Privacy Policy

Effective date: 21 April 2026

Digiiworks Legal (“Digiiworks”, “we”, “us”, or “our”) is committed to protecting the privacy of every person whose personal information we process. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit law.digiiworks.co or use our practice management platform (the “Service”).

This Policy is issued in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”), the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”), and the Consumer Protection Act 68 of 2008 of the Republic of South Africa.

1. Responsible Party

The responsible party (as defined in POPIA) is Digiiworks Legal, a South African business operating at law.digiiworks.co. Our Information Officer may be contacted at privacy@digiiworks.co.

2. Personal information we collect

We may collect and process the following categories of personal information:

  • Identity and contact data: full name, ID or passport number, practice number, firm name, physical and postal address, email address, and telephone number.
  • Account data: login credentials, user role, profile preferences, and billing details.
  • Matter and client data: information that attorneys upload into the Service about their clients, matters, documents, diaries, invoices, and communications.
  • Technical data: IP address, browser type, device identifiers, operating system, access times, and pages viewed.
  • Communications: records of correspondence, support tickets, and feedback you send to us.

3. How we collect personal information

We collect personal information directly from you when you register an account, use the Service, contact us, or subscribe to updates. We may also collect information automatically through cookies and similar technologies and, where lawful, from third parties such as identity verification providers and payment processors.

4. Purpose and lawful basis for processing

In terms of section 11 of POPIA, we process personal information only where we have a lawful basis to do so, including:

  • performance of a contract with you or your firm;
  • compliance with a legal obligation;
  • protection of your legitimate interests;
  • pursuit of our legitimate interests or those of a third party; or
  • your consent, which you may withdraw at any time.

Specifically, we process personal information to provide and maintain the Service, authenticate users, manage billing, provide customer support, comply with regulatory obligations, prevent fraud, and improve our product.

5. Role as operator

Where attorneys upload client matter data into the Service, the attorney or firm is the responsible party in respect of that data, and Digiiworks acts as an operator as defined in POPIA. We will process such personal information only on the documented instructions of the responsible party and will maintain appropriate technical and organisational security measures.

6. Sharing and disclosure

We do not sell personal information. We may share it with:

  • trusted sub-operators and service providers (hosting, email, payment, analytics) who are contractually bound to protect it;
  • regulators, courts, or law enforcement where legally required;
  • professional advisers under duties of confidentiality; and
  • a successor entity in the event of a merger, acquisition, or sale of assets.

7. Cross-border transfers

Where personal information is transferred outside the Republic of South Africa, we comply with section 72 of POPIA by ensuring the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection.

8. Retention

We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law (including the retention periods prescribed by the Legal Practice Act, tax legislation, and the Financial Intelligence Centre Act). Thereafter it is securely deleted or de-identified.

9. Security safeguards

In terms of sections 19 to 22 of POPIA, we maintain appropriate technical and organisational safeguards, including application-level 256-bit AES encryption of sensitive fields (with per-firm key derivation so that one firm’s key cannot decrypt another firm’s data), TLS 1.2+ in transit, row-level security at the database, passwordless magic-link authentication with a 30-minute inactivity timeout, rate limiting on sensitive endpoints, an append-only administrative audit trail, and automatic scrubbing of personally identifiable information from monitoring and error diagnostics. A full description of our controls is available in our Trust & Security statement. In the event of a security compromise we will notify the Information Regulator and affected data subjects as soon as reasonably possible.

10. Your rights

As a data subject you have the right to:

  • be notified that your personal information is being collected;
  • request confirmation of, access to, and correction or deletion of your personal information;
  • object to processing on reasonable grounds, or for direct marketing purposes;
  • submit a complaint to the Information Regulator; and
  • institute civil proceedings regarding alleged interference with the protection of your personal information.

To exercise any of these rights, contact privacy@digiiworks.co. We may require you to complete Form 2 (Request for Access) or Form 1 (Objection to Processing) prescribed under POPIA.

11. Cookies

We use strictly necessary cookies to operate the Service and, with your consent, analytics cookies to understand how it is used. You may disable cookies in your browser, but some features may not function correctly.

12. Children

The Service is not directed at children under 18. We do not knowingly collect personal information of a child without the prior consent of a competent person as contemplated in section 34 of POPIA.

13. Information Regulator

You may lodge a complaint with the Information Regulator of South Africa:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: POPIAComplaints@inforegulator.org.za
Website: https://inforegulator.org.za

14. Updates to this Policy

We may amend this Policy from time to time. Material changes will be communicated via the Service or by email. Continued use of the Service after such changes constitutes acceptance of the updated Policy.

15. Contact us

Questions about this Policy may be directed to our Information Officer at privacy@digiiworks.co.
