What we know, what we keep, and why.

This policy is published by Thought Into Reality (Pty) Ltd, a company registered in the Republic of South Africa with the Companies and Intellectual Property Commission (CIPC), trading as Hustla. Hustla is a verification publisher and platform operating in South Africa, with technical operations supported by our parent company, iDeployed UG (haftungsbeschränkt), based in Leipzig, Germany.

When this policy refers to "we", "us" or "Hustla", it refers to Thought Into Reality (Pty) Ltd in its capacity as the responsible party under the Protection of Personal Information Act, 2013 ("POPIA"). iDeployed UG acts as an operator on our behalf for hosting, security and engineering services, and is bound to us by a written processing agreement.

We collect only what is needed to verify a worker, match them with an employer, and keep a defensible record of the relationship. The categories below are exhaustive — if a category is not listed here, we do not collect it.

We do not collect biometric data beyond the profile photograph required for ID matching, and we do not collect special personal information about religion, political opinion, sexual orientation or health under any circumstances.

Every piece of information we hold corresponds to a specific, lawful purpose under section 11 of POPIA. We collect personal information for one or more of the following reasons:

A worker's verified file is held by the worker. We act as a custodian: we issue it, we store the canonical copy, and we present it to an employer only when the worker explicitly grants access for a specific hiring engagement.

Employers see a worker's name, photograph, work category, languages, verified-by-Hustla badge, and the date their last check cleared. They do not see the underlying check documents unless the worker chooses to share them, and even then access is logged, time-limited, and revocable.

We use aggregated, anonymous statistics — for example, the total number of workers verified in a given quarter — in our public reporting and in this policy. Aggregate figures cannot be traced back to any individual.

We do not sell personal information. We do not run third-party advertising on the platform. We do not pass worker data to recruiters, insurance underwriters or credit bureaus under any circumstances.

We do not subject any data subject to automated decision-making that has legal or similarly significant consequences. Every verification outcome is reviewable by a human analyst, and every dispute is handled by a human.

Sharing happens only where the law allows it and the purpose requires it. The list below is exhaustive.

iDeployed UG is located in Germany, a jurisdiction recognised by the Information Regulator as providing an adequate level of data protection. Transfers to iDeployed UG, and to Google Cloud Platform regions outside South Africa, are governed by standard contractual clauses and a written processing agreement that binds the operator to POPIA-equivalent obligations.

Personal information is retained only for as long as is required for the purpose it was collected, or as required by law. The schedule below sets out the periods we apply.

Where we are obliged to keep information beyond the active life of an account — for instance, under a regulatory or tax hold — we restrict access to it, isolate it from production systems, and delete it as soon as the obligation falls away.

The Protection of Personal Information Act gives every data subject a defined set of rights. We are obliged to respect them, and we do.

To exercise any of these rights, write to [email protected] with the subject line "POPIA request". We respond within 30 calendar days. If we need longer — for instance, because the request is complex or involves third parties — we will tell you why and how long it will take.

Verification only matters if the underlying record is secure. We apply technical, organisational and procedural safeguards that meet or exceed POPIA section 19 requirements.

We use cookies sparingly, and only where they have a clear functional purpose. We do not use third-party advertising cookies, we do not run cross-site trackers, and we do not share cookie data with marketing networks.

You may refuse non-essential cookies via the banner shown on your first visit, or change your choice in account settings at any time. Disabling preferences cookies will not stop you from using the platform; it will simply reset your settings on each visit.

Hustla is not for children. We do not knowingly collect personal information from anyone under the age of 18, and we do not permit registration as a worker or as an employer by anyone under 18.

If we learn that we have inadvertently collected personal information about a person under 18, we delete it immediately and notify the responsible adult where one can be identified. If you believe a minor has registered, write to [email protected] and we will act on the same day.

We update this policy when our practices change, when the law changes, or when we improve a description we think is unclear. Every change is dated, and the previous version is archived and available on request.

Material changes — a new purpose, a new recipient, or a meaningful shift in retention — are communicated in advance by email to all registered users, at least 30 days before they take effect. Trivial wording changes are not communicated individually; the "Last updated" stamp at the top of this page is the canonical record.

If you have a question about this policy, or you want to exercise a right under POPIA, write to our Information Officer.

If you are not satisfied with our response, or you believe we have processed your personal information unlawfully, you may lodge a complaint with the Information Regulator of South Africa at any time, with or without first contacting us.