Skip to main content
Vol. 01 Annexure B
Kultiflo
  • § IIPlatform
  • § IIIFeatures
  • § IVHow it works
  • § VWho it's for
  • Book walkthrough →
Annexure B — Personal information, accounted for —

Privacy &
POPIA Policy.

Effective date 11 June 2026 Version 1.0 Law POPIA — Act 4 of 2013

Contents

  1. What this policy covers
  2. Who is responsible for your information
  3. What we collect
  4. Why we process it
  5. Consent at registration
  6. Marketing communications
  7. Who we share it with
  8. Where it is stored
  9. How it is secured
  10. How long we keep it
  11. Your rights under POPIA
  12. This website
  13. No one under 18
  14. Changes to this policy
  15. Information Officer & contact

What this policy covers.

This policy explains how personal information is collected, used, shared, stored, and protected on the Kultiflo platform — the Admin Portal, Point of Share, Farmer Hub, and Front Desk applications — and on this website, kultiflo.com. It is written to meet the requirements of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

When you register at a club, you are asked for four consents: the Terms & Conditions, this Privacy Policy, data processing, and (optionally) marketing communications. The data-processing consent is described in the dedicated Data Processing Notice and the marketing consent in the Marketing Consent Notice; this policy is the full account both of them rest on.

Who is responsible for your information.

Your club is the responsible party for the personal information it collects about its members and day-pass visitors. The club decides who to admit, what it needs from you, and how long it keeps your membership records.

Kultiflo is the operator — we process that information on the club's behalf, on its instructions, under a written agreement, and only for the purposes described in this policy. POPIA requires an operator to process personal information with the responsible party's authorisation and to secure it; that is the role we hold for member data.

Kultiflo acts as the responsible party in its own right for the account information of club staff and farmers who hold platform accounts, and for any information you send us directly — for example, by emailing hello@kultiflo.com.

What we collect.

Members and day-pass visitors

  • Identity — first name, surname, and your South African identity number or passport number. Your date of birth is read from your SA identity number to verify that you are 18 or older.
  • Identity documents — a photograph of your identity document, a profile photograph, and your digital signature, captured during registration or day-pass sign-in.
  • Contact details — email address and phone number.
  • Membership records — your club, membership number, role (member or day pass), application status, joining date, validity dates, and for day passes the name of the member accompanying you.
  • Sharing transactions — what was shared with you at the Point of Share, when, the amounts involved, and the payment method, kept as part of the club's transaction and audit record.

Club staff and farmers

  • Account details — name, surname, email, phone number, identity number, profile photograph, role, and approval status.
  • Farmer details — cultivation licence number, years of experience, and the location (coordinates and place name) of the growing operation, used for consignment and settlement records.
  • Settlement records — consignments, stock sold, amounts paid and outstanding.

Device and technical data

  • Push notification tokens — so the apps can deliver notifications to your device.
  • Crash diagnostics — anonymous-by-default crash reports (via Firebase Crashlytics) that help us fix faults in the apps.

We do not collect biometric templates (no fingerprint or face data is stored by the platform), and we do not track your location as a member — location data exists only where a farmer registers a growing operation or a club records its address.

Why we process it.

Personal information on the platform is processed for these purposes, each resting on a lawful basis under POPIA:

  • Age and identity verification — confirming you are 18 or older and that your identity document matches your registration. Basis: legal obligation and the club's legitimate interest in lawful operation.
  • Membership administration — maintaining the club's membership register, approvals, renewals, day passes, and check-ins. Basis: performance of your membership agreement with the club, and consent.
  • Sharing and settlement records — recording transactions at the Point of Share, reconciling cash-ups, and settling farmers, with a tamper-evident audit trail. Basis: contract, legal obligation (financial and tax records), and legitimate interest.
  • Operational communication — service messages about your membership, such as approval or expiry notices. Basis: performance of the membership agreement.
  • Marketing communication — only if you opted in; see § 6. Basis: consent, which you may withdraw at any time.
  • Security and fault-fixing — protecting accounts, investigating misuse, and diagnosing crashes. Basis: legitimate interest.

We do not use personal information for any purpose beyond these. In particular: we never sell it, never use it for third-party advertising, and never train AI models on it.

Consent at registration.

Before a club registers you as a member or issues you a day pass, four consents are recorded against your profile, each linked to the document you agreed to:

  • Terms & Conditions — the platform terms.
  • Privacy Policy — this document.
  • Data processing — the Data Processing Notice, which summarises § 3–§ 10 of this document.
  • Marketing and communication — optional; the Marketing Consent Notice, summarised in § 6.

The first three are required to register, because the platform cannot maintain a lawful membership register without them. Marketing consent is voluntary and registration does not depend on it. You may withdraw any consent by contacting your club or emailing hello@kultiflo.com; withdrawing the consents the membership register depends on may mean your club can no longer maintain your membership.

Marketing communications.

If — and only if — you ticked the marketing consent at registration, your club may send you news and offers about the club: events, new products available for sharing, and membership notices. These may reach you by push notification through the apps, or by email or message from your club using the contact details you provided.

You can opt out at any time by telling your club's front desk, or by emailing hello@kultiflo.com, and the marketing flag on your profile will be turned off. Opting out never affects your membership or the service messages your membership requires.

Who we share it with.

Your information is shared only with the service providers (operators under POPIA) the platform needs to run:

  • Google Cloud / Firebase — authentication, database, file storage (identity photographs and signatures), push notifications, crash reporting, and configuration. This is the infrastructure the entire platform runs on.
  • Algolia — product search indexing, so club catalogues are searchable. Member identity records are not part of the search index.
  • Google Maps — location services for club and farm locations.
  • Peach Payments — processes club subscription billing. Your in-club payments (cash or card at the Point of Share) are processed by your club, not by Kultiflo; we record the transaction, not your card details.

Beyond these operators, personal information leaves the platform only when the law compels it — a court order, or a lawful demand by a public authority — or with your consent. One club's data is never shared with another club; that isolation is enforced at three independent layers, described on our Security page.

Where it is stored.

The platform's data is stored on Google Cloud infrastructure. Google Cloud data centres may be located outside South Africa; where personal information is transferred across borders, it remains protected as POPIA section 72 requires — Google Cloud is contractually bound to safeguards (including its data-processing terms and certifications such as ISO 27001 and ISO 27018) that uphold a standard of protection substantially similar to POPIA.

How it is secured.

In summary: every connection is encrypted in transit with TLS 1.2+, all stored data is encrypted at rest with AES-256, every request is verified by Firebase App Check, access is gated by role, sensitive actions are written to an audit trail, and each club's data is isolated from every other club's at three independent layers.

The full account of how the platform protects member data is published on our Security page. If we ever have reason to believe personal information has been accessed by an unauthorised person, we will notify the Information Regulator and the affected data subjects as POPIA section 22 requires.

How long we keep it.

Membership records are kept for as long as your membership with the club is active, and thereafter only as long as the club needs them to meet its legal obligations. Transaction, settlement, and financial records are retained for the periods South African law prescribes for accounting and tax records, even after a membership ends.

When records are no longer required, they are deleted or de-identified. You may request deletion at any time under § 11 — we will honour it except where a law requires the record to be retained, and in that case we will tell you which law and for how long.

Your rights under POPIA.

As a data subject you have the right to:

  • Access — ask whether we hold personal information about you, and request a copy of it (also under the Promotion of Access to Information Act 2 of 2000).
  • Correction — have inaccurate or outdated information corrected.
  • Deletion — have your information deleted or destroyed, subject to legal retention duties.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — including marketing consent, at any time.
  • Complain — lodge a complaint with the Information Regulator if you believe your information has been mishandled.

To exercise any of these rights, contact your club's front desk or email hello@kultiflo.com. We respond to data-subject requests within a reasonable time and never charge for a first request for access to your own information.

The Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Enquiries: enquiries@inforegulator.org.za
Complaints: POPIAComplaints@inforegulator.org.za
inforegulator.org.za

This website.

kultiflo.com collects nothing about you. There are no analytics, no tracking pixels, no advertising tags, no cookies set by us, and no forms — the only way to contact us from this site is email. Standard web-server logs exist at our hosting provider (Google) for security and operational purposes only.

No one under 18.

The platform is strictly for adults. Registration verifies age against your identity document, and anyone under 18 is refused. We do not knowingly process the personal information of children; if you believe a child's information has been captured, contact us immediately and it will be removed.

Changes to this policy.

We may revise this policy from time to time. The current version, with its effective date, is always published at kultiflo.com/privacy. If a change materially affects how your personal information is processed, clubs will be notified so that members are informed before the change takes effect.

Information Officer & contact.

Questions about this policy, and all data-subject requests, go to Kultiflo's Information Officer:

Information Officer — Kultiflo
Pretoria, South Africa
hello@kultiflo.com
Kultiflo

Kultiflo is built in South Africa for South African cannabis clubs and agricultural cooperatives. Compliance software with one seed-to-share audit trail.

Platform

  • Admin Portal
  • Point of Share
  • Farmer Hub
  • Front Desk

Features

  • Member onboarding
  • Seed-to-share
  • Atomic POS
  • Settlement ledger

Colophon

  • Terms
  • Privacy · POPIA
  • Data processing
  • Marketing consent
  • Security
  • hello@kultiflo.com
© 2026 Kultiflo · All rights reserved Privacy by architecture · Built in Pretoria Vol. 01 · South Africa