PAIA & POPIA Compliance Manual

Vault of Time (Pty) Ltd · Reg No 2025/875420/07 · Version 3.0 — July 2026
Prepared in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000 and the Protection of Personal Information Act 4 of 2013.

Download as PDF

1. Company Overview & Contact Details

Company NameVault of Time (Pty) Ltd
Registration No.2025/875420/07
Registered OfficeViljoenskroon, Free State, South Africa
Information OfficerNthabiseng Patsa
Contact Emailhello@vaultoftime.com
Websitevaultoftime.com

Vault of Time is an AI-native product studio. At the date of this version it operates the following products, each with its own data footprint described in this manual: TillTap (a grocery budgeting application, tilltap.co.za); MilliScoop (a digital generative-art service, milli.vaultoftime.com); and the legacy Genesis 50 archive (records of the company’s former digital art auction platform, now closed).

2. The Guide on How to Use PAIA

The South African Human Rights Commission has compiled a guide on how to use the Promotion of Access to Information Act. The guide is available on the Information Regulator’s website at www.inforegulator.org.za.

3. Records Held in Terms of Other Legislation

Vault of Time maintains records in accordance with the Companies Act 71 of 2008; the Income Tax Act 58 of 1962; the Value Added Tax Act 89 of 1991; the Consumer Protection Act 68 of 2008; the Electronic Communications and Transactions Act 25 of 2002; the Financial Intelligence Centre Act 38 of 2001 (in respect of legacy records arising from the company’s prior activities as a registered high-value goods dealer); the Protection of Personal Information Act 4 of 2013; and the Promotion of Access to Information Act 2 of 2000.

4. Schedule of Records Held by the Company

Record TypeDescription
TillTap Operational RecordsUser account identifiers, shopping lists, receipt data submitted by users for parsing, item price history, device push-notification tokens, and aggregated usage analytics.
MilliScoop Operational RecordsWallet email addresses, payment transaction references, scoop credit balances, redemption records, and artwork identifiers (Milli numbers).
Legacy Auction Records (Genesis 50)Historical digital ledger data, bidding logs, coordinate records, waitlist applications, and auction correspondence from the closed auction platform. Retained under applicable retention obligations; no new records of this type are created.
Identity Records (Legacy KYC/FICA)FICA-compliant documentation collected during the auction era, held in offline encrypted archive under the Air-Gap Protocol (Section 5.4).
Financial RecordsDirector’s loan ledger, bank statements, tax invoices, payment processor statements, and SARS correspondence.
Contractual RecordsTerms & Conditions acceptances, purchase records, and licence records.

5. Processing of Personal Information (POPIA)

5.1 Purpose of Processing

Personal information is collected and processed solely to: provide and operate the company’s products (including maintaining TillTap user accounts and features, and honouring MilliScoop scoop credits and artwork records); process payments and maintain transaction records; send transactional communications such as sign-in links and legally required notices; secure and improve the services through minimal, aggregated analytics; and meet legal obligations to SARS, the Information Regulator, and (in respect of legacy records) the Financial Intelligence Centre.

5.2 Categories of Data Subjects

TillTap users; MilliScoop purchasers and free-scoop users; legacy auction patrons and waitlist applicants; directors of Vault of Time (Pty) Ltd; and service providers.

5.3 Recipients and Operators

Personal information is processed internally and by the following operators under POPIA: Google LLC (Firebase hosting, database, authentication, and analytics infrastructure for all products); PayPal (payment processing for MilliScoop; PayPal acts under its own privacy policy in respect of payment credentials, which Vault of Time never receives); and Anthropic PBC (AI processing used by TillTap to parse receipt content submitted by users). Information may further be disclosed where legally mandated, specifically to the South African Revenue Service and, in respect of legacy records, the Financial Intelligence Centre upon lawful request.

5.4 Air-Gap Security Protocol (Legacy KYC/FICA Documents)

Legacy identity documentation from the auction era remains subject to the Air-Gap Protocol: all such documents were migrated to dedicated, hardware-encrypted offline storage upon verification, with all digital traces purged from networked servers and communication channels. No identity documentation is retained on cloud-connected infrastructure. The company’s current products collect no identity documents; the protocol is retained for the legacy archive and as standing procedure should identity processing ever resume.

5.5 Cross-Border Data Transfers (Section 72, POPIA)

The company’s platforms are built on infrastructure operated by Google LLC, PayPal, and Anthropic PBC, whose servers may be located outside the Republic of South Africa. Personal information — including account email addresses, transaction records, and content submitted for processing — may accordingly be processed outside South Africa. In compliance with Section 72 of POPIA, these transfers rest on: (a) the operators’ data processing terms, which incorporate standard contractual clauses and commitments providing an adequate level of protection substantially similar to the conditions for lawful processing under POPIA; and (b) informed consent obtained from data subjects at the point of collection, with cross-border processing disclosed in the applicable privacy policy before submission.

5.6 Data Retention Schedule

CategoryRetention PeriodTrigger for Deletion
TillTap account data (lists, receipts, preferences)While the account remains active.Account deletion by the user or verified deletion request; removal within 30 days, subject to legal holds.
MilliScoop wallet email & redemption recordsWhile the wallet holds credits or redeemed Millis.Wallet deletion request; unredeemed credits refunded before closure.
MilliScoop transaction records5 years from transaction date (tax and consumer-law obligations).Expiry of the legal retention period; deletion or anonymisation.
MilliScoop unredeemed credits3 years from purchase (s63, Consumer Protection Act) or until redeemed.Redemption, refund, or expiry in accordance with the published Terms.
Aggregated analyticsRetained only in aggregated, de-identified form.Not applicable (not personal information once de-identified).
Legacy auction & KYC recordsMinimum 5 years from transaction date per FICA.Expiry of legal retention obligation; secure destruction of offline media.
Email correspondence3 years from date of correspondence.Routine deletion cycle.

5.7 Rights of Data Subjects

Data subjects may, by contacting the Information Officer at hello@vaultoftime.com, exercise the following POPIA rights: the right of access (confirmation of what personal information is held, and a copy of it); the right to correction of inaccurate, incomplete, or outdated information; the right to deletion, subject to the company’s legal retention obligations; the right to object to processing in certain circumstances; and the right to complain to the Information Regulator (www.inforegulator.org.za; JD House, 27 Stiemens Street, Braamfontein, Johannesburg; complaints.IR@justice.gov.za) if they believe their rights have been violated.

5.8 Data Breach Notification Procedure

In the event of a data breach, the company acts in accordance with Section 22 of POPIA: the Information Officer is notified immediately upon discovery; the Information Regulator is notified as soon as reasonably possible; affected data subjects are notified as soon as reasonably possible unless the Regulator directs otherwise; notifications include the nature of the breach, the information involved, and remedial steps taken; and an internal breach log is maintained for all incidents regardless of severity.

6. How to Request Access to a Record

Requests must be made using Form 2, available from the Information Regulator (www.inforegulator.org.za), and directed to the Information Officer at hello@vaultoftime.com. A request fee may apply as prescribed by the Act.

7. Grounds for Refusal of Access

Access to records may be refused on the grounds set out in Part 3 of PAIA, including the protection of third parties’ personal information; commercial information held in confidence; information that could endanger the safety of individuals; information subject to legal privilege; and records required for ongoing legal proceedings.

Information OfficerVersionDate
Nthabiseng Patsa3.010 July 2026

This manual is reviewed annually or upon any material change to the company’s data processing activities. Version 3.0 supersedes Version 2.0 (March 2026) and reflects the closure of the Genesis 50 auction platform and the introduction of the TillTap and MilliScoop products.