Privacy Policy - TMS Teamwork

1. Who We Are

Registered Name	TMS Teamwork (Pty) Ltd
Registration Number	2014/19093/07
Physical Address	No 2, 10th Avenue, Melville, Gauteng
Website	www.tmsteamwork.co.za
Telephone	+27 11 482 2161

Information Officer (POPIA s55): B van der Westhuizen, Chief Executive Officer — barry@tmsteamwork.co.za

2. Our Role Under POPIA

As a Responsible Party: when we process personal information for our own business purposes — for example, information about our own employees, or about individuals at our client organisations.

As an Operator: when we process personal information on behalf of our client organisations, under their instruction. Our clients include automotive repair workshops, insurance companies, and other regulated entities. We process their customers' personal information strictly in accordance with our clients' instructions and applicable law.

3. Personal Information We Collect

3.1 As Responsible Party (our own operations)

Category	Examples
Employee information	Full names, ID numbers, contact details, payroll and banking details, employment records
Client contact information	Names, email addresses, telephone numbers, job titles of persons at client organisations
Business contact information	Contact details of suppliers and service providers
Platform administrator accounts	Names, email addresses, roles within client organisations

3.2 As Operator (on behalf of clients)

The following categories are processed through TMS-Online on behalf of our client organisations. Our clients determine the purpose and means of this processing.

Category	Examples
End-customer details	Full names, contact details (telephone, email, address)
Identification information	Identity numbers (used for credit checks or regulatory purposes by clients)
Vehicle information	Vehicle registration numbers, VIN numbers, make, model
Vehicle history data	Repair dates, damage type, repair scope, cost category
Insurance information	Policy numbers, insurer names, claim details, assessor details
Financial information	Invoice amounts, payment records, supplier banking details, claim settlement amounts
Communication records	SMS and WhatsApp messages between the platform and end-customers
Platform usage data	Login timestamps, IP addresses, session data, audit trail

3.3 Website (www.tmsteamwork.co.za)

Our marketing website does not use cookies, does not collect personal information through user accounts, and does not employ analytics or tracking tools. If you contact us through the website, we will collect only the personal information you voluntarily provide for the purpose of responding to your enquiry.

4. Purpose of Processing

4.1 As Responsible Party

Managing our employment relationships
Delivering and supporting the TMS-Online platform to client organisations
Managing contractual relationships with clients, suppliers, and service providers
Maintaining financial records as required by law
Complying with applicable legislation
Security monitoring and platform integrity

4.2 As Operator

Vehicle damage assessment and repair management
Insurance claim processing and tracking
Parts ordering and supplier management
Customer communication and job tracking
Financial processing and invoicing

We do not use data processed as an Operator for any purpose beyond what is necessary to deliver our services to the client, except where an end-customer has provided explicit consent for Vehicle History Sharing.

5. Vehicle History Data Service

TMS Teamwork operates a Vehicle History Data service as an independent Responsible Party. With the explicit consent of the vehicle owner, we compile vehicle incident reports from repair records processed on the platform and make these available to authorised third parties (such as motor vehicle dealers) for vehicle valuation and pre-purchase assessment.

Vehicle history reports include repair dates, damage type and severity, repair scope, and repair cost category, keyed to the Vehicle Identification Number (VIN). Reports do not include the vehicle owner's name, contact details, identification number, or any other direct personal information.

The VIN is classified as an indirect personal identifier under POPIA because it can be linked to the registered vehicle owner through external databases. Vehicle history data is therefore treated as personal information, and explicit consent (POPIA s11(1)(a)) is required before any vehicle history report is shared. Vehicle owners may withdraw this consent at any time.

Customer Workspace. If your repair shop has enabled our Customer Workspace, you can track your repair online and manage your consent preferences — including Vehicle History Sharing — at any time from within the workspace. Your preferences are recorded in an auditable log and applied immediately.

6. Legal Basis for Processing

Ground	Application
Contract	Processing necessary for performance of a contract with the data subject or their employer
Legal obligation	Processing required to comply with POPIA, the Companies Act, the Tax Administration Act, the BCEA, and other applicable legislation
Legitimate interest	Processing necessary for our legitimate business interests (security monitoring, fraud prevention, platform integrity), where these interests are not overridden by the data subject's rights
Consent	Where consent is the appropriate ground, including Vehicle History Sharing with authorised third parties

7. Sharing and Disclosure of Personal Information

7.1 Within TMS Teamwork

Personal information is accessible only to TMS Teamwork employees and contractors who require it to perform their functions, on a strict need-to-know basis.

7.2 With Service Providers

We use a small number of reputable service providers to deliver our platform. These include:

A South African primary hosting provider for data storage and infrastructure
Cloud infrastructure services (primary region: South Africa)
Email hosting (South Africa)
Messaging providers for SMS and WhatsApp delivery to customers
Customer satisfaction survey services (South Africa)
Accounting platform integrations (optional; enabled only when a client configures them)
Address verification services
Vehicle damage assessment and repair method data providers

All service providers are engaged under appropriate contractual safeguards. No personal information is shared with third parties for their own independent marketing or commercial purposes, except where the data subject has given explicit consent for Vehicle History Sharing (see section 7.4).

A full list of current sub-processors is available on request by emailing info@tmsteamwork.co.za.

7.3 With Regulatory and Law Enforcement Authorities

We may disclose personal information where required by law, court order, or lawful request from a regulatory authority (including the Information Regulator, SARS, SAPS, or sector regulators).

7.4 Vehicle History Report Recipients

With the explicit consent of the vehicle owner, we share vehicle incident reports — containing repair dates, damage type, repair scope, and cost category, keyed to the VIN — with authorised motor vehicle dealers registered on the TMS Vehicle History platform. These reports do not contain the vehicle owner's name, contact details, or identification number.

Dealers may use vehicle history reports solely for vehicle valuation and pre-purchase assessment. Each dealer is bound by a Data Processing Agreement that prohibits marketing, profiling, onward resale of data, and any use beyond the stated purpose.

We maintain an auditable register of all vehicle history queries (querying dealer, VIN queried, timestamp, and whether a report was returned), retained for 7 years per the Companies Act s24(1) and the Cybercrimes Act 19 of 2020.

Vehicle owners may withdraw Vehicle History Sharing consent at any time. On withdrawal, reports for that vehicle are no longer made available to dealers, and authorised dealers are contractually required to purge any cached reports within 30 days.

8. Cross-Border Transfers

TMS Teamwork does not store personal information outside the Republic of South Africa. However, some service integrations involve the transmission of personal information to international service providers via API for processing purposes (for example, international messaging, address verification, vehicle assessment data, and client-initiated accounting integrations).

In each case, data is transmitted for processing and is not retained outside South Africa by TMS Teamwork. All international service providers are engaged under appropriate contractual safeguards in accordance with POPIA s72.

9. Security Measures

We apply industry-standard technical and organisational safeguards to protect personal information, including:

Encryption of data in transit and at rest
Multi-factor authentication for platform access
Role-based access control with field-level permission enforcement
Multi-tenant data isolation (each client's data is isolated from other clients)
Automated malware scanning of uploaded files
Web application firewall protection
Security audit logging
Account lockout on repeated failed login attempts
Enforced password complexity and rotation (single sign-on accounts follow the identity provider's policy)

In the event of a security breach involving your personal information, we will notify you and the Information Regulator as required by POPIA s22.

10. Retention of Personal Information

Category	Retention Period	Basis
Financial records	7 years	Companies Act 71/2008
Employment records	3 years after employment ends	BCEA 75/1997
Client identification records	5 years after relationship ends	FICA 38/2001
Platform user accounts	Duration of use + 90 days	POPIA s14
Audit logs	12 months	ISO 27001
Security incident records	7 years	POPIA s22; Cybercrimes Act 19/2020
Vehicle history query logs	7 years	Companies Act 71/2008; Cybercrimes Act 19/2020
Customer PII (no financial nexus)	Until erasure request fulfilled	POPIA s14

11. Cookies and Tracking Technologies

Website (www.tmsteamwork.co.za): our website does not use cookies, web beacons, tracking pixels, or any analytics or marketing tools.

TMS-Online Platform: the platform uses essential session cookies required for authentication and security only. No advertising, third-party tracking, or profiling cookies are used.

12. Your Rights as a Data Subject

Right	Description
Right of access	Request a record or description of personal information we hold about you
Right of correction	Request correction of inaccurate, irrelevant, excessive, outdated, or misleading personal information
Right of deletion (erasure)	Request deletion of personal information where we no longer have a lawful basis to retain it (subject to statutory retention obligations)
Right to object	Object to processing of your personal information for a specific purpose
Right to withdraw consent	Where processing is based on consent, withdraw that consent at any time
Right to lodge a complaint	Lodge a complaint with the Information Regulator

To exercise any of these rights, email info@tmsteamwork.co.za. You will receive a Data Subject Request Form to complete and lodge your request formally.

Alternatively, contact the Information Officer directly:
B van der Westhuizen · barry@tmsteamwork.co.za · +27 11 482 2161 · No 2, 10th Avenue, Melville, Gauteng

13. Direct Marketing

TMS Teamwork sends marketing communications (such as product updates, service announcements, and related offerings) only to existing customers, in terms of the exemption in POPIA s69(3) for direct marketing to a data subject whose details were obtained in the context of a sale of a similar product or service.

We do not send unsolicited marketing to prospects or members of the public, and we do not sell, rent, or share customer contact details with third parties for their own marketing purposes.

Marketing from us is sent by email. We do not use SMS or WhatsApp for our own marketing communications.

You may opt out of receiving marketing communications from us at any time by clicking the unsubscribe link in any marketing email, or by emailing info@tmsteamwork.co.za. Opt-out requests are actioned within 5 business days. Opting out will not affect operational or service-related communications necessary to deliver the TMS-Online platform.

14. Complaints

If you believe TMS Teamwork has handled your personal information in a manner that does not comply with POPIA, you may first contact our Information Officer at barry@tmsteamwork.co.za. If unsatisfied, lodge a complaint with the Information Regulator of South Africa:

Website	https://inforegulator.org.za
Email	inforeg@justice.gov.za
Telephone	012 406 4818
Address	JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. Platform users will be presented with updated policies for acceptance before continued use.

16. Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including POPIA and the Companies Act 71 of 2008.