Privacy Policy

HumanCapital: Managed HR, Payroll, and Compliance Platform

Version 1.1
Effective from 4 May 2026
Last updated 4 May 2026
Operator Vistinct Consultancy (Pty) Limited (the "Operator")
Trading platform HumanCapital ("the Platform")
Registration 2636/2019
Registered office 10 Sanmarco Court, Central Avenue, Harare, Zimbabwe
Data Protection Officer Yeukai Musakwa

1. Introduction

This Privacy Policy describes how the Operator collects, processes, stores, protects, and discloses personal information through the HumanCapital Platform.

The Platform provides managed payroll, leave administration, statutory compliance, benefit-scheme administration, employee self-service, and related human resources services to organisations operating in Zimbabwe ("Clients"). In the course of providing these services, the Platform necessarily processes substantial personal information about individuals employed by, contracted to, or otherwise associated with those Clients ("Data Subjects").

This Policy is issued in accordance with:

  • The Cyber and Data Protection Act [Chapter 12:07] of the Laws of Zimbabwe (the "CDPA");
  • Regulations and guidance issued by the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) in its capacity as Data Protection Authority;
  • The Labour Act [Chapter 28:01] in respect of records the Operator is required to maintain on behalf of Clients;
  • The Income Tax Act [Chapter 23:06], the National Social Security Authority Act, and related statutory instruments governing the records the Platform maintains for revenue and social security purposes;
  • The Constitution of Zimbabwe, in particular section 57 (right to privacy).

The Operator is committed to processing personal information lawfully, fairly, transparently, and in a manner that meets the highest standards expected of a service that operates as the central control layer for payroll and human resources functions.

2. Defined Terms

The following terms have the meanings set out below:

  • "Client" means an organisation that has entered into a service agreement with the Operator to use the Platform.
  • "Data Subject" means any natural person whose personal information is processed by the Platform, including current, former, and prospective employees of a Client; agents, contractors, and beneficiaries associated with a Client; and authorised users of Client organisations.
  • "Personal Information" has the meaning given in the CDPA: information relating to an identified or identifiable natural person.
  • "Sensitive Personal Information" has the meaning given in the CDPA and includes information relating to medical condition, biometric data, financial information, identity-document numbers, and similar categories meriting heightened protection.
  • "Process", "Processing", and cognates have the meaning given in the CDPA: any operation or set of operations performed upon Personal Information, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
  • "Platform" means the HumanCapital software, services, infrastructure, and operations operated by the Operator under the trading name HumanCapital.

2A. Abbreviations

The following abbreviations are used in this Policy:

CDPA: Cyber and Data Protection Act [Chapter 12:07]
POTRAZ: Postal and Telecommunications Regulatory Authority of Zimbabwe
ZIMRA: Zimbabwe Revenue Authority
NSSA: National Social Security Authority
NEC: National Employment Council
ZIMDEF: Zimbabwe Manpower Development Fund
SDF: Standards Development Levy
POBS: Pension and Other Benefits Scheme
APWCS: Accident Prevention and Workers' Compensation Scheme
SSN: Social Security Number
ZWG: Zimbabwe Gold
USD: United States Dollars
TLS: Transport Layer Security
OWASP: Open Web Application Security Project
POPIA: Protection of Personal Information Act, 2013 (South Africa)
DPO: Data Protection Officer

3. Roles and Responsibilities

The Operator's role under the CDPA depends on the category of Personal Information being processed.

3.1 The Operator as Data Controller

The Operator acts as Data Controller in respect of:

  • Personal Information of authorised users of Client organisations whom the Operator onboards directly to the Platform (account credentials, contact details, role assignments, audit metadata);
  • Personal Information collected for the purpose of operating, securing, and administering the Platform itself (system logs, security event records, audit trails);
  • Personal Information of Data Subjects who interact directly with the Operator, for example through this website or through correspondence with the Data Protection Officer.

3.2 The Operator as Data Processor

The Operator acts as Data Processor on behalf of each Client in respect of:

  • Personal Information of the Client's employees, contractors, and beneficiaries that the Client provides or that is generated through use of the Platform in connection with that Client's payroll, leave, and HR operations.

In its capacity as Data Processor, the Operator processes Personal Information only in accordance with the documented instructions of the relevant Client, expressed through the service agreement, the Client's configuration of the Platform, and lawful directions issued by authorised representatives of the Client.

3.3 Joint Responsibilities

In a small set of circumstances, the Operator and the Client share responsibility under the CDPA — for example, in establishing the lawful basis for processing employee Personal Information, in responding to Data Subject access requests, and in handling personal data breaches that affect both parties' obligations. The respective responsibilities are set out in each service agreement.

4. Personal Information We Process

4.1 Categories of Personal Information

The Platform processes the following categories of Personal Information:

Identity and contact information. Full name; identity-document number; date of birth; nationality; residential address; personal email address; mobile telephone number; emergency-contact details.

Employment information. Employment status; employment category; employment class; date of joining; date of termination (where applicable); position or job title; reporting line; cost-centre; departmental assignment; payroll currency profile.

Statutory identifiers. ZIMRA Tax Reference; NSSA Employee Social Security Number (SSN); other statutory registration numbers required for the Client's operations.

Compensation and financial information. Base salary in United States Dollars; base salary in Zimbabwe Gold (ZWG); allowances; commissions; bonuses; benefits-in-kind; deductions; loan balances; garnishee orders; bank-account details (encrypted at rest, see section 7); cumulative earnings; year-to-date statutory contributions.

Leave and time information. Leave balances; leave-ledger entries (append-only history of all accruals, takes, encashments, and adjustments); leave reasons (where provided); approver records; payroll-impact records linking leave events to specific payroll runs.

Benefit-scheme information. Pension fund membership; medical aid scheme membership and tier; group life cover details; funeral cover details; member contributions; employer contributions; designated beneficiaries (where applicable to the scheme).

Self-service interaction information. Channel bindings (Web account, WhatsApp Business number, email address); verification status; session records; commands and queries issued by the Data Subject through self-service channels; agent-assisted interactions, including agent proposals and Data Subject confirmations.

Audit and security information. Records of every state-changing action performed in respect of the Data Subject's records, including the actor (human or agent acting on behalf of a human), the time, the action taken, the prior state, and the new state. The Platform maintains tamper-evident audit logs as a core architectural property of the service.

Document attachments. Where a Client uploads documents that contain Personal Information (for example, identity documents, contracts of employment, leave certificates, medical certificates), those documents are processed and stored as part of the Platform's records.

4.2 Sources of Personal Information

The Platform receives Personal Information from the following sources:

  • Directly from Clients, who upload, enter, or import employee, contractor, and beneficiary data as part of onboarding and ongoing operations;
  • Directly from Data Subjects, who interact with the Platform through Web and WhatsApp Business self-service channels, including verifying channel bindings, viewing payslips, requesting leave, or updating non-sensitive profile information;
  • Generated by the Platform, in the course of executing payroll calculations, statutory computations, leave-balance accruals, and audit-log entries;
  • From third parties, including statutory authorities (where statutory data is provided to the Operator at the Client's request, for example to reconcile a remittance), pension fund administrators, medical aid societies, banks, and benefit-scheme providers.

5. Lawful Basis for Processing

The Operator relies on the following lawful bases for the Processing of Personal Information, depending on the purpose:

5.1 Contractual Necessity

Processing of employee Personal Information for payroll calculation, payment disbursement, leave administration, and benefit-scheme administration is necessary for the performance of the contract of employment between the Client and the Data Subject, and for the performance of the service agreement between the Operator and the Client.

5.2 Compliance with Legal Obligations

The Operator processes Personal Information to enable Clients to comply with their legal obligations under Zimbabwean law, including but not limited to:

  • Calculation, withholding, and remittance of PAYE and the AIDS Levy to the Zimbabwe Revenue Authority (ZIMRA);
  • Calculation and remittance of contributions under the Pension and Other Benefits Scheme (POBS) and the Accident Prevention and Workers' Compensation Scheme (APWCS) to the National Social Security Authority (NSSA);
  • Calculation and remittance of National Employment Council (NEC) levies and the Standards Development Levy (SDF);
  • Maintenance of payroll, leave, and contribution records as required by the Labour Act, the Income Tax Act, and the National Social Security Authority Act;
  • Production of payslips, certificates of service, and tax certificates as required by law;
  • Compliance with garnishee orders and similar legal instruments served on the Client.

5.3 Legitimate Interests

Processing for the security of the Platform, the prevention of fraud (including ghost-worker detection), the maintenance of audit trails, the operational diagnostics of the Platform, and the integrity of statutory and benefit calculations is performed on the basis of the legitimate interests of the Operator, the Client, and Data Subjects in a secure and reliable service.

5.4 Consent

The Operator relies on the consent of the Data Subject for activities that are not necessary for the contract of employment or for compliance with a legal obligation, including:

  • Binding a Data Subject's WhatsApp Business number to the Platform for self-service use (the Data Subject must affirmatively bind and verify the channel);
  • Use of non-essential cookies, where applicable, on the Platform's web interfaces (see the Cookies Policy);
  • Receipt of communications that are not essential to the employment relationship.

Consent may be withdrawn at any time by contacting the Data Protection Officer. Withdrawal does not affect the lawfulness of processing performed before withdrawal, and does not affect processing for which a different lawful basis applies.

6. Purposes of Processing

Personal Information is processed only for the following purposes:

  1. Payroll operations — calculating gross pay, deductions, statutory contributions, and net pay; producing payslips; coordinating bank disbursement; performing reconciliation against bank statements, statutory submissions, and benefit remittance schedules.
  2. Statutory compliance — calculating, recording, and supporting the remittance of obligations to ZIMRA, NSSA, NEC, ZIMDEF, the SDF authority, and other statutory bodies.
  3. Benefit-scheme administration — calculating and producing remittance schedules for pension funds, medical aid societies, group life and funeral cover providers; supporting Client decisions on scheme configuration and membership.
  4. Leave administration — accrual and balance maintenance; processing of leave requests, approvals, takes, encashments, and termination payouts; production of leave-liability reports.
  5. Employee self-service — enabling Data Subjects to view their own records (payslips, leave balances), submit leave requests, and update non-sensitive profile information through the Web portal and WhatsApp Business channel, subject to channel-binding and verification.
  6. Agent-assisted operations — where the Client has enabled agent capabilities, supporting the agent in drafting proposals, retrieving information the actor is entitled to view, and executing low-risk reversible actions on behalf of the actor. The agent's data access is bounded by the scope of the human acting-on-behalf-of in every interaction.
  7. Audit, integrity, and accountability — maintaining tamper-evident records of every state-changing action; supporting investigations by the Client, by external auditors, and by statutory authorities; defending payroll outcomes to employees, ZIMRA, NSSA, fund administrators, and other stakeholders.
  8. Platform security and operational integrity — preventing unauthorised access, detecting anomalous behaviour, applying rate limits, conducting integrity verification of audit chains, and operating the Platform safely.
  9. Service administration — onboarding new Clients and authorised users, providing technical support, billing, and managing the contractual relationship with each Client.
  10. Communications — sending operational notifications (for example, payroll-run status, leave-request decisions, statutory deadline reminders) through verified channels.

The Operator does not use Personal Information for direct marketing in respect of Data Subjects who are employees of Clients. Communications with Data Subjects relate to the operation of the Platform for the benefit of the Data Subject and the Client.

7. Security of Personal Information

The Platform is built to operate at institutional scale and to handle Personal Information that is, by its nature, highly sensitive. The Operator targets the OWASP Application Security Verification Standard, Level 3 as a structural release gate, not a checklist.

The principal security controls in place are summarised below.

7.1 Encryption in Transit

All communications with the Platform use Transport Layer Security (TLS), version 1.2 minimum. Earlier versions of TLS are explicitly disabled. HTTP Strict Transport Security headers are issued with a minimum one-year lifetime. Inbound webhooks from third parties (for example, the WhatsApp Business Platform) have their signatures verified before any further processing.

7.2 Encryption at Rest

All databases supporting the Platform use Transparent Data Encryption at the storage layer. Generated files (payslips, schedules, reports) are stored with server-side encryption.

In addition, three categories of Highly Sensitive information are protected with dedicated encryption keys, with access strictly partitioned by function:

  • Bank-account details of employees and beneficiaries — encrypted with a dedicated key. Only the Payments service account holds decryption rights.
  • Remittance and creditor account details for benefit schemes and garnishee creditors — encrypted with a separate dedicated key. Only the Payments service account holds decryption rights.
  • General sensitive Personal Information (identity-document numbers, tax references, medical aid membership, leave reasons) — encrypted with a third dedicated key.

7.3 Access Control

Access to Personal Information within the Platform is governed by:

  • Tenant isolation — every query is scoped by Client identifier. Cross-Client data access is treated by the Platform as a critical security failure and is structurally prevented at the data access boundary.
  • Role-based authorisation — access decisions are made against typed roles, not strings, at the application layer.
  • Separation of duties — the user who creates a payroll run may not approve it; the user who calculates a run may not reconcile it; the user who creates an employee record may not verify it; and similar separations apply throughout the workflow.
  • Channel-level data classification — Highly Sensitive information (bank details, identity-document numbers, tax references) is never transmitted through messaging channels. Where a Data Subject requests such information, it is delivered through the verified Web channel only.
  • Agent scope inheritance — where the Client has enabled agent capabilities, the agent operates as a client of the Platform, not a privileged subsystem. The agent's data access is bounded by the scope of the human acting-on-behalf-of and cannot exceed it.

7.4 Audit and Tamper Evidence

The Platform maintains an append-only audit log covering every state-changing action. The audit log uses hash-chaining: each entry records the hash of the previous entry and the hash of its own content, so any retrospective alteration is detectable. A daily verification job recomputes the chain and raises high-severity alerts on any break. Audit-log batches are shipped hourly to immutable external storage with seven-year retention, outside the application's write scope.

The application runtime account is explicitly denied database UPDATE and DELETE permissions on the audit log. Audit entries can only be appended.
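
The following sketch illustrates the hash-chaining and verification described in this section. It is an added example, not the Platform's own code, and it shows which alterations a chain recomputation detects and which only an externally held head hash detects. The hash construction (SHA-256 over canonical JSON), the genesis value, the field and function names, and the sample events are assumptions constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumption: sentinel prev_hash for the first entry


def entry_hash(prev_hash, content):
    """SHA-256 over canonical JSON of the previous hash plus this entry's content."""
    payload = json.dumps({"prev_hash": prev_hash, "content": content},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log, content):
    """Append-only write: link the new entry to the current head of the chain."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"prev_hash": prev, "content": content,
             "entry_hash": entry_hash(prev, content)}
    log.append(entry)
    return entry


def verify_chain(log, anchor=None):
    """Recompute the chain and return a list of (index, reason) findings.

    anchor is an optional (entry_count, head_hash) pair recorded in storage
    the application cannot write to, e.g. taken when a batch was shipped.
    """
    findings = []
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev:
            findings.append((i, "prev_hash mismatch"))
        if entry_hash(entry["prev_hash"], entry["content"]) != entry["entry_hash"]:
            findings.append((i, "entry_hash mismatch"))
        expected_prev = entry["entry_hash"]
    if anchor is not None:
        count, head = anchor
        if len(log) < count:
            findings.append((len(log), "log shorter than anchored batch"))
        elif count and log[count - 1]["entry_hash"] != head:
            findings.append((count - 1, "anchor mismatch"))
    return findings


def sample_log():
    """Constructed events using the fields the policy lists for audit records."""
    log = []
    for content in (
        {"actor": "user:payroll-clerk", "time": "2026-05-04T08:00:00Z",
         "action": "payroll_run.calculate",
         "prior_state": "DRAFT", "new_state": "CALCULATED"},
        {"actor": "user:payroll-manager", "time": "2026-05-04T09:30:00Z",
         "action": "payroll_run.approve",
         "prior_state": "CALCULATED", "new_state": "APPROVED"},
        {"actor": "agent:on-behalf-of:user:hr-officer", "time": "2026-05-04T10:15:00Z",
         "action": "leave_request.approve",
         "prior_state": "PENDING", "new_state": "APPROVED"},
    ):
        append_entry(log, content)
    return log


def rewrite_from(log, start):
    """Model a writer with full table access re-hashing every entry from `start` on."""
    prev = log[start - 1]["entry_hash"] if start else GENESIS
    for entry in log[start:]:
        entry["prev_hash"] = prev
        entry["entry_hash"] = entry_hash(prev, entry["content"])
        prev = entry["entry_hash"]


def run_scenarios():
    """Return the verifier's findings for each constructed tampering scenario."""
    log = sample_log()
    anchor = (len(log), log[-1]["entry_hash"])  # head hash as shipped externally

    edited = copy.deepcopy(log)  # content changed in place, hashes untouched
    edited[1]["content"]["actor"] = "user:payroll-clerk"

    deleted = copy.deepcopy(log)  # one entry removed from the middle
    del deleted[1]

    rewritten = copy.deepcopy(log)  # content changed, then chain re-hashed
    rewritten[1]["content"]["actor"] = "user:payroll-clerk"
    rewrite_from(rewritten, 1)

    return {
        "clean": verify_chain(log, anchor),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "rewritten_no_anchor": verify_chain(rewritten),
        "rewritten_with_anchor": verify_chain(rewritten, anchor),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'chain intact'}")
```

The last scenario shows why the anchor sits outside the application's write scope: a chain re-hashed end to end is internally consistent, and only the externally held head hash exposes it.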

7.5 Rate Limiting and Anti-Abuse

Authentication endpoints are subject to multi-dimensional rate limiting at the network edge and at the application layer, calibrated to permit legitimate use while structurally limiting brute-force and enumeration attempts. Tenant-level and user-level limits are applied to mutating operations to prevent any single actor from exhausting Platform capacity.

7.6 Logging and Diagnostic Discipline

The Operator does not log secrets, credentials, bank-account numbers, identity-document numbers, or salary figures in plain text. Logs record business intent, outcome, and correlation identifiers sufficient for diagnostics but insufficient to reconstruct sensitive details.

7.7 Personnel and Process Controls

Personnel of the Operator who have any access to Client Personal Information are bound by confidentiality undertakings, are trained on data protection obligations, and operate under disciplined access procedures. Access is logged, periodically reviewed, and rescinded promptly on change of role or end of engagement.

8. Hosting and International Transfers

8.1 Hosting Location

The Platform's production data is hosted in the Republic of South Africa, in the data centres of an established commercial hosting provider, operating under the laws of South Africa.

The Operator has chosen this hosting arrangement because it provides:

  • A regulatory regime materially equivalent to Zimbabwe's CDPA. South Africa's Protection of Personal Information Act, 2013 (POPIA), in force since 2021, establishes data-protection principles substantively comparable to those in the CDPA and to the European Union's General Data Protection Regulation. The Information Regulator of South Africa is an established supervisory authority.
  • Operational resilience and security maturity at a level required for a service of HumanCapital's nature, with industry-standard physical, environmental, and network controls.
  • Geographic and regulatory proximity. Zimbabwe and South Africa are partners in the Southern African Development Community, and routine commercial data flows between the two jurisdictions are well-established and recognised.

8.2 Cross-Border Transfer Safeguards

In accordance with section 28 of the CDPA, transfers of Personal Information from Zimbabwe to South Africa for the purpose of operating the Platform are conducted under the following safeguards:

  • Adequate level of protection — the destination jurisdiction (South Africa) operates under POPIA, which provides a level of protection that the Operator considers materially adequate to that required by Zimbabwean law.
  • Contractual safeguards — the Operator's contractual arrangements with its hosting provider impose obligations on the provider in respect of data security, confidentiality, breach notification, and the use of subcontractors.
  • Operational controls — the security controls described in section 7 are applied independently of the hosting provider's own controls.

8.3 No Onward Transfer Beyond Stated Jurisdictions

Personal Information is not transferred to any jurisdiction other than Zimbabwe (the country of collection) and South Africa (the country of hosting), except where:

  • The Data Subject has given specific, informed consent to a transfer for an identified purpose;
  • The transfer is necessary to comply with a legal obligation (for example, a lawful order issued by a competent authority);
  • The transfer is necessary for the performance of a specific task identified in the service agreement with the relevant Client.

The Operator will publish updated disclosures should the hosting arrangement, or the use of any subprocessor in another jurisdiction, materially change.

9. Retention of Personal Information

The Operator retains Personal Information for the periods necessary to fulfil the purposes for which it was collected and to comply with applicable law.

9.1 Statutory Retention Minimums

Certain categories of Personal Information are retained for periods specified by Zimbabwean law:

  • Payroll records, including payslips, statutory submissions, and reconciliation records — retained for the period required by the Income Tax Act and the Labour Act, currently a minimum of six years from the end of the relevant tax year, and longer where ongoing assessment, dispute, or audit so requires.
  • Audit logs and integrity records — retained for seven years from the date of the recorded event, in immutable external storage, in accordance with the Platform's institutional integrity standard.
  • NSSA contribution records — retained for the period required by the National Social Security Authority Act and applicable subsidiary legislation.
  • Leave-ledger entries — retained as append-only entries for the lifetime of the underlying employment relationship and for a period thereafter sufficient to defend leave-related obligations and disputes.

9.2 Operational Retention

Personal Information that is not subject to a statutory minimum is retained for the period necessary to provide the Platform service to the Client, and is securely deleted or de-identified within a reasonable period after the Client's service agreement ends, save where retention is required by law or to defend a legal claim.

9.3 End-of-Service Disposition

Where a Client's service agreement ends, the Operator will, in accordance with the service agreement and applicable law:

  • Make the Client's data available for export in a structured format;
  • Delete or de-identify the Client's data on the Platform after a wind-down period sufficient to permit migration and to satisfy retention obligations the Client is subject to;
  • Continue to retain audit logs and integrity records for the periods specified above, since these records exist for the protection of all stakeholders, including Data Subjects, and cannot be deleted at the request of an individual Client.

10. Disclosure of Personal Information

The Operator does not sell Personal Information. Personal Information is disclosed only as set out below.

10.1 Disclosure to Statutory Authorities

The Operator supports the production of returns, schedules, and reports for submission to ZIMRA, NSSA, NEC, ZIMDEF, the SDF authority, and other statutory bodies as part of the Platform's core service. These disclosures are made on the lawful basis of the Client's compliance with legal obligation, and only contain Personal Information that is required by the relevant statute or regulation.

10.2 Disclosure to Pension Fund Administrators, Medical Aid Societies, and Insurers

The Platform produces benefit-remittance schedules formatted for submission to pension fund administrators, medical aid societies, group life insurers, and funeral cover providers nominated by the Client. These disclosures are made for the operation of the relevant scheme on behalf of the Data Subject, and only the information required by the scheme is shared.

10.3 Disclosure to Banks

Net-pay disbursement requires the production of bank payment files for the Client's chosen bank. These files contain the Personal Information necessary for the bank to process the payment.

10.4 Disclosure to Garnishee Creditors

Where a competent court has issued a garnishee order against an employee, the Platform supports the Client in remitting the prescribed amount to the creditor as required by the order. Disclosures are limited to those required by the order itself.

10.5 Disclosure to Third-Party Processors

The Operator uses a limited number of third-party processors to operate the Platform, including:

  • The hosting provider (Republic of South Africa, see section 8);
  • Email-delivery services for transactional notifications;
  • The WhatsApp Business Platform for self-service messaging where the Client and Data Subject have enabled it;
  • SMS gateways for one-time-password delivery and operational notifications.

Each processor is engaged under contract terms that require the processor to handle Personal Information only on the Operator's documented instructions, to apply appropriate security, and to assist the Operator in meeting its obligations to Data Subjects and to Clients.

10.6 Disclosure on Lawful Order

The Operator will respond to lawful orders, subpoenas, and other compulsory legal processes issued by competent Zimbabwean authorities. Where law permits, the Operator will notify the affected Client and, where applicable, the Data Subject before disclosing.

10.7 Disclosure in Connection with Defence of Claims

Personal Information may be disclosed to the Operator's professional advisers, insurers, and dispute-resolution forums to the extent necessary to investigate, defend, or settle a claim made against the Operator or against a Client.

10.8 No Other Disclosure

The Operator does not disclose Personal Information for marketing purposes, to data brokers, or to any party not described above, except with the affirmative consent of the Data Subject for an identified purpose.

11. Rights of Data Subjects

In accordance with the CDPA, every Data Subject has the rights set out below in respect of Personal Information that the Operator processes about them. Rights apply to information that the Operator holds in its capacity as Data Controller; in respect of information held in its capacity as Data Processor on behalf of a Client, requests will ordinarily be directed to the relevant Client and supported by the Operator.

11.1 Right of Access

The right to obtain confirmation of whether Personal Information about the Data Subject is being processed, and, where so, to obtain a copy of that Personal Information together with information about the purposes of processing, the categories of recipient, and the retention periods.

11.2 Right of Correction

The right to obtain correction of Personal Information that is inaccurate or incomplete.

11.3 Right of Deletion

The right to obtain deletion of Personal Information where the Personal Information is no longer necessary for the purposes for which it was collected, or where consent (in respect of consent-based processing) has been withdrawn. This right is subject to the retention obligations described in section 9 — for example, audit-log entries cannot be deleted on individual request, since they exist for the protection of all stakeholders and are required by law to be retained.

11.4 Right of Restriction

The right to request that processing of Personal Information be restricted in defined circumstances, for example where the accuracy of the data is contested.

11.5 Right of Objection

The right to object to processing performed on the basis of legitimate interests, where the Data Subject's particular situation outweighs the interests pursued.

11.6 Right of Portability

The right to receive Personal Information that the Data Subject has provided in a structured, commonly-used, machine-readable format, and to transmit it to another controller, where processing is carried out by automated means and is based on consent or on the necessity of a contract.

11.7 Right Not to be Subject to a Solely Automated Decision

The Platform does not make solely automated decisions that produce legal effects on Data Subjects. Payroll calculations are performed automatically against versioned statutory and policy parameters, and the results are subject to human review (separation of duties between calculation and approval) before any disbursement, statutory submission, or benefit remittance is made.

11.8 Right to Lodge a Complaint

A Data Subject who is dissatisfied with the way the Operator has handled Personal Information has the right to lodge a complaint with the Operator's Data Protection Officer (section 12 below) and, if not satisfied, with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) in its capacity as Data Protection Authority.

11.9 Exercising Rights

Rights may be exercised by writing to the Data Protection Officer at the contact address in section 12. The Operator will respond, as required by the CDPA, within thirty (30) days of receipt of a valid request, save where the complexity or volume of the request requires a reasonable extension, in which case the Operator will explain the reason and the expected timescale.

The Operator may need to verify the identity of the requester before responding, in order to protect the Personal Information of the Data Subject from unauthorised disclosure.

The Operator does not charge for the exercise of rights, save in cases of manifestly unfounded or excessive requests, where a reasonable fee may be charged or the request refused, with reasons provided.

12. Data Protection Officer

The Operator has designated a Data Protection Officer (DPO) in accordance with section 19 of the CDPA. The DPO is responsible for:

  • Monitoring the Operator's compliance with the CDPA and other applicable data-protection law;
  • Advising the Operator and its personnel of their obligations;
  • Cooperating with POTRAZ as Data Protection Authority;
  • Acting as the point of contact for Data Subjects on all matters relating to the Processing of their Personal Information.

The DPO can be contacted as follows:

Name Yeukai Musakwa
Email yeukai@humancapital.co.zw
Postal address 10 Sanmarco Court, Central Avenue, Harare, Zimbabwe

13. Personal Data Breaches

A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information.

13.1 Detection

The Platform's security architecture is designed to detect breach indicators, including audit-chain anomalies, unauthorised access attempts, and unusual patterns of activity. Where a breach is suspected, the Operator activates its incident-response procedure.

13.2 Notification to the Data Protection Authority

The Operator will notify POTRAZ of a personal data breach without undue delay, and where feasible no later than seventy-two (72) hours after becoming aware of it, in accordance with the CDPA. Where the seventy-two-hour timeline is not met, the notification will explain the reasons for the delay.

13.3 Notification to Affected Clients

The Operator will notify affected Clients of any personal data breach affecting their data without undue delay, with sufficient information to enable the Client to discharge its own notification obligations to Data Subjects and to authorities.

13.4 Notification to Data Subjects

Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Operator will, in coordination with the affected Clients, notify the Data Subjects directly and provide them with information about the nature of the breach, the measures taken or proposed, and the contact point for further information.

13.5 Records of Breaches

The Operator maintains an internal register of all personal data breaches, including those that did not require notification, in accordance with section 22 of the CDPA.

14. Children

The Platform is designed for the management of employment relationships and does not knowingly collect Personal Information about children below the age of 16, save where the child is a designated beneficiary of an adult's benefit scheme (for example, a medical aid dependant or funeral cover dependant), in which case the information is collected from the adult member and processed solely for the operation of that scheme.

15. Changes to this Privacy Policy

The Operator will update this Privacy Policy from time to time to reflect changes to the Platform, to the law, or to operational practice.

When a change is made:

  • The "Last updated" date and version number at the top of this Policy will be updated;
  • For material changes, the Operator will publish a notice on the Platform's website and may notify Clients and Data Subjects directly through verified channels;
  • Earlier versions of this Policy will remain available on request from the Data Protection Officer.

Continued use of the Platform after a change constitutes acceptance of the updated Policy. Where consent was the lawful basis for a particular processing activity, fresh consent will be sought rather than relying on prior consent against new terms.

16. Contact

Operator Vistinct Consultancy (Pty) Limited
Trading as HumanCapital
Registration 2636/2019
Registered office 10 Sanmarco Court, Central Avenue, Harare, Zimbabwe
Data Protection Officer Yeukai Musakwa
General enquiries mail@humancapital.co.zw
Website https://www.humancapital.co.zw

The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) acts as Zimbabwe's Data Protection Authority and may be contacted directly by Data Subjects who wish to lodge a complaint.

This Privacy Policy is published in English. In the event of inconsistency between any translation and the English version, the English version prevails.
