Mastech Privacy Policy

Introduction

Mastech (Pty) Ltd, located in Pretoria, South Africa, is committed to safeguarding your privacy and ensuring that your personal information is managed lawfully and transparently. This Privacy Policy outlines how we collect, use, and protect personal information across our products and services, including the Wayware software platform and the Wayware Cloud service, in compliance with the Republic of South Africa’s Protection of Personal Information Act, 2013 (POPI Act). In line with Section 18 of POPIA’s transparency requirements, we explain what personal information is collected, the purpose for collecting it, whether providing it is voluntary or mandatory, who will have access to it, and other relevant details. By using our software, cloud services, websites, or by communicating with us, you agree to the processing of your personal information as described in this Privacy Policy.

Scope

This Privacy Policy applies to all personal information processed by Mastech in the course of our business. It covers:

  • Wayware On-Premises Software (Customer-Hosted): Users of our Wayware software installed on customer infrastructure (on-premises deployments).
  • Wayware Cloud Service: Users of our cloud-based Wayware platform (accessible at app.wayware.io) where we host and process data on behalf of customers.
  • Websites: Visitors to our company websites (mastech.co.za and wayware.io).
  • Communications: Individuals who engage with us via phone, email, or other channels (including customers, prospective clients, and suppliers).

This unified policy addresses how personal information is handled in all the above contexts by Mastech.

Personal Information We Collect

We collect different types of personal information depending on how you interact with Mastech and our services. This includes:

  • Account and Contact Information: When you purchase or register for our Wayware products or services, we collect information such as your name, company/organization name, email address, telephone number, and other contact details. For example, if you sign up for a Wayware Cloud account, we will ask for your email address and relevant business contact information to create and manage your account. We may also record business contact details when you acquire a license for the Wayware on-premises software or when you request support.
  • Customer Data in Wayware Cloud: If you use the Wayware Cloud service, any data you choose to upload or store on that platform (which may include personal information related to your business operations, such as data about your employees or end-users) is considered Customer Data. This data remains under your ownership and control – we act only as a custodian or processor of that information on your behalf. We do not access or use the content of your stored data except as necessary to operate and support the cloud service, in accordance with your instructions and this policy.
  • On-Premises Software Data: When you use the Wayware software installed on your own systems (on-premises), the data you input into the software remains on your network and is not transmitted to Mastech. We do not collect or store the personal information you process in the on-premises Wayware system. It is your responsibility to manage and protect any personal data in your self-hosted Wayware database. Mastech will only have access to such data if you explicitly provide it to us for troubleshooting or support purposes (for example, if you send us a sample of your data or a backup for help with an issue). In such cases, we will only use that information to assist you and will handle it confidentially per this policy and the POPI Act.
  • Website Usage Data: When you visit our websites (mastech.co.za or wayware.io), we may collect limited information about your visit. This can include your Internet Protocol (IP) address, browser type, pages viewed, and browsing behavior through the use of cookies or analytics tools. This information is generally not directly identifiable to you and is used for analytical purposes to improve our website’s functionality and user experience. Our websites do not require you to provide personal data just for browsing. However, if you choose to fill out a form on our site (for example, a Contact Us form), we will collect the personal information you provide in that form, such as your name, email address, phone number, and the content of your message. We will use this information to respond to your inquiry or request.
  • Communication Data: If you communicate with us via email, phone, or other channels, we will collect the information you choose to give us during those interactions. This may include your name, contact information, the content of emails or phone conversations, and any other personal details you provide when you contact us for support, sales inquiries, or general questions. We handle any personal information obtained through these communications in line with industry best practices and in compliance with the POPI Act, which means we keep such information confidential and use it only for the purposes for which you provided it. For instance, if you email us documentation that contains personal data, we will treat those documents as private and will not share them beyond what is necessary to assist you, abiding by the South African POPI Act’s principles of lawful processing and confidentiality.

Voluntary vs. Mandatory Provision of Data: In general, providing your personal information to us is voluntary. However, certain details are necessary for us to deliver our products or services. If you choose not to provide information that is required, we may not be able to fulfill your request or provide the service in question. For example, without an email address, we cannot create a Wayware Cloud user account or send you important communications, and without certain business details, we cannot complete a software license agreement. We will inform you at the time of collection if specific information is mandatory. (The consequences of not providing requested personal information may include inability to use some of our services or features, as described above, in accordance with POPIA’s requirements.)

How We Use Personal Information

Mastech will only use your personal information for legitimate business purposes and in ways that are relevant and necessary for those purposes. We limit our processing of personal data to what is adequate, relevant, and not excessive in relation to the purposes set out below, in line with the POPI Act’s principles. The main purposes for which we use personal information are:

  • Providing and Supporting Our Services: We use your information to deliver the products and services you have requested. This includes using your contact and account details to set up and administer your Wayware Cloud account, to provide you with access to the Wayware platform, and to offer technical support or training. If you use the on-premises Wayware software, we may use your contact information to provide license keys, software updates, or customer support when you reach out to us. We also process Customer Data (in the case of Wayware Cloud) strictly to operate the service on your behalf – for example, storing it on our cloud servers, backing it up, and enabling you to retrieve and manage it. We do not use Customer Data for any purpose other than providing the Wayware Cloud service as per our agreement with you.
  • Communication and Responding to Requests: We use your email address, phone number or other contact information to communicate with you about our services. This may include sending service-related announcements (such as notifications about software updates, security alerts, and changes to our terms or this Privacy Policy), responding to inquiries you send us, and providing customer support or troubleshooting. If you contact us for information or support, we will use the details you provided to address your needs and keep records of our communications. We may also send you confirmations or receipts, for example when you sign up for an account or make a purchase.
  • Improvement and Development: We may use personal information and aggregated data to improve our offerings. For instance, feedback you provide or information about how you use our software (when such data is available to us) can help us debug issues, develop new features, and enhance the user experience. Any analytics we perform on usage data are typically done in an anonymized or aggregated manner. Internally, we limit access to personal data in these processes to only those who need it for development or quality assurance.
  • Marketing and Newsletters: With your consent or as otherwise permitted by law, we may use your contact information to send you occasional updates about our products and services. For example, we might email you about new Wayware features, special offers, or company news if you are an existing customer or if you have subscribed to our mailing list. We will ensure any marketing communications comply with applicable laws on direct marketing. If at any time you prefer not to receive promotional emails or calls, you can opt out by using the unsubscribe link in the email or by contacting us, and we will respect your choice. We will not send you marketing communications if you object or opt out.
  • Legal Compliance and Protection: We may process personal information when necessary to comply with our legal obligations and regulatory requirements. For example, we might retain invoicing information for tax and accounting purposes, or disclose information if required by a court order or lawful request by authorities. Additionally, we may use or disclose personal data to protect our rights or the rights and safety of our customers, employees, or others. This includes preventing fraud, investigating suspicious activity, enforcing our contracts (such as software license agreements or terms of service), or pursuing remedies available to us. In any such case, we will ensure the disclosure is lawful and limited to what is necessary.

We will not use your personal information for new purposes that are incompatible with the original purposes described above without first obtaining your permission or otherwise complying with the law. In particular, we do not engage in any selling of personal information to third parties, and we do not profile or make automated decisions that produce legal effects concerning you without your knowledge.

Sharing and Disclosure of Personal Information

Mastech understands the importance of keeping your personal information private. We do not sell or rent your personal information to third parties. However, in certain circumstances we may share personal information with third parties, as described below, always in accordance with the POPI Act’s requirements and with appropriate safeguards in place:

  • Service Providers (Operators): We may share personal information with trusted third-party service providers who perform services on our behalf (known as "operators" under POPIA). This includes, for example, cloud hosting providers, data center or infrastructure services for the Wayware Cloud, email and communications services, analytics providers, or other IT service vendors. These third parties are given access only to the information necessary to perform their specific tasks. They are contractually required to protect your information and are not permitted to use it for any purpose other than providing services to Mastech. We ensure that any operator we engage processes personal data in compliance with POPIA and with a level of protection comparable to what we commit to in this Privacy Policy.
  • Within Mastech (Employees and Contractors): Personal information may be accessed by Mastech’s own team members (such as our support engineers, developers, or administrative staff), but only on a need-to-know basis and for the purposes described in this policy. All Mastech employees and contractors are bound by confidentiality and data protection obligations. They are trained on the proper handling of personal information in line with our policies and the POPI Act.
  • Legal Requirements and Protection: We may disclose personal information to third parties if we believe in good faith that such disclosure is required to: (a) comply with a legal obligation or applicable law, regulation, or governmental request; (b) enforce our agreements or terms of service; (c) address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Mastech, our users, or the public. For instance, if law enforcement or regulatory authorities lawfully require us to provide certain data, we may comply after verifying the legality of the request. We will attempt to notify you of such requests when permissible and practical.
  • Business Transfers: If Mastech undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or a portion of our assets, personal information may be among the assets transferred to the relevant successor entity. Should such a transfer occur, we will ensure that the recipient of the data is bound by privacy obligations consistent with this policy. We will also provide notice to our users before personal information becomes subject to a different privacy policy as a result of the business transfer.
  • Aggregated or De-Identified Information: We may share information that has been aggregated or anonymized in such a way that it cannot be linked back to any individuals. Such information is not considered personal and may be used for industry analysis, research, or other purposes, and shared freely since it does not identify any person.

International Data Transfers: Mastech is based in South Africa, and we primarily process and store personal data within South Africa. If it becomes necessary to transfer your personal information to a country outside of South Africa (for example, if we use a cloud infrastructure or service provider located in another country), we will ensure that the transfer is done in compliance with Section 72 of the POPI Act. This means we will only transfer personal data to recipients in other countries if an adequate level of protection is in place or if we have your consent or another legal justification. In practice, we strive to host and process data within South African jurisdiction when possible. If we do transfer data internationally, we will take appropriate safeguards, such as using contracts that require the recipient to protect the information to South African standards or relying on agreements between South Africa and the recipient country that ensure adequate data protection. We will inform you in this Privacy Policy (or at the point of data collection) if any of your personal information is stored or processed in other countries. At present, Wayware Cloud data is stored on secure servers in South Africa (or, if stored elsewhere, we will explicitly let you know). Personal information collected via our websites or communications is generally stored on systems in South Africa as well, unless we specifically use an overseas service in which case the above safeguards apply.

Data Security

We take the security of personal information very seriously. Mastech implements reasonable technical and organizational measures to safeguard personal data against loss, theft, misuse, unauthorized access, alteration, or destruction. In accordance with Section 19 of the POPI Act, we have instituted measures to secure the integrity and confidentiality of personal information in our possession or under our control. These measures include, but are not limited to:

  • Technical Security: We use industry-standard security practices to protect data. For data stored in Wayware Cloud, we employ measures such as access controls (ensuring only authorized personnel can access systems), encryption of data in transit (e.g., using HTTPS for data transfer) and at rest where applicable, firewalls and network security monitoring, and regular security updates for our software and servers. Our systems are hosted in secure facilities with appropriate physical security controls.
  • Organizational and Operational Security: We restrict access to personal information to Mastech employees or contractors who need that information to process it (for example, support staff assisting you with an issue). Those who have access are subject to strict confidentiality obligations. We also maintain policies and conduct training on data protection to ensure our team understands how to handle personal information safely and lawfully.
  • On-Premises Software Data: For customers using Wayware on-premises, since your data remains on your own infrastructure, you are responsible for implementing adequate security measures within your environment. Mastech’s software provides mechanisms for you to secure your data (such as user account management and access controls in the application), but it is up to you to use those features properly and to maintain the security of the servers or computers where the software and data reside. We strongly encourage you to follow best practices for IT security to protect the data processed by the Wayware on-premises software. Mastech cannot see or access the data on your network unless you provide it to us, and we cannot secure data that we do not host. Thus, ensuring the privacy and security of on-premises data is primarily the customer’s responsibility. We will gladly provide guidance on securing your system if requested.
  • Monitoring and Testing: We regularly monitor our systems for possible vulnerabilities and attacks, and we carry out testing and evaluations of our security measures. This helps us proactively identify and address potential security risks. We also keep our software up to date, applying security patches and improvements when they become available to mitigate new threats.

Despite our best efforts, no method of transmission over the Internet or electronic storage is 100% secure. However, we strive to use commercially acceptable means to protect your personal information and continuously improve our security measures. If we become aware of a security breach that has compromised the privacy of your personal data on our systems, we will notify you as soon as reasonably possible, as well as the South African Information Regulator where required, in accordance with Section 22 of the POPI Act. We will take all necessary steps to mitigate the breach and prevent further unauthorized access.

Retention of Personal Information

We will retain personal information only for as long as it is necessary to fulfill the purposes for which it was collected, or to comply with legal and contractual requirements. In other words, we will not keep your data indefinitely “just in case,” but rather manage it through its lifecycle in accordance with South African law and good data management practices. Specifically:

  • Duration of Use: Personal information tied to the provision of a service (such as your Wayware Cloud account details, or Customer Data stored in the cloud) will be kept for as long as you maintain an account or subscription with us and for a reasonable period thereafter. If you decide to close your account or stop using our services, we will initiate the process of deleting or de-identifying the personal information associated with your account, unless we need to keep it longer to meet legal obligations or other legitimate reasons (as described below). For example, if a Wayware Cloud customer terminates their subscription, we will securely erase or return the customer’s stored data after a retention period (we will communicate the specifics in such event), save for any data we must retain by law.
  • Legal and Business Obligations: In some cases, we may need to retain certain records containing personal information for a longer period. For instance, financial records (invoices, payment history) may be kept for several years to comply with tax and accounting laws. Likewise, information needed for resolving disputes, enforcing our agreements, or defending against legal claims might be retained until the issue is resolved. During any such retention, we will continue to protect the personal information in line with this Privacy Policy.
  • Deletion and De-Identification: When personal information is no longer needed, we will either permanently delete it or anonymize it (such that it can no longer be linked to any identifiable individual), as required by Section 14 of the POPI Act. We have processes in place to periodically review the data we hold and to purge data that is outdated or no longer necessary. For example, if you sent us an inquiry and we have finished addressing it, we may delete the correspondence after some time if it’s not needed for any follow-up. Backup copies of data are also subject to deletion policies; there may be a short delay in removing data from backups, but we ensure that once the retention period expires, data is wiped from active systems and will not be restored from backups except as allowed by law.

In summary, we do not keep personal information for longer than justified. We aim to ensure information is not kept longer than it should be, thereby reducing the risk of unwanted disclosure. If you have specific questions about our retention practices for a certain type of data, you are welcome to contact us for more detail.

Your Rights Under POPI Act

As an individual (data subject) whose personal information is processed by Mastech, you have certain rights under the POPI Act regarding that information. We respect your rights and have processes to enable you to exercise them. Your rights include:

  • Right of Access: You have the right to request confirmation of whether we hold any personal information about you, and to request a copy of that information or details about what information we have. This is sometimes called a Data Subject Access Request. We will provide you with the relevant personal data we maintain about you, as well as information about the identity of all third parties who have, or have had, access to your information (if applicable), as required by law.
  • Right to Correction: You have the right to ask us to correct or update any of your personal information that is inaccurate, out-of-date, or incomplete. We strive to ensure that the information we have is accurate, but if you find that it isn’t, please let us know and we will rectify it where possible. This may involve updating our records and informing any third parties who received the incorrect information to also correct their records.
  • Right to Deletion: You may request that we delete or destroy your personal information in certain circumstances. For example, if the information we hold is no longer needed for its original purpose, or if you withdraw consent (in cases where consent was required for us to have the data), or if you believe we are unlawfully processing your data, you can ask that we remove it. We will assess such requests in light of our obligations; if no legal or legitimate reason requires us to keep the data, we will erase it as requested. If there is a lawful reason to refuse (such as a legal obligation to keep the data), we will inform you of that reason.
  • Right to Object to Processing: You have the right to object to the processing of your personal information in certain situations. For instance, you can object to processing for direct marketing purposes at any time, and we will then stop using your data for that purpose. You can also object if you feel our processing of some of your information is causing you harm or is not justified. In some cases, the POPI Act allows further processing despite an objection (for example, if processing is required by law), but generally, if you object on reasonable grounds, we will consider your objection and stop or limit the processing if required. There is a formal process for lodging an objection (Form 1 under POPIA); however, simply contacting us with your objection will start the process and we will guide you through any additional requirements.
  • Right to Withdraw Consent: Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time. For example, if you have given consent to receive marketing emails, you can opt out later (withdraw consent) and we will stop sending them. Withdrawal of consent will not affect the lawfulness of any processing we did before you withdrew, but it will mean we stop the specific activity that was based on consent going forward. Note that often we do not rely solely on consent (we might rely on other grounds, such as contract necessity to provide a service), but for the areas we do, you are free to change your mind.
  • Right to Lodge a Complaint: If you believe we have infringed your rights or violated the POPI Act in the handling of your personal information, you have the right to lodge a complaint with the Information Regulator in South Africa. The Information Regulator is the independent authority established to enforce data protection laws like POPIA. We would appreciate the chance to address your concerns first, so we encourage you to contact us with any complaint and we will do our best to resolve it. However, if you are not satisfied with our response, you can contact the Information Regulator. (Contact details for the Information Regulator can be found on its official website; as of the date of this policy, the website is justice.gov.za/inforeg. The Information Regulator’s email for POPIAct complaints is often listed as [email protected] or a similar address on their site.)

To exercise any of your rights, please contact us at our contact details provided in the Contact Us section of this policy. We may require you to verify your identity before acting on a request (to ensure we don’t disclose your data to someone else). We will respond to your requests within a reasonable time and in accordance with the procedures and timeframes set out by POPIA. For certain requests, we might ask you to complete a specific form (for example, the prescribed POPIA forms for objections or corrections), but we will guide you through that process if needed. There is usually no fee for exercising your rights, though if a request is unfounded or excessive (e.g., repetitive), POPIA allows us to charge a reasonable fee or refuse the request – we will inform you beforehand in such a case.

Contact Us

If you have any questions about this Privacy Policy, or if you wish to request access to or correction of your personal information, or exercise any other rights, please contact us at:

Mastech (Pty) Ltd
Unit E2, Atterbury Court, 669 Plettenberg Street, Faerie Glen, Gauteng, 0081, South Africa
Email: info@mastech.co.za

This is our official corporate address and contact email for privacy matters. Please direct any privacy-related inquiries or complaints to the attention of our management/Information Officer at the above email address. We will make every effort to address and resolve your concerns.

Updates to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our services or to ensure compliance with legal requirements. When we make significant changes, we will post the updated Privacy Policy on our website (and within our applications where appropriate) and update the "Last updated" date below. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services after any changes to this policy implies your acceptance of the revised Privacy Policy.

Last updated: July 9, 2025.

Please note that this Privacy Policy is provided for transparency and information purposes. It does not form a contract, except where explicitly incorporated into our customer agreements. Nonetheless, we strive to adhere to the commitments herein. If you have any questions or need further clarification about our privacy practices, do not hesitate to contact us at info@mastech.co.za.

Mastech