PAIA Manual

This manual is published in terms of Section 51 of the Promotion of Access to Information Act, 2 of 2000 (PAIA). It describes the records held by Sinneo Financial Technologies (Pty) Ltd, operating the Sorae platform, and explains how any person may request access to those records.

Section 51 — Promotion of Access to Information Act 2 of 2000

1 Company Details

The following details identify the private body responsible for this manual and to whom all PAIA-related correspondence should be addressed.

| Field | Detail |
| --- | --- |
| Legal entity name | Sinneo Financial Technologies (Pty) Ltd |
| Trading name / Platform | Sorae |
| Parent group | Sinneo Group |
| Company registration no. | [Registration number — to be inserted] |
| Physical address | [Street address, City, Province, Postal code] |
| Postal address | [PO Box / PostNet Suite, City, Postal code] |
| Telephone | [+27 XX XXX XXXX] |
| General email | hello@sorae.co.za |
| Website | https://sorae.co.za |

Placeholder fields marked with square brackets must be completed with the company's registered details before this manual is published. No manual may be submitted to the Information Regulator with outstanding placeholders.

2 Information Officer

In terms of section 1 of PAIA, as amended by POPIA, the head of a private body is deemed to be the Information Officer. The Information Officer may delegate responsibilities to a Deputy Information Officer in terms of section 17 of POPIA.

Designated Information Officer

| Field | Detail |
| --- | --- |
| Full name | [Full name of Information Officer] |
| Designation / Title | [e.g., Chief Executive Officer] |
| Email address | paia@sorae.co.za |
| Telephone | [+27 XX XXX XXXX] |
| Postal address | [Same as company postal address above] |

Responsibilities of the Information Officer

The Information Officer is responsible for encouraging compliance with PAIA within the company, dealing with requests for access to records, working with the Information Regulator in relation to investigations, and ensuring that the company's PAIA Manual is updated and available as required by law.

The Information Officer has been registered with the Information Regulator of South Africa as required by section 55 of POPIA. The Information Regulator may be contacted at: www.inforegulator.org.za · JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 · inforeg@justice.gov.za

3 Guide to Records Held

Sinneo Financial Technologies (Pty) Ltd holds records across several categories. The tables below describe each category, the purpose for which those records are maintained, and the legal basis for retention.

3.1 Corporate & Statutory Records

| Record type | Description | Retention basis |
| --- | --- | --- |
| Memorandum of Incorporation | Constitutional documents of the company | Companies Act 71 of 2008 |
| Share register | Register of shareholders and issued shares | Companies Act 71 of 2008 |
| Minutes & resolutions | Board and shareholder meeting records | Companies Act 71 of 2008 |
| Annual financial statements | Audited / reviewed financials | Companies Act; SARS requirements |
| CIPC filings | Annual returns, director changes, registered address | Companies Act 71 of 2008 |

3.2 Employee & HR Records

| Record type | Description | Retention basis |
| --- | --- | --- |
| Employment contracts | Signed agreements with all employees | Basic Conditions of Employment Act |
| Payroll records | Salary, tax, and UIF information | SARS; POPIA |
| Leave records | Annual, sick, and family responsibility leave | Basic Conditions of Employment Act |
| Performance records | Reviews, PIPs, and appraisals | Internal policy |
| Disciplinary records | Warnings, hearings, and outcomes | Labour Relations Act 66 of 1995 |

3.3 Financial & Tax Records

| Record type | Description | Retention basis |
| --- | --- | --- |
| VAT returns & records | Input/output VAT schedules | Value-Added Tax Act 89 of 1991 |
| Income tax records | Provisional and annual tax returns | Income Tax Act 58 of 1962 |
| Invoice & billing records | Client invoices and payment records | SARS; POPIA |
| Banking records | Bank statements and transaction records | Internal policy; SARS |
| Client contracts | API subscription and SLA agreements | Internal policy |

3.4 Operational & Technical Records

| Record type | Description | Retention basis |
| --- | --- | --- |
| API usage logs | Metadata logs of API calls (no statement content) | Internal policy; POPIA |
| Account & authentication records | Client account credentials, API keys (hashed) | POPIA; security policy |
| Support correspondence | Emails and tickets from clients or users | POPIA; internal policy |
| System audit logs | Security and access audit trails | Information security policy |
| Agreements with data processors | DPAs and vendor contracts | POPIA; internal policy |

Zero Data Retention — Bank Statement Content: Sorae operates a strict zero-retention policy with respect to bank statement content. Raw statement data submitted via the API is processed entirely in-memory and is never written to disk, logged, or stored. No bank statement content forms part of any records held by the company. This policy is a core technical and contractual commitment.

4 How to Request Access

Any person wishing to request access to a record held by Sinneo Financial Technologies (Pty) Ltd must follow the procedure set out below. Requests must comply with section 53 of PAIA.

4.1 Prescribed Form

Requests for access to records must be made using Form C as prescribed by the South African Human Rights Commission (SAHRC) in terms of section 53(1) of PAIA. Form C is available from the SAHRC website at www.sahrc.org.za and may also be requested directly from our Information Officer.

4.2 Contents of the Request

In terms of section 53(2) of PAIA, a request must include the following:

  • Full name, address, and contact details of the requester
  • If the requester is acting on behalf of another person, the capacity in which the requester is acting and the name and contact details of the person on whose behalf the request is made
  • A description of the record or records to which access is sought, sufficient to enable the Information Officer to identify the record
  • The form of access required (e.g., paper copy, electronic copy, inspection in person)
  • The right the requester wishes to exercise or protect and an explanation of why the record is required for that purpose
  • Confirmation that the requester is not subject to a prohibition under section 54 of PAIA
  • If applicable, proof of identity of the requester

4.3 Where to Submit the Request

Completed requests must be submitted to the Information Officer by one of the following methods:

| Method | Address / Contact |
| --- | --- |
| Email (preferred) | paia@sorae.co.za |
| Post | [Postal address of the company, as listed in Section 1] |
| Hand delivery | [Physical address of the company, as listed in Section 1] |

4.4 Request Fee

A requester who seeks access to a record containing personal information about themselves is not required to pay a request fee. All other requesters must pay a request fee of R50.00 (or such other amount as prescribed by regulation from time to time) before the request will be processed. The Information Officer will notify the requester of the applicable fee and provide payment details.

A requester who is unable to pay the request fee due to financial hardship may apply to have the fee waived. The requester must provide written motivation, and the Information Officer will consider the application at their discretion in accordance with section 54(8) of PAIA.

5 Timelines & Fees

The timelines and fees set out below are prescribed by PAIA and the regulations made thereunder. Sinneo Financial Technologies (Pty) Ltd is obligated to adhere to these timelines unless a specific ground for extension applies.

5.1 Response Timelines

| Event | Timeline |
| --- | --- |
| Decision on request | Within 30 days of receiving the request (s.56(1)) |
| Extension where third-party notification required | Up to 30 additional days (s.57(1)) |
| Extension where request is large or complex | Up to 30 additional days (s.57(2)) |
| Notification of decision to requester | Immediately upon decision (s.56(3)) |
| Deemed refusal if no decision communicated | After 30-day period lapses (s.58) |

5.2 Fee Schedule

Access fees are those prescribed under the PAIA Regulations (as published in Government Notice R187 of 2002 and subsequently amended). The current fee schedule is summarised below. All fees are inclusive of VAT.

| Fee type | Amount |
| --- | --- |
| Request fee (non-personal records) | R50.00 |
| Reproduction — photocopy per A4 page | R1.10 per page |
| Reproduction — printed A4 page | R0.75 per page |
| Reproduction — electronic (CD/USB) | R70.00 per disc / drive |
| Transcription of visual image per A4 page | R40.00 |
| Search and preparation (per hour after first hour) | R30.00 per hour |
| Inspection of records (per hour) | R30.00 per hour |
| Personal information — own records | No fee payable |

Fees are prescribed by regulation and are subject to periodic amendment by the Minister of Justice. In the event of any discrepancy between the fees set out above and the current prescribed fees, the current prescribed fees shall prevail. Please confirm the current fee schedule with the Information Officer before submitting payment.

6 Grounds for Refusal

The Information Officer may refuse a request for access to a record on one or more of the grounds set out in Chapter 4 of PAIA (sections 63–70). Where access is refused, the requester will be notified in writing with reasons.

Grounds on which access may be refused include, among others:

  • The record contains personal information about a third party who has not consented to disclosure, and disclosure would constitute an unjustifiable infringement of that person's privacy (s.63)
  • Disclosure would reveal a commercial secret or confidential business information that could harm the competitive position of the company or a third party (s.64)
  • The record is protected by legal professional privilege (s.65)
  • The information is protected by statutory confidentiality obligations (s.66)
  • Disclosure would endanger the life, physical safety, or freedom of an individual (s.67)
  • Disclosure could reasonably be expected to prejudice the defence, security, or international relations of the Republic (s.68)
  • The record does not exist or cannot be found after all reasonable steps have been taken (s.55(3))

The Information Officer must disclose any severable portion of a record that does not itself fall within a ground for refusal, even if other portions are withheld (s.28).

7 Internal Appeal

In terms of section 74 of PAIA, a requester who is aggrieved by a decision of a private body's Information Officer may apply to a court for relief. There is no internal appeal mechanism applicable to private bodies under PAIA.

A requester who has been refused access, or who is dissatisfied with the information provided, may approach the Information Regulator for assistance or may institute proceedings in a court with jurisdiction. The requester must do so within 30 days of being notified of the decision (s.78).

Information Regulator of South Africa
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
PO Box 31533, Braamfontein, 2017
Email: inforeg@justice.gov.za · Web: www.inforegulator.org.za

8 POPIA & Privacy Policy

Sinneo Financial Technologies (Pty) Ltd processes personal information in its capacity as a responsible party under the Protection of Personal Information Act, 4 of 2013 (POPIA). The company is committed to processing personal information lawfully, in a manner that does not infringe on the privacy of data subjects.

8.1 Relationship Between PAIA and POPIA

PAIA and POPIA are complementary statutes. PAIA grants rights of access to information, while POPIA governs the conditions under which personal information may be collected, processed, and retained. Where a PAIA request concerns personal information of a third party, POPIA conditions will be applied to determine whether disclosure is permissible.

8.2 Rights of Data Subjects

Under POPIA, data subjects have the right to be notified of the collection of their personal information, to request access to their personal information, to request the correction or deletion of their personal information, to object to the processing of their personal information, and to lodge a complaint with the Information Regulator. These rights may be exercised by contacting the Information Officer at paia@sorae.co.za.

8.3 Privacy Policy

The company's full Privacy Policy, which sets out in detail how personal information is collected, used, shared, and protected in the context of the Sorae platform, is published at sorae.co.za/privacy. The Privacy Policy should be read alongside this PAIA Manual.

Sorae operates a zero data retention model in respect of bank statement content. No statement data submitted via the API is stored, logged, or retained in any form. This design makes POPIA compliance structurally embedded in the product rather than dependent on policy alone.

9 Availability of Manual

In terms of section 51(3) of PAIA, this manual must be made available in the prescribed manner. Sinneo Financial Technologies (Pty) Ltd makes this manual available as follows:

  • Published on the company website at sorae.co.za/paia, free of charge
  • Available in printed form upon written request to the Information Officer — a reproduction fee of R0.75 per A4 page applies
  • Submitted to the South African Human Rights Commission (SAHRC) in terms of s.51(3)
  • Updated as required whenever there are material changes to the records held or the applicable legal framework

A copy of this manual will also be made available at the company's registered physical address during normal business hours, upon reasonable request to the Information Officer.

This manual was compiled with reference to the Promotion of Access to Information Act 2 of 2000, the PAIA Regulations (GN R187 of 2002), the Protection of Personal Information Act 4 of 2013, and the SAHRC's guide on PAIA compliance for private bodies. It should not be construed as legal advice. Sinneo Financial Technologies (Pty) Ltd recommends that any person with a specific access request obtain independent legal advice where necessary.
© 2026 Sinneo Financial Technologies (Pty) Ltd · All rights reserved