
POPIA compliance for cleaning companies: what you actually need to know

Lymra Team·4 min read·8 April 2026

If you run a cleaning company in South Africa, you're almost certainly collecting personal information — and that means the Protection of Personal Information Act (POPIA) applies to you. Most cleaning companies don't think of themselves as data processors, but they are. Here's what you need to know.

What data do cleaning companies actually hold?

More than you might expect:

  • Employee personal details — names, ID numbers, contact information, bank details for payroll, home addresses, next-of-kin
  • Client contact information — property manager names, emails, phone numbers
  • Site access credentials — gate codes, alarm codes, key safe combinations, access card details
  • Operational records — who was at which site, when, for how long
  • CCTV footage — many buildings have cameras that record your cleaners at work
  • Health information — if you collect medical certificates or manage occupational health records
  • Photos and evidence — if you use any kind of proof-of-service system, you're storing images that may contain identifiable information

Every one of these categories falls under POPIA.

What POPIA requires of you

POPIA isn't as complicated as it sounds. At its core, it requires eight things:

  1. Lawful basis — You need a legal reason to collect each piece of information. For employees, it's typically the employment contract. For clients, it's the service agreement. For operational data, it's your legitimate business interest.

  2. Purpose limitation — You can only use personal information for the purpose you collected it for. Employee bank details are for payroll, not marketing.

  3. Consent where required — For anything that isn't covered by a contract or legitimate interest, you need explicit consent. This includes things like using a cleaner's photo on your website.

  4. Data minimisation — Only collect what you actually need. If you don't need a cleaner's home address, don't ask for it.

  5. Retention limits — Don't keep data forever. Set a retention policy. Employee records: duration of employment plus five years (as required by BCEA). Client records: duration of contract plus a reasonable period. Evidence photos: 12 months is a sensible default.

  6. Security — Take reasonable steps to protect the data you hold. This means secure storage, access controls, and not leaving paper records unsecured.

  7. Breach notification — If personal data is compromised, you must notify the Information Regulator and affected individuals as soon as reasonably possible.

  8. Data subject rights — Anyone whose data you hold has the right to access it, correct it, and in some cases request its deletion.

Employee data deserves special attention

Your cleaners' data is particularly sensitive. You hold their ID numbers, bank details, and in many cases their real-time location data (if you track site attendance). POPIA requires you to:

  • Inform employees what data you collect and why (a clear privacy notice in the employment contract)
  • Store their data securely — not in an unlocked filing cabinet or a shared WhatsApp group
  • Limit access to their data to those who need it (payroll staff, direct supervisors)
  • Delete their data within a reasonable period after employment ends

If you use GPS tracking or photo evidence systems, make sure your employees know about it and understand what data is being collected. Transparency isn't just a legal requirement — it builds trust.

Where Lymra fits

Lymra is designed with POPIA in mind. All client data is encrypted in transit and at rest. Access is role-based — cleaners see only their own jobs, supervisors see their teams, and owners see everything. Evidence photos are stored securely and are never publicly accessible.

Clients can export all their data at any time from account settings. When an account is closed, data is retained for 90 days (to allow for reactivation) and then permanently deleted.

We don't sell personal information. We don't use it for advertising. We don't share it with third parties except for essential infrastructure (cloud hosting, payment processing via Stripe).

If you have questions about how Lymra handles personal information, email privacy@lymra.co.za.
