1. List of Acronyms and Abbreviations
| Abbreviation | Full Name |
|---|---|
| CEO | Chief Executive Officer |
| CIPC | Companies and Intellectual Property Commission |
| DIO | Deputy Information Officer |
| ECTA | Electronic Communications and Transactions Act 25 of 2002 |
| GDPR | General Data Protection Regulation (European Union) |
| IO | Information Officer |
| Minister | Minister of Justice and Correctional Services |
| PAIA | Promotion of Access to Information Act 2 of 2000 (as amended) |
| POPIA | Protection of Personal Information Act 4 of 2013 |
| Regulator | Information Regulator of South Africa |
| Republic | Republic of South Africa |
2. Purpose of this PAIA Manual
This PAIA Manual is compiled in compliance with Section 51 of the Promotion of Access to Information Act 2 of 2000 (as amended). It is intended to be useful to the public to:
- Check the categories of records held by Pocket Friend (Pty) Ltd which are available without a person having to submit a formal PAIA request.
- Have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject.
- Know the description of the records of the body which are available in accordance with any other legislation.
- Access all the relevant contact details of the Information Officer who will assist the public with the records they intend to access.
- Know the description of the guide on how to use PAIA, as updated by the Regulator, and how to obtain access to it.
- Know if the body will process personal information, the purpose of processing of personal information, and the description of the categories of data subjects and of the information or categories of information relating thereto.
- Know the recipients or categories of recipients to whom the personal information may be supplied.
- Know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied.
- Know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.
3. Key Contact Details
3.1 Information Officer
The Information Officer of Pocket Friend (Pty) Ltd is the sole director of the company, appointed by virtue of their position as head of the private body in terms of Section 1 of PAIA.
| Detail | Information |
|---|---|
| Title | Information Officer / Director |
| support@pocketfriend.co.za | |
| Telephone | +27 66 534 6003 |
3.2 Deputy Information Officer
No Deputy Information Officer has been designated at this time. The Information Officer fulfils all duties directly.
3.3 Registered Office
| Detail | Information |
|---|---|
| Registered Name | Pocket Friend (Pty) Ltd |
| Registration Number | 2026/135783/07 |
| Postal Address | PO Box 188, Suite 23, Robertson, Western Cape, South Africa, 6705 |
| support@pocketfriend.co.za | |
| Website | pocketfriend.co.za |
4. Guide on How to Use PAIA and How to Obtain Access to the Guide
The Information Regulator has, in terms of Section 10(1) of PAIA (as amended), updated and made available the revised Guide on how to use PAIA (the "Guide"), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA.
The Guide is available in each of the official languages and in braille.
The Guide contains, among other things, a description of the objects of PAIA and POPIA; the contact details of Information Officers and Deputy Information Officers; the manner and form of a request for access to a record; the assistance available from the Information Officer and from the Regulator; all remedies in law regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA; the provisions regarding compilation of manuals; the provisions regarding voluntary disclosure of categories of records; notices regarding fees; and the regulations made in terms of Section 92.
Members of the public can inspect or make copies of the Guide from the offices of the Regulator during normal working hours.
The Guide can also be obtained:
- Upon request to the Information Officer at the contact details provided in Section 3 above.
- From the website of the Information Regulator: inforegulator.org.za
A copy of the Guide is available in English and Afrikaans for public inspection at the registered office during normal office hours.
5. Records Available Without a Person Having to Request Access
The following categories of records are available without a person having to submit a formal PAIA request:
| Category | Description | On Website | On Request |
|---|---|---|---|
| Terms and Conditions | Full terms of service for the Pocket Friend service | Yes — pocketfriend.co.za/terms.html | Yes |
| Privacy Policy | Full privacy policy detailing data collection and processing | Yes — pocketfriend.co.za/privacy.html | Yes |
| PAIA Manual | This manual | Yes — this page | Yes |
| Company Registration | CIPC registration certificate | No | Yes |
6. Records Available in Accordance with Other Legislation
The following records are created and available in accordance with South African legislation:
| Category of Records | Applicable Legislation |
|---|---|
| Company registration documents (MOI, certificates) | Companies Act 71 of 2008 |
| PAIA Manual | Promotion of Access to Information Act 2 of 2000 |
| Privacy Policy | Protection of Personal Information Act 4 of 2013 |
| Terms and Conditions (incl. ECTA Section 43 disclosure) | Electronic Communications and Transactions Act 25 of 2002 |
| Transaction records and invoices | Income Tax Act 58 of 1962; Value-Added Tax Act 89 of 1991 |
| Financial records | Companies Act 71 of 2008 |
7. Subjects and Categories of Records Held
The following describes the subjects in respect of which Pocket Friend (Pty) Ltd holds records and the categories of records held on each subject:
| Subject | Categories of Records |
|---|---|
| User Accounts | Phone numbers, nicknames, persona preferences, email addresses (optional), account balances, dialling codes, currency preferences, payment provider references, onboarding status |
| Conversations | Text messages, transcribed voice notes, image descriptions, AI-generated responses. Automatically deleted after 90 days |
| Conversation Summaries | AI-generated summaries of past conversations, used for service continuity. Retained until account deletion |
| Financial Transactions | Deposits, automatic top-ups, per-message cost deductions, payment references, amounts, timestamps. Retained for 5 years per tax regulations |
| Payment Processing | Tokenised card references (Paystack authorization codes, Peach Payments registration IDs, card last 4 digits, card brand). No full card numbers stored |
| Support Tickets | Ticket numbers, subjects, messages, status. Linked to user accounts |
| Authentication Records | OTP verification codes (temporary, auto-expire), website portal session tokens (temporary, auto-expire) |
| System Configuration | Operational settings (pricing, API configurations, thresholds). No personal information |
| Email Templates | Template content for transactional emails. No personal information |
| Persona Configurations | AI persona settings (system prompts, voice settings). No personal information |
| Company Administration | CIPC registration documents, financial records, tax records, contracts with service providers, intellectual property records |
8. Processing of Personal Information
8.1 Purpose of Processing Personal Information
Pocket Friend (Pty) Ltd processes personal information for the following purposes:
- To provide a paid wellbeing and personal reflection companion service via the WhatsApp and Telegram messaging platforms.
- To receive user messages, generate AI-powered responses, and deliver them to the user.
- To store conversation history for contextual continuity across sessions (automatically deleted after 90 days).
- To calculate message costs, manage account balances, process payments, and execute automatic top-ups.
- To create and maintain user accounts, track onboarding progress, and manage preferences.
- To send transactional email communications (payment confirmations, support ticket responses) where an email address has been provided.
- To analyse aggregate, anonymised usage patterns for service improvement. No individual conversation content is analysed for this purpose.
- To comply with legal and regulatory obligations, respond to lawful requests, and protect the company's legal rights.
8.2 Categories of Data Subjects and Personal Information
| Categories of Data Subjects | Personal Information That May Be Processed |
|---|---|
| Registered users of the Pocket Friend service | Phone number (account identifier), nickname (user-chosen), companion persona name (user-chosen), email address (optional), conversation content (text messages, transcribed voice notes, image descriptions), account balance, transaction history, dialling code, currency preference, payment card tokens (tokenised references only — no full card numbers), onboarding status, platform preference (WhatsApp/Telegram) |
| Website portal visitors | Phone number (for OTP authentication), session tokens (temporary), support ticket submissions (name, email, subject, message) |
| Service providers and contractors | Contact names, business registration details, contract terms, banking details for payments |
8.3 Recipients of Personal Information
Personal information may be supplied to the following recipients or categories of recipients, solely for the purposes described:
| Category of Personal Information | Recipients and Purpose |
|---|---|
| Message content, conversation history | OpenAI (AI processing provider) — for generating AI responses |
| Phone number, display name, message content | Meta / WhatsApp (WhatsApp Business API) — for message delivery to WhatsApp users |
| User ID, chat ID, message content | Telegram (Telegram Bot API) — for message delivery to Telegram users |
| All stored personal data | Supabase (database hosting provider) — for data storage in the European Union |
| Data in transit during workflow processing | N8N GmbH (workflow automation, Germany) — for processing workflows |
| Payment card details (tokenised) | Paystack (SA payment processing) and Peach Payments (international payment processing) |
| Email address, email content | Resend (email delivery service) — for transactional emails |
| As required by law | South African Revenue Service, Information Regulator, law enforcement (upon lawful request only) |
8.4 Planned Transborder Flows of Personal Information
Pocket Friend (Pty) Ltd transfers personal information outside the Republic of South Africa to the following countries and for the following purposes:
| Country / Region | Recipient and Purpose | Categories of Personal Information |
|---|---|---|
| United States | OpenAI — AI processing of messages and voice Resend — Transactional email delivery Meta/WhatsApp — Message delivery infrastructure | Message content, conversation history, email addresses, phone numbers |
| European Union (Germany) | N8N GmbH — Workflow automation | Data in transit during processing |
| European Union | Supabase — Database hosting (EU region) | All stored personal data |
| United Arab Emirates | Telegram FZ-LLC — Message delivery for Telegram users | Telegram user IDs, chat IDs, message content |
These transfers are made in compliance with Section 72 of POPIA. Safeguards include: transfers to recipients bound by contractual obligations providing adequate protection (Section 72(1)(a)); informed consent obtained during onboarding (Section 72(1)(b)); and transfers necessary for the performance of the service contracted by the user (Section 72(1)(c)).
8.5 Information Security Measures
Pocket Friend (Pty) Ltd implements the following security measures to ensure the confidentiality, integrity, and availability of personal information:
- Encryption in transit: All data transmitted between users, our systems, and third-party processors is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: Database storage (Supabase) uses AES-256 encryption for data at rest.
- Access controls: Database access requires authentication with service role keys. API keys are stored securely and are not exposed in client-side code.
- Tokenised payments: Full card numbers are never stored on our systems. Payment processing uses PCI-DSS compliant tokenisation through Paystack and Peach Payments.
- Immediate media disposal: Voice recordings and images are processed in memory and discarded immediately — they are not written to persistent storage.
- Automatic data deletion: Conversation history is automatically deleted after 90 days. OTP codes and session tokens auto-expire.
- Limited access: Access to personal information is limited to authorised personnel only.
- Third-party security: All third-party processors are selected based on their security practices and certifications (SOC 2, PCI-DSS, ISO 27001 as applicable).
9. Availability of this Manual
A copy of this Manual is available:
- On the Pocket Friend website at pocketfriend.co.za/paia.html
- As a downloadable PDF from the website
- To any person upon request and upon the payment of a reasonable prescribed fee
- To the Information Regulator upon request
A fee for a copy of the Manual, as contemplated in Annexure B of the Regulations, shall be payable per each A4-size photocopy made.
10. Updating of this Manual
The Information Officer of Pocket Friend (Pty) Ltd will on a regular basis review and update this Manual to ensure accuracy and compliance with applicable legislation.
How to request access to records: To request access to any records held by Pocket Friend (Pty) Ltd, please complete the prescribed Form 2 (Request for Access to Record) as set out in the PAIA Regulations, and submit it to the Information Officer at support@pocketfriend.co.za. The Information Officer will respond within 30 days of receiving the request. Form 2 is available from the Information Regulator's website at inforegulator.org.za/paia.
Issued by: The Information Officer, Pocket Friend (Pty) Ltd
Date of issue: 22 March 2026
Place: Robertson, Western Cape, South Africa