POPIA Compliance
Last updated: June 2026
Find My Creator, operated by FM Digital Solutions, is committed to complying with the Protection of Personal Information Act 4 of 2013 (POPIA). This page explains how we meet our obligations under the Act.
Our Commitment
POPIA is South Africa's primary data protection legislation. It regulates how organisations collect, store, use and share personal information. Find My Creator was built with POPIA compliance as a design requirement, not an afterthought. Our data retention settings, audit logging, soft-delete architecture and access controls are all aligned with the requirements of the Act.
We process personal information only for the purposes disclosed in our Privacy Policy, on a lawful basis, and with appropriate security measures in place.
Responsible Party
For the purposes of POPIA, FM Digital Solutions is the Responsible Party for personal information processed through the Find My Creator platform. This means we determine the purpose and means of processing personal information collected through the platform.
Where agencies use Find My Creator to manage creator personal information (profiles, campaign data, messages), those agencies also act as Responsible Parties in relation to the personal information of their creators. FM Digital Solutions acts as an Operator on their behalf, processing that data only as required to deliver the platform service.
Information Officer
FM Digital Solutions has designated an Information Officer as required by POPIA. The Information Officer is responsible for ensuring compliance with the Act, responding to data subject requests and liaising with the Information Regulator.
The Eight Conditions for Lawful Processing
POPIA sets out eight conditions that must be met when processing personal information. Here is how Find My Creator addresses each one:
1. Accountability
FM Digital Solutions takes responsibility for ensuring POPIA compliance across all personal information we process. Our Information Officer oversees compliance and is the first point of contact for data subjects and regulators.
2. Processing Limitation
We collect only the personal information necessary to provide the platform service. We do not collect data speculatively and we do not use personal information for purposes beyond those stated in our Privacy Policy.
3. Purpose Specification
Personal information is collected for specific, defined purposes: operating the platform, enabling campaign management, facilitating communication between agencies and creators, and processing billing. These purposes are documented and communicated in our Privacy Policy.
4. Further Processing Limitation
We do not use personal information for purposes incompatible with the original collection purpose. We do not sell data to third parties. Third-party integrations (PayFast, Klaviyo) are disclosed, optional where applicable, and subject to their own privacy policies.
5. Information Quality
We take reasonable steps to ensure that personal information is accurate, complete and up to date. Platform users can update their own profile data directly. Inaccurate information can also be corrected by contacting us.
6. Openness
We maintain a Privacy Policy that describes what personal information we collect, why, how we use it and who we share it with. This Compliance page and our Privacy Policy are publicly accessible.
7. Security Safeguards
We implement technical and organisational security measures appropriate to the risk of harm. These include role-based access controls (agencies cannot access each other's data), authentication controls, prepared SQL statements to prevent injection attacks, nonce verification on all write operations, and configurable data retention with automated purge schedules.
8. Data Subject Participation
Data subjects have the right to access, correct and request deletion of their personal information. These rights can be exercised by contacting our Information Officer. We will respond to all requests within 30 days.
Data Retention and Deletion
Agency administrators can configure a data retention period within their workspace settings (between 12 and 36 months). Records are soft-deleted on removal and permanently purged at the end of the retention period. This allows for recovery during the retention window while ensuring permanent deletion thereafter.
When an agency account is fully closed, we execute a documented deletion cascade that permanently removes all associated data including creator profiles, campaigns, messages, submissions, audit logs and team member records, subject to any legal retention obligations that may apply.
Security Incident Response
In the event of a security compromise that affects personal information, we will assess the severity of the incident and, where required by POPIA, notify the Information Regulator and affected data subjects within the timeframes prescribed by the Act (as soon as reasonably possible).
If you discover or suspect a security vulnerability in the platform, please contact us immediately at admin@fmdigitalsolutions.co.za.
Cross-Border Transfers
We do not transfer personal information outside South Africa except where explicitly required by a third-party integration that a user or agency has chosen to enable. Where such transfers occur (for example, via Klaviyo), we ensure that appropriate safeguards are in place as required by Section 72 of POPIA.
Data Subject Rights
Under POPIA, you have the right to:
- Request access to the personal information we hold about you
- Request correction of inaccurate or incomplete information
- Request deletion of your personal information (subject to legal retention requirements)
- Object to the processing of your personal information
- Lodge a complaint with the Information Regulator
To exercise any of these rights, contact our Information Officer at admin@fmdigitalsolutions.co.za. We will acknowledge your request within 3 business days and respond fully within 30 days.
Information Regulator
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
Website: www.justice.gov.za/inforeg
Email: inforeg@justice.gov.za
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001