PAIA Manual

1. Introduction and Purpose

1.1. This manual is published in compliance with Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (PAIA), as amended.

1.2. PAIA gives effect to the constitutional right of access to information held by private bodies, as enshrined in Section 32 of the Constitution of the Republic of South Africa, 1996.

1.3. The purpose of this manual is to inform the public of the categories of records held by AutoNexus (Pty) Ltd and the procedure to follow when submitting a request for access to such records.

1.4. This manual is made available on the company's website at beta.renovatr.app/paia and has been submitted to the Information Regulator of South Africa.

2. Details of the Private Body

3. Information Officer

4. Guide on How to Use PAIA (Section 10 Guide of the Information Regulator)

4.1. The Information Regulator has compiled a guide in terms of Section 10 of PAIA to assist persons wishing to exercise their right of access to information. This guide is available from:

• Website: https://inforegulator.org.za
• Email: enquiries@inforegulator.org.za
• Telephone: 010 023 5200
• Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

5. Records Available in Terms of Other Legislation

5.1. Records are held by AutoNexus (Pty) Ltd in accordance with the following legislation, where applicable:

• Companies Act, No. 71 of 2008
• Income Tax Act, No. 58 of 1962
• Value-Added Tax Act, No. 89 of 1991
• Basic Conditions of Employment Act, No. 75 of 1997
• Employment Equity Act, No. 55 of 1998
• Electronic Communications and Transactions Act, No. 25 of 2002
• Protection of Personal Information Act, No. 4 of 2013 (POPIA)
• Consumer Protection Act, No. 68 of 2008
• Promotion of Access to Information Act, No. 2 of 2000 (PAIA)

6. Categories of Records Held

6.1. The following categories describe the records held by AutoNexus (Pty) Ltd. The inclusion of a category does not imply that access will be granted to all records in that category. Each request will be assessed on its merits.

6.1. Company Records

• Company registration documents (CIPC)
• Memorandum of Incorporation
• Director and member records
• Minutes of meetings
• Shareholder records

6.2. Financial Records

• Annual financial statements
• Accounting records and general ledger
• Banking records and statements
• Tax returns and SARS correspondence
• VAT records
• Invoices and receipts (issued and received)
• Subscription and payment records

6.3. Employment and Human Resources Records

• Employment contracts
• Payroll records
• Leave records
• Disciplinary records
• UIF documentation
• PAYE records

6.4. User Account Records

Records of individuals who register and use the Renovatr platform:

• Full name and email address (provided at registration via authentication provider)
• Subscription plan and payment references
• Account activity timestamps (login, record creation/modification)
• Company profile information (company name, contact details, physical address, logo) — voluntarily provided by users

6.5. Project Management Records

Records created by users of the Renovatr platform in the course of managing their interior design projects:

• Project records: Project name, description, address, status, financial parameters (design fee rate, currency, VAT rate)
• Client records: Client name, email address, phone number, physical address (encrypted at rest)
• Deliverable records: Task and item descriptions, costs, commission rates, status, due dates, assigned subcontractors, revision history
• Subcontractor and supplier records: Business name, contact person, email, phone number (encrypted at rest)
• Invoice records: Invoice numbers, amounts, dates, payment status
• Snag/issue records: Issue descriptions, priority, status, assigned parties
• Photo and file attachments: Images, documents, and other files uploaded in connection with projects

6.6. Audit and Security Records

• Audit logs (user actions within the platform — record creation, modification, deletion)
• API key records (hashed keys, usage logs)
• Access permission records (user sharing and collaboration permissions)
• Client portal access records (access counts, last accessed timestamps)

6.7. Technical and Operational Records

• Server and application logs
• IP addresses and browser information (captured by infrastructure)
• Error and incident reports
• Backup records

6.8. Correspondence

• Customer support communications
• Business correspondence with service providers
• Legal correspondence

7. Records Available Without a Request

7.1. The following records are publicly available on the Renovatr website and do not require a formal PAIA request:

• Privacy Policy — beta.renovatr.app/privacy
• Terms of Service — beta.renovatr.app/terms
• This PAIA Manual

8. Processing of Personal Information

8.1. In accordance with Section 51(1)(c) of PAIA, as inserted by the Protection of Personal Information Act (POPIA), the following information is provided regarding the processing of personal information by AutoNexus (Pty) Ltd:

8.1. Purpose of Processing

Personal information is processed for the following purposes:

• Providing and maintaining the Renovatr platform and its services
• User account registration and authentication
• Processing subscription payments
• Communicating with users about their accounts and the Service
• Improving and developing the platform
• Ensuring security and preventing fraud
• Complying with legal obligations

8.2. Categories of Data Subjects

• Registered users — interior designers and design professionals who create accounts on the platform
• Clients — individuals or entities whose information is entered by users in connection with design projects
• Subcontractors and suppliers — individuals or entities whose information is entered by users
• Shared users — individuals granted access to projects by the project owner
• Portal visitors — individuals who access client-facing progress portals via shared links
• Website visitors — individuals who visit the Renovatr website

8.3. Recipients of Personal Information

Personal information may be shared with:

• Cloud infrastructure providers — for hosting and data storage
• Authentication provider (Auth0) — for secure login and identity management
• File storage providers — for uploaded photos and documents
• Legal authorities — when required by law

8.4. Cross-Border Transfers

Some service providers used by AutoNexus may process data outside the Republic of South Africa. Where this occurs, AutoNexus ensures that adequate safeguards are in place as required by Section 72 of POPIA.

8.5. Security Measures

AutoNexus implements appropriate technical and organisational measures to protect personal information, including:

• AES-256-GCM encryption of sensitive personal information at rest (client details, subcontractor contacts, company profiles)
• HMAC integrity verification on permission records to prevent tampering
• SHA-256 hashing of API keys and portal tokens
• Encryption of data in transit (HTTPS/TLS)
• Role-based access controls and granular permissions
• Audit logging of user actions

9. How to Request Access to Records

9.1. A request for access to records must be made on the prescribed Form C (for private bodies), as set out in Annexure B of the Regulations Relating to the Promotion of Access to Information (GN R187 in GG 23119 of 15 February 2002, as amended).

9.2. The completed Form C must be submitted to the Information Officer:

• By email: autonexusbusiness@gmail.com

9.3. The request must include:

• Sufficient detail to enable the Information Officer to identify the record(s) requested
• The form of access required (e.g., inspection, copy, electronic format)
• The requester's full name, contact details, and postal address
• If the request is made on behalf of another person, proof of authorisation
• An indication of which right the requester is seeking to exercise or protect, and an explanation of why the record is required for the exercise or protection of that right

10. Fees

10.1. The following fees may apply, as prescribed by the Regulations:

• Request fee: A non-refundable fee is payable on submission of the request (currently R50.00, or as prescribed)
• Access fee: An additional fee may be payable for search, reproduction, and preparation of the record, as determined by the prescribed fee schedule

10.2. The Information Officer will notify the requester of any applicable fees before processing the request. A deposit may be required if the search for and preparation of the record will take more than six hours.

10.3. The prescribed fee schedule is available from the Information Regulator's website.

11. Decision and Timeframes

11.1. The Information Officer will process the request and notify the requester of the decision within 30 days of receipt of a valid, complete request.

11.2. This period may be extended by a further 30 days if:

• The request is for a large number of records or requires a search through a large volume of information
• Consultation with a third party or another private body is required

11.3. If the request is refused, the Information Officer will provide adequate reasons for the refusal and inform the requester of their right to lodge a complaint with the Information Regulator or apply to a court for relief.

12. Grounds for Refusal of Access

12.1. Access to records may be refused on the following grounds, as set out in Chapter 4 of PAIA:

• Protection of personal information of a third party (Section 63) — where disclosure would involve the unreasonable disclosure of another person's personal information
• Protection of commercial information of a third party (Section 64) — trade secrets, financial, commercial, or technical information that could cause harm if disclosed
• Protection of confidential information of a third party (Section 65) — information provided in confidence
• Protection of safety of individuals and property (Section 66)
• Mandatory protection of records privileged from production in legal proceedings (Section 67) — attorney-client privilege and litigation privilege
• Commercial information of the private body (Section 68) — trade secrets or information that would put the private body at a disadvantage in negotiations or prejudice its commercial interests
• Protection of research information of a third party and of the private body (Section 69)
• Records that cannot or do not exist (Section 70)

12.2. Despite the above, access must be granted if the disclosure would reveal evidence of a substantial contravention of, or failure to comply with, the law, or an imminent and serious public safety or environmental risk, and the public interest in disclosure clearly outweighs the harm (Section 70).

13. Remedies Available if a Request is Refused

13.1. If a request for access is refused, the requester may:

• Lodge a complaint with the Information Regulator:
  • Website: https://inforegulator.org.za
  • Email: complaints.BI@inforegulator.org.za
  • Telephone: 010 023 5200
• Apply to a court for appropriate relief within 180 days of notification of the decision

14. Availability of This Manual

14.1. This manual is available:

• On the Renovatr website at beta.renovatr.app/paia
• From the Information Officer on request at autonexusbusiness@gmail.com
• At the offices of the Information Regulator

15. Updates to This Manual

15.1. AutoNexus (Pty) Ltd reserves the right to amend this manual from time to time as required by law or changes in business operations.

15.2. The most current version will always be available on the Renovatr website.