Section 51 Manual

Prepared By: SkyL4rk (Pty) Ltd | Date: June 2025 | Version: 1.1

Prepared in accordance with Section 51 of the Promotion of Access to Information Act 2 of 2000 ("PAIA")

  Purpose of this Manual: PAIA gives every person the right to access information held by a private body where that information is required for the exercise or protection of a right. This manual describes who we are, what records we hold, how to request access to those records, and the grounds on which access may be refused. If you are seeking access to your own personal information held by SkyL4rk, please contact our Information Officer directly before submitting a formal PAIA request — many requests can be resolved more quickly through direct engagement.

1. Company Details

Detail	Information
Registered Name	SkyL4rk (Pty) Ltd
Registration Number	2018/043553/07
Trading Name(s)	SkyL4rk; xCrypt; Verilink; TermsCon; SkyVault; SkyDome; Matchy
Nature of Business	Software-as-a-Service (SaaS), API infrastructure, digital licensing, identity verification, and payment technology
Physical Address	Ballito, KwaZulu-Natal, South Africa
Postal Address	Ballito, KwaZulu-Natal, South Africa
Email	legal@xcrypt.co.za
Website	skyl4rk.co.za
Country of Incorporation	Republic of South Africa

2. Information Officer

As required by Section 51(1)(a) of PAIA and Section 1 of POPIA, every private body must designate an Information Officer responsible for encouraging compliance with PAIA and POPIA, handling access requests, and acting as the primary point of contact for data subjects.

Detail	Information
Name	Michael Beuster
Title	Information Officer
Email	legal@xcrypt.co.za
Postal Address	SkyL4rk (Pty) Ltd, Ballito, KwaZulu-Natal, South Africa
Regulator Registration	The Information Officer is registered with the Information Regulator of South Africa as required under POPIA

In the absence of the Information Officer, requests may be directed to legal@xcrypt.co.za and will be attended to by a designated deputy.

3. Applicable Legislation

SkyL4rk's operations are subject to the following legislation that governs the records it holds and its obligations to data subjects:

Legislation	Relevance to SkyL4rk
Promotion of Access to Information Act 2 of 2000 (PAIA)	Governs access to records held by SkyL4rk as a private body; the basis for this Manual
Protection of Personal Information Act 4 of 2013 (POPIA)	Governs the collection, processing, storage, and deletion of personal information by SkyL4rk as a responsible party
Companies Act 71 of 2008	Governs company registration, governance records, and director obligations
Tax Administration Act 28 of 2011	Governs tax records, financial records, and obligations to SARS
Value Added Tax Act 89 of 1991	Governs VAT registration, invoicing, and record-keeping obligations
Electronic Communications and Transactions Act 25 of 2002 (ECTA)	Governs electronic contracts, e-commerce, and digital records
Financial Intelligence Centre Act 38 of 2001 (FICA)	Governs AML/KYC obligations applicable to certain SkyL4rk services (particularly Verilink)
Basic Conditions of Employment Act 75 of 1997	Governs employment records for SkyL4rk staff
Labour Relations Act 66 of 1995	Governs employment and contractor relationships
General Data Protection Regulation (EU) 2016/679 (GDPR)	Applicable to processing of personal data of EU/EEA individuals through SkyL4rk platforms
UK General Data Protection Regulation (UK GDPR)	Applicable to processing of UK individuals' data through SkyL4rk UK Ltd operations

4. Categories of Records Held

As required by Section 51(1)(c) of PAIA, this section describes the categories of records held by SkyL4rk.

4.1 Corporate and Governance Records

Certificate of incorporation and memorandum of incorporation (MOI)
CIPC registration documents and company registration number
Director and officer details and resolutions
Share register and ownership records
Registered office and contact details
PAIA Manual (this document) and associated compliance records
POPIA Information Officer registration records

4.2 Financial and Billing Records

Annual financial statements and management accounts
Tax registration certificates (income tax, VAT)
Tax returns filed with SARS
Client invoices and payment records
Merchant subscription and billing history
Bank account records and transaction histories
Expense records and supplier invoices
Payroll records

4.3 Client and Merchant Records

Merchant account profiles (name, contact details, company details)
Signed or accepted terms and conditions
Data Processing Agreement acceptance records
API key assignment and management records
Subscription plan and billing tier records
Support correspondence and ticket histories

4.4 Sub-Client and License Records

Sub-client registration records (name, email, client ID, parent merchant)
License key records (hashed key, issuance date, expiry, status)
License activation and validation event logs
License revocation records and reasons
API usage logs (endpoint, timestamp, response code, client IDs)
Webhook delivery logs (event type, delivery status, timestamp)

4.5 Identity Verification Records (Verilink)

Identity document type and number (passport, national ID, driver's licence)
Biometric verification records and liveness scores (retained only as required by FICA/KYC regulations)
MRZ scan data
AML screening results and manual sign-off records
KYC verification outcomes and timestamps

4.6 Employment and Human Resources Records

Employment contracts and contractor agreements
Personal details of employees and contractors
Leave records, performance records
Payslips and remuneration records
Confidentiality and NDA agreements signed by personnel

4.7 Security and Compliance Records

Security incident register and post-incident reports
Access control logs and authentication event logs
Data breach notification records
Internal policy documents (Information Security Policy, Data Retention Policy, etc.)
Sub-processor agreements and vendor contracts
Data Protection Impact Assessment (DPIA) records

4.8 Legal and Contractual Records

Terms and Conditions (published and historical versions)
Privacy Policy (published and historical versions)
Data Processing Agreements with clients and sub-processors
Non-disclosure agreements
Correspondence with regulatory bodies
Legal opinions and correspondence (subject to legal privilege)

4.9 Communications Records

Email correspondence with clients, merchants, and third parties
Support ticket histories
Contact form submissions from the website
Marketing communications and consent records

5. Purposes for Which Records Are Used

As required by Section 51(1)(d) of PAIA.

Category of Record	Purpose(s)
Corporate and governance records	Company compliance; directorial obligations; CIPC filings
Financial records	Tax compliance; financial management; audit; billing clients
Client and merchant records	Service delivery; account management; billing; contractual obligations
Sub-client and license records	License management; API service delivery; usage monitoring; overage billing
Identity verification records	KYC/AML compliance; fraud prevention; regulatory obligations under FICA
Employment records	HR management; payroll; legal compliance; BCEA and LRA obligations
Security records	Incident response; breach notification; compliance auditing; vulnerability management
Legal records	Contractual compliance; dispute resolution; regulatory correspondence

6. How to Submit a Request for Access to Records

As required by Section 51(1)(e) of PAIA. Any person wishing to access records held by SkyL4rk must follow the procedure below.

6.1 Who May Request

Any person — whether or not they are a South African citizen or resident — may submit a request for access to records held by SkyL4rk, provided the request is for the purpose of exercising or protecting a right. A requester seeking access to their own personal information under POPIA need not demonstrate a right and may contact the Information Officer directly.

6.2 Request Form

Requests must be submitted using Form C as prescribed under PAIA. Form C is available from:

The Information Regulator's website: inforegulator.org.za
On request from the Information Officer at legal@xcrypt.co.za

6.3 Required Information in the Request

Form C must include:

Full name and contact details of the requester
If requesting on behalf of a third party — the third party's details and proof of authorisation
A description of the records requested, with sufficient detail to identify them
The form in which access is preferred (e.g., inspection, copy, electronic format)
A statement of the right the requester is seeking to exercise or protect, and an explanation of why access to the record is required for that purpose
If the requester believes the information is required to prevent or remedy serious harm — a description of the harm

6.4 Where to Submit

Method	Details
Email	legal@xcrypt.co.za (preferred — attach completed Form C as PDF)
Post	Information Officer, SkyL4rk (Pty) Ltd, Ballito, KwaZulu-Natal, South Africa

6.5 Request Fees

PAIA provides for fees in connection with access requests:

Fee Type	Amount	Notes
Request fee	R50.00	Payable upfront with the request (unless requester is a personal requester seeking own information)
Access fee	As prescribed by PAIA regulations	Payable before records are provided — calculated based on reproduction cost, search time, and format
Personal information requests	No request fee	Where the requester seeks access only to their own personal information, the R50 request fee is waived
Fee waiver	At Information Officer discretion	SkyL4rk may waive fees in appropriate circumstances, particularly where the requester demonstrates financial hardship

6.6 Response Timeframes

SkyL4rk will respond to a valid PAIA request within 30 days of receipt. This period may be extended by a further 30 days in circumstances of complexity or where the records are voluminous, in which case the requester will be notified. If the request fee is not paid within 30 days of being notified, the request will be deemed abandoned.

7. Grounds for Refusal of Access

PAIA provides mandatory and discretionary grounds on which access to records may be refused. SkyL4rk will only refuse access on grounds that are lawfully available.

7.1 Mandatory Grounds for Refusal

The record contains information that, if disclosed, would constitute an offence (PAIA Section 39)
Disclosure would be in contempt of court (Section 40)
The record is protected by legal professional privilege (Section 42)
Disclosure would endanger the safety or life of an individual (Section 38)

7.2 Discretionary Grounds for Refusal

The record contains commercial information, trade secrets, or confidential financial information of a third party (Section 64)
Disclosure would cause harm to the commercial or financial interests of a third party (Section 64)
The record contains research information the premature disclosure of which would prejudice the research (Section 69)
The record relates to a third party's personal information and its disclosure is not in the public interest (Section 63)
The request is clearly frivolous or vexatious, or would substantially and unreasonably divert SkyL4rk's resources (Section 45)

7.3 Severability

Where a record contains both information that must or may be withheld and information that may be disclosed, SkyL4rk will provide access to the disclosable portion with the withheld portions redacted, provided the disclosable portion can reasonably be separated.

8. Appeal and Complaint Process

8.1 Internal Appeal

There is no internal appeal mechanism for private bodies under PAIA. If you are dissatisfied with SkyL4rk's decision on your request, you may approach the Information Regulator or a court directly.

8.2 Complaint to the Information Regulator

Any person may lodge a complaint with the Information Regulator if they believe that SkyL4rk has failed to comply with PAIA or POPIA:

Detail	Information
Organisation	Information Regulator (South Africa)
Website	inforegulator.org.za
Email (complaints)	legal@xcrypt.co.za
Email (PAIA requests)	legal@xcrypt.co.za
Physical Address	JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal Address	P.O. Box 31533, Braamfontein, Johannesburg, 2017

8.3 Court Application

A requester who has been refused access, or has not received a response within the prescribed period, may apply to the High Court for relief under PAIA Section 82.

9. Availability of This Manual

This manual is available:

Online: Published at https://xcrypt.co.za/legal/paia-manual.html
In print: Available at SkyL4rk's registered office on request
By email: A PDF copy may be requested from legal@xcrypt.co.za
Information Regulator: A copy has been submitted to the Information Regulator as required under PAIA

This manual is reviewed and updated at minimum annually, or when material changes occur to SkyL4rk's operations, record-keeping practices, or applicable legislation. The version date is recorded at the top of this document.

10. Human Rights Commission Guide

The South African Human Rights Commission ("SAHRC") is required under PAIA Section 10 to compile a guide to assist persons who wish to exercise their rights under PAIA. This guide is available from the SAHRC:

Website: www.sahrc.org.za
Email: legal@xcrypt.co.za