Promotion of Access to Information Act Manual
Manual prepared in terms of section 51 of the Promotion of Access to Information Act 2 of 2000 ("PAIA") for the private body identified below.
Operator / private body: Whispa (Pty) Ltd ("the Operator", "we", "us", "our"), the operator of the Receiptally product and brand.
Effective date: 5 June 2026
1. Introduction and purpose of this manual
PAIA gives effect to the constitutional right of access to information held by public and private bodies. Section 51 of PAIA requires a private body to compile a manual that explains the records it holds and how a person may request access to them. A PAIA manual is mandatory for all private bodies.
This manual sets out:
- the particulars of the Operator as a private body, and how to contact its Information Officer;
- where to find the Information Regulator's guide on how to use PAIA;
- the categories of records that the Operator holds;
- the categories of records available without a PAIA request;
- the procedure for requesting access to a record, including the prescribed form and fees; and
- the remedies available if a request is refused.
This manual should be read together with the Operator's Privacy Policy, which describes in detail what personal information Receiptally collects and how it is processed under the Protection of Personal Information Act 4 of 2013 ("POPIA").
2. Particulars of the private body (section 51(1)(a))
- Registered name: Whispa (Pty) Ltd
- Company registration number: 2025/060253/07
- Registered office: 20C Corsair Road, Milnerton, Cape Town, 7441
- Product / brand: Receiptally (a receipt-scanning product for iOS and Android, together with this marketing website and its interactive demo)
- General contact: hello@receiptally.app
3. Information Officer and PAIA contact details
Requests for access to records, and any PAIA-related correspondence, must be directed to the Information Officer.
- Information Officer: the head of Whispa (Pty) Ltd, who acts as the Information Officer for the purposes of PAIA and POPIA
- Contact for PAIA requests and privacy matters: privacy@receiptally.app
- Postal / physical address: 20C Corsair Road, Milnerton, Cape Town, 7441 (marked for the attention of the Information Officer)
All access requests, deletion requests, correction requests and complaints are handled by email. The Operator does not operate a separate third-party request portal.
4. The Information Regulator's guide on how to use PAIA (section 51(1)(b))
The Information Regulator has compiled a guide, in terms of section 10 of PAIA, that contains information to help a person exercise the right of access to information. A person who needs assistance in understanding PAIA, or in lodging a request or complaint, may obtain this guide from the Information Regulator.
- The Information Regulator (South Africa)
- Physical address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191
- Telephone: 010 023 5200
- Toll-free: 0800 017 160
- PAIA enquiries / complaints email: PAIAComplaints@inforegulator.org.za
- Website: https://www.inforegulator.org.za
- Online submissions (iSupport helpdesk): https://eservices.inforegulator.org.za
The guide is available from the Information Regulator on request and via its website.
5. Categories of records held by the Operator (section 51(1)(d) and (e))
The Operator is a small, pre-launch business. Receiptally is built around a privacy principle that the Operator does not store receipt images or extracted receipt data on its servers; that information lives only on the user's own device. As a result, the categories of records the Operator actually holds are limited.
5.1 Records held under specific legislation
The Operator keeps records that any company is required to keep under various laws, which may include, depending on its activities:
- company-formation, statutory and secretarial records under the Companies Act 71 of 2008;
- financial, accounting and tax records under the Companies Act, the Income Tax Act 58 of 1962, the Value-Added Tax Act 89 of 1991, and the Tax Administration Act 28 of 2011;
- records relating to employees, where applicable, under the Basic Conditions of Employment Act 75 of 1997, the Labour Relations Act 66 of 1995, the Employment Equity Act 55 of 1998, the Unemployment Insurance Act 63 of 2001 and related legislation;
- records relating to the processing of personal information under POPIA.
5.2 Records relating to the website, demo and waitlist
- Waitlist records: the email address and platform preference (iOS, Android or both) of people who join the Receiptally waitlist, together with the date the request was received and a technical application identifier. The email address is stored in plaintext on the Operator's backend. Joining the waitlist also enrols the email address in the Operator's beta-testing programme (currently Google Firebase App Distribution; this may in future move to Apple TestFlight or Google Play testing). The Operator will retain waitlist records only until Receiptally launches, at which point the waitlist form is removed and the Operator will permanently and irrecoverably delete all collected waitlist emails — including copies held in the beta-testing tool. This deletion is a commitment carried out by the Operator; there is currently no automated deletion process in the underlying systems. A user may request earlier deletion at any time.
- Demo records: for the website's one-scan demo, the Operator's backend holds only an anonymous authentication identifier, a scan counter used to enforce the scan limit, and first-scan and last-scan timestamps. These backend demo and scan-counter records currently have no automated expiry. The Operator does not store the receipt image or the extracted receipt data from the demo on its servers; that data is held only in the visitor's own browser.
- Abuse-prevention records: short-lived rate-limiting records that contain only salted, hashed values (not raw email addresses or IP addresses) and that automatically expire. These hashed values relate to rate-limiting only; they are separate from, and do not protect, the plaintext waitlist email address described above.
5.3 Records relating to the Receiptally apps (when launched)
- On the user's device only: extracted receipts and receipt images, which are stored on the user's own device and never on the Operator's servers. The Operator does not hold these records and cannot retrieve them. An optional operating-system backup of this on-device data to the user's own iCloud or Google account is governed by those providers, not by the Operator.
- On the Operator's backend: for app users, a minimal account record consisting of an anonymous authentication identifier, a scan counter, platform and timestamps. A subscription-status field exists in the data schema but is not yet populated by any live billing flow; subscription and billing functionality is not yet implemented and will be addressed when the apps launch.
- Crash-diagnostic records (opt-in): if a user chooses to enable crash reporting (which is off by default and can be switched off again in the app settings), crash-diagnostic data is processed through Google Firebase Crashlytics.
5.4 Records held by third parties on the Operator's behalf
Some of the records above are processed using the services of Google and its Firebase platform (Authentication, Cloud Functions, App Check, Crashlytics and App Distribution) and, for receipt extraction, the Google Gemini API. Receipt images are sent transiently to Google Gemini only to extract the data and are not stored on the Operator's servers. These third parties act as the Operator's operators or service providers. The Operator's Privacy Policy describes the processing, retention and other terms applicable to these third parties.
6. Access to records held by the Operator
6.1 Records available without a PAIA request (section 51(1)(c))
The following records and information are available without a formal PAIA request:
- this PAIA manual;
- the Operator's published Privacy Policy;
- the Operator's website Terms; and
- marketing and product information published on the Receiptally website.
6.2 Records available in terms of other legislation
Certain records may be accessible under legislation other than PAIA (for example, records a person is entitled to receive under POPIA in relation to their own personal information, or records accessible under the Companies Act). A data subject who wants to access, correct or delete their own personal information should contact the Information Officer at privacy@receiptally.app; this is dealt with under POPIA and the Operator's Privacy Policy and does not require a formal PAIA request.
6.3 Records available in terms of PAIA
A requester may use the PAIA procedure below to request access to any other record held by the Operator. The Operator may grant or refuse access in accordance with the grounds for refusal set out in Chapter 4 of Part 3 of PAIA (for example, the mandatory protection of the privacy of a third party, commercial information of a third party, or the Operator's own confidential commercial information).
7. Procedure for requesting access (section 51(1)(e))
- A requester must complete the prescribed request form — Form 2 (Request for Access to Record) of Annexure A to the PAIA Regulations, 2021 — and submit it to the Information Officer at privacy@receiptally.app or at the postal address in section 3 above.
- The request must provide enough detail to identify the record requested and the requester, the form of access required, and a postal address, email address or fax number in the Republic. If the request is made in the personal interest of the requester, proof of identity must be provided; if made on behalf of another person, proof of authority must be provided.
- The requester must state the right that is to be exercised or protected and explain why the requested record is required for that purpose.
- If a requester is unable to read or write, or has a disability, the request may be made orally; the Information Officer will reduce it to writing and provide a copy to the requester.
- The Information Officer will decide on the request within 30 days of receiving it, in accordance with PAIA. This period may be extended once by a further period of up to 30 days where PAIA permits. The Information Officer will grant or refuse the request and will give reasons for any refusal.
The prescribed PAIA forms and regulations are available from the Information Regulator's website at https://www.inforegulator.org.za.
8. Fees (section 51(1)(e))
PAIA and its regulations prescribe the fees payable for access requests made to a private body. These generally consist of:
- a request fee, which a private body may require before processing a request; and
- an access fee, calculated according to the prescribed tariff, to cover the costs of reproduction, search, preparation and, where applicable, postage or the cost of any electronic medium.
Under the PAIA Regulations, 2021 (Annexure B), the prescribed request fee payable by a requester to a private body is R140.00, and access fees (for the search, reproduction and preparation of records) are charged according to the tariff in Annexure B. The current prescribed fees and tariff are available from the Information Regulator at https://www.inforegulator.org.za. The Information Officer will notify a requester of any request fee or deposit payable before processing the request, and of the access fee payable before granting access.
9. Remedies and complaints (section 51(1)(f) and related provisions)
PAIA does not provide for an internal appeal against a decision of a private body. A requester who is dissatisfied with a decision of the Operator's Information Officer (for example, a refusal of access, the fees charged, or the form of access given) may either:
- lodge a complaint with the Information Regulator, in the prescribed manner, using Form 5 (Complaint to the Information Regulator) of Annexure A to the PAIA Regulations, 2021; or
- apply to a court for appropriate relief in terms of PAIA.
Complaints to the Information Regulator may be submitted by email to PAIAComplaints@inforegulator.org.za or through the Information Regulator's online submission platform at https://eservices.inforegulator.org.za. The Information Regulator's full contact details appear in section 4 above.
10. Availability of this manual
This manual is available, free of charge:
- on the Operator's website at the Receiptally site; and
- from the Information Officer on request, by emailing privacy@receiptally.app.
11. Status of the small-private-body exemption
A PAIA manual is mandatory for all private bodies. The Operator does not rely on any exemption from the obligation to compile and publish this manual.
An exemption previously relieved certain smaller private bodies of the obligation to compile a PAIA manual under section 51. That exemption lapsed on 31 December 2021; with effect from 1 January 2022, all private bodies — with no size-based exemption — must compile and make a PAIA manual available. The Operator therefore does not rely on any exemption. Even if a future exemption were published under section 51(4) of PAIA, the Operator's position is that this manual should be compiled and published regardless, because it gives users a clear, single route to exercise their access rights.
12. Updates to this manual
The Operator will review and update this manual as its records, services or contact details change — in particular when the Receiptally apps launch and when subscription functionality is introduced. The Information Officer is responsible for keeping the manual current.