Privacy & POPIA Notice

Last updated · 19 May 2026

Drive Shyft is operated by IOT Projects (Pty) Ltd (Reg. no. TODO). References to "Drive Shyft", "we", "us" or "our" in this document mean this company.

1. Joint Responsible Parties

  • IOT Projects (Pty) Ltd — Reg. no. TODO · Registered address TODO · Information Officer TODO (TODO@driveshyft.net)

The two companies act as joint Responsible Parties under POPIA and have agreed internally on their respective compliance responsibilities. Data subjects may exercise their rights against either entity.

2. Personal information we collect

  • Identity and contact details (name, email, phone, WhatsApp number).
  • South African ID number, driver's licence, PrDP, proof of address and other verification documents.
  • Vehicle documents where applicable (registration, insurance).
  • Location data (home suburb).
  • Platform-experience metadata (e-hailing platform history, ratings, tenure).
  • Payment tokens (via our payment processor; we do not store full card numbers).

3. Purpose of processing

Matching drivers with fleets, document verification, billing, fraud prevention, customer support, and regulatory compliance.

4. Lawful basis

Consent (POPIA s.11(1)(a)), performance of contract, and our legitimate interest in operating the platform.

5. Sharing

  • Between the two operating entities for the joint operation of the platform.
  • With verified fleet owners that a driver chooses to be visible to.
  • With our payment processor (PayFast) for fee collection.
  • With verification vendors for document checks.
  • We do not sell personal information.

6. Retention

We retain personal information for the life of the account, plus 5 years after closure (aligned with FICA) for billing and dispute records. Documents are purged on request subject to any applicable legal hold.

7. Data subject rights

Access, correction, deletion, objection, and the right to complain to the Information Regulator of South Africa. Submit requests to either Information Officer above.

8. Cross-border transfers

Only to processors with adequate protection or contractual safeguards as required by POPIA s.72.

9. Security

Encryption in transit and at rest, Row-Level Security on application data, and access-scoped storage for verification documents.

9.1 Payment data

Card payments are processed by PayFast (DPO Payments (Pty) Ltd), a PCI-DSS Level 1 payment service provider regulated by the FSCA. Card numbers, expiry dates and CVVs are entered on PayFast's hosted page and never reach Drive Shyft servers or storage. We store only a secure recurring token and the last four digits of your card for identification on receipts. Every charge is verified through PayFast's signed Instant Transaction Notification (ITN) before any payment status is recorded on our side, and every notification — including any that fail signature or origin checks — is written to an immutable audit log accessible only to our compliance team. Intro fees are subject to a 7-day cooling-off window enforced at the database level: they cannot be captured before the window expires.

10. Cookies and analytics

We use strictly necessary cookies for authentication and session management, and limited first-party analytics to measure platform performance.