Prepared in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000 (as amended)
| Acronym / Term | Meaning |
|---|---|
| PAIA | Promotion of Access to Information Act 2 of 2000 (as amended) |
| POPIA | Protection of Personal Information Act 4 of 2013 |
| Information Officer | The head of the private body responsible for PAIA compliance. For IntentGuard: Olebeng Molefe. |
| Information Regulator | The independent body established under POPIA to oversee compliance with PAIA and POPIA. |
| Record | Any recorded information regardless of form or medium held by or under the control of IntentGuard. |
| Requester | Any person making a request for access to a record held by IntentGuard. |
| Data Subject | A natural person to whom personal information relates. |
| SAHRC | South African Human Rights Commission |
This manual is compiled in terms of Section 51 of PAIA and serves to:
The right of access to information is enshrined in Section 32 of the Constitution of the Republic of South Africa, 1996. PAIA gives effect to this right by establishing procedures for requesting access to records held by public and private bodies.
| Detail | Information |
|---|---|
| Private Body Name | Intouch Prepaid (Pty) Ltd trading as IntentGuard · Registered in South Africa |
| Information Officer | Olebeng Molefe |
| Capacity | Founder and head of private body |
| Street Address | 40 Boshoff Street, South Crest, Alberton, Johannesburg, 1449, Gauteng, South Africa |
| Postal Address | 40 Boshoff Street, South Crest, Alberton, Johannesburg, 1449, Gauteng, South Africa |
| Email Address | [email protected] |
| Website | https://intentguard.dev |
| PAIA Manual URL | https://intentguard.dev/paia |
| Information Regulator Registration | 2026-003756 |
| Deputy Information Officer | Not yet designated. The Information Officer performs all functions personally at this stage. |
The South African Human Rights Commission (SAHRC) has compiled a guide on how to use PAIA. This guide is available:
The Guide explains: your right of access to records; how to submit a PAIA request; what fees apply; what grounds exist for refusing a request; and how to appeal a refusal.
The following categories of records are publicly available and do not require a formal PAIA request:
| Record | Where Available |
|---|---|
| Privacy Policy | intentguard.dev/privacy |
| Terms of Service | intentguard.dev/terms |
| Acceptable Use Policy | intentguard.dev/acceptable-use |
| Cookie Policy | intentguard.dev/cookies |
| This PAIA Manual | intentguard.dev/paia |
| Sub-processor List | Contained within the Privacy Policy at intentguard.dev/privacy |
| Product pricing and feature information | intentguard.dev/pricing |
IntentGuard, as a private body operating in South Africa, is required to maintain certain records under the following legislation. Access to these records is governed by the relevant legislation and by PAIA.
| Legislation | Records Held |
|---|---|
| Companies Act 71 of 2008 | Memorandum of Incorporation, share register, company resolutions, financial statements (once registered) |
| Income Tax Act 58 of 1962 | Tax registration details, income tax returns, VAT records (if applicable) |
| Basic Conditions of Employment Act 75 of 1997 | Employment contracts, payroll records, leave records (when employees are engaged) |
| Electronic Communications and Transactions Act 25 of 2002 | Electronic records of transactions, consumer agreements, contractual records |
| Protection of Personal Information Act 4 of 2013 | Records of processing activities, data subject requests, data breach records |
| Promotion of Access to Information Act 2 of 2000 | This manual, records of PAIA requests received and responses given |
IntentGuard holds records organised under the following subjects. This description is provided to assist requesters in identifying what records may exist.
| Subject | Categories of Records Held |
|---|---|
| Customer and User Records | Account registration data; subscription records; billing history; audit report outputs; support correspondence; data export requests; account deletion requests |
| Audit Metadata | Audit identifiers; repository metadata (name, URL, branch); lines of code counts; audit status records; Intent Alignment Scores; finding records with evidence hashes. NOTE: Source code submitted for auditing is not retained after audit completion. |
| Financial Records | Invoices; payment records (processed by Merchant of Record — Paddle.com Market Limited); subscription transaction records; overage purchase records |
| Personnel Records | Founder records; contractor agreements; payroll records (when applicable) |
| Operational Records | System logs (error and access, 30-day retention); infrastructure configuration records; security incident records; vendor contracts and agreements |
| Legal and Compliance Records | This PAIA manual; Privacy Policy; Terms of Service; AUP; data subject request records; POPIA compliance records; data breach notification records (if applicable) |
| Marketing and Communications Records | Waitlist signups; email campaign records; VC and enterprise outreach records (with consent records) |
| Intellectual Property Records | Source code of the IntentGuard platform (proprietary, not subject to public access); trademark and domain registration records; algorithm documentation (confidential) |
IntentGuard processes personal information for the following purposes:
| Category | Examples |
|---|---|
| Registered Users | Individuals who create an IntentGuard account via GitHub OAuth |
| Organisation Members | Users invited to join an IntentGuard organisation as members or viewers |
| Trial Users | Users accessing the platform during the 14-day, 3-audit free trial |
| Billing Contacts | Users who purchase a subscription or Single Audit |
| Waitlist Subscribers | Persons who sign up for early access at intentguard.dev |
| Prospective Customers | VC analysts, CTOs, and founders contacted via legitimate interest outreach |
| Support Correspondents | Persons who contact IntentGuard via support, hello@, or accounts@ email addresses |
IntentGuard transfers personal information outside the Republic of South Africa to the following third-party sub-processors. All transfers are governed by Data Processing Agreements and, where applicable, Standard Contractual Clauses (SCCs) under GDPR.
| Sub-processor | Country / Region | Personal Information Transferred | Safeguard |
|---|---|---|---|
| Supabase | EU West (Ireland) | Account data, user profiles, org records, audit metadata | DPA + GDPR SCCs |
| Railway | EU | Backend processing infrastructure; temporary audit environment only | DPA |
| Vercel | Edge / Global | Request logs; no personal data stored | DPA |
| Resend | EU (Ireland) | Email addresses; email content for transactional emails | DPA + GDPR SCCs |
| Paddle.com Market Limited | UK / Global | Billing data; payment method data (as Merchant of Record) | DPA + applicable payment regulation |
| Sentry | EU | Error logs (PII scrubbed before transmission via before_send hook) | DPA |
| PostHog | EU | Usage events; anonymous device identifiers (with consent) | DPA + GDPR SCCs |
| Anthropic (Claude) | United States | Code chunks during audit processing only. Not retained after inference. Not used for model training. | DPA + GDPR SCCs |
| Google (Gemini) | United States | Code chunks during audit processing only. Not retained after inference. | DPA + GDPR SCCs |
| Mistral AI | EU (France) | Code chunks during audit processing only. Not retained after inference. | DPA |
| Microsoft Azure OpenAI | Global | Code chunks during audit processing only. Not retained after inference. | DPA + GDPR SCCs |
IntentGuard implements the following technical and organisational measures to protect personal information:
| Category of Personal Information | Retention Period | Basis |
|---|---|---|
| User account data (active accounts) | Duration of account plus 90 days post-closure | Contract |
| Audit reports — Starter tier | 90 days from report generation | Contract |
| Audit reports — Professional tier | 1 year from report generation | Contract |
| Audit reports — Team tier | 2 years from report generation | Contract |
| Audit reports — Business tier | 3 years from report generation | Contract |
| Source code submitted for auditing | Deleted immediately on audit completion (sandbox purge) | POPIA data minimisation + contractual commitment |
| System error logs | 30 days rolling | Legitimate interest (security) |
| Billing transaction records | 7 years | Legal obligation (tax and financial records) |
| PAIA request records | 3 years from date of response | Legal obligation (PAIA) |
| Data breach records (if applicable) | 5 years | Legal obligation (POPIA) |
Any person wishing to access records held by IntentGuard must submit a written request to the Information Officer. Requests may be submitted:
The request must include: the requester's full name and contact details; proof of identity; a description of the record requested; the form in which access is required; and if the request is on behalf of another person, proof of authorisation.
In terms of Section 54 of PAIA and the regulations published in Government Gazette No. 45057 (27 August 2021):
The Information Officer will decide whether to grant or refuse the request within 30 days of receiving the request (or 30 days after payment of the request fee, whichever is later). This period may be extended by a further 30 days in the circumstances set out in Section 57 of PAIA, with written notice to the requester.
IntentGuard may refuse a request on the grounds set out in Chapter 4 of Part 3 of PAIA, including but not limited to:
If a request is refused, the requester will be notified in writing with reasons for the refusal and information about the right to appeal.
If a request is refused or the requester is dissatisfied with the response, the requester may:
This PAIA Manual is available:
The manual will be updated when material changes occur to IntentGuard's records, processing activities, or when required by changes in legislation.
Complaints, queries, and requests relating to PAIA and POPIA may be directed to the Information Regulator: