Data & Compliance

Last updated 24 June 2026

This page is maintained by the ConnectHustle team to answer common questions about how we handle data and our approach to POPIA. It describes the controls we have enabled today; it is not an independent certification or audit. Builder, platform, and customer responsibilities are shared — we operate the platform, our infrastructure providers operate the underlying services, and you are responsible for the security of your account.

Access & authentication
  • Email + password sign-in, with Google OAuth optional.
  • Passwords are hashed by our auth provider — we never see them.
  • Role-based access: admin actions require an explicit admin role grant.
  • Row-level security restricts each user to data tied to their own account or jobs they participate in.
Hosting & infrastructure
  • Frontend and server functions run on Cloudflare's edge network.
  • Database, file storage, and auth are provided by Supabase.
  • Payments are processed by PayFast (Pty) Ltd, a registered South African payment provider.
  • Production traffic is served over HTTPS only.
Data we collect & store
  • Account profile, job posts, applications, messages, ratings, payment status, withdrawal requests.
  • Chat attachments and ID documents are stored in private buckets accessible only via short-lived signed links.
  • We do not store card numbers — those are entered on PayFast's hosted checkout.
Subprocessors
  • Supabase — database, authentication, file storage.
  • Cloudflare — application hosting and CDN.
  • PayFast — card and EFT payment processing.
  • Lovable AI Gateway — only when an in-app AI feature is used.

POPIA — Protection of Personal Information Act

ConnectHustle operates from South Africa and acts as the Responsible Party for the personal information of its users. Our practices follow the eight POPIA conditions: accountability, processing limitation, purpose specification, further-processing limitation, information quality, openness, security safeguards, and data-subject participation. This page and our Privacy Policy document how each is applied. Saying "POPIA-aligned" is not the same as a regulator certification — POPIA does not issue one.

Retention & deletion

When a user asks us to close their account we anonymize the record rather than hard-deleting: identifying fields are removed or replaced, while job, ratings, and payment history is kept in anonymized form so the other party's record of the transaction is preserved and we can meet South African tax and accounting record-keeping requirements (generally 5 years). ID documents are deleted from storage within 30 days of a review decision.

Security controls in place today

  • Row-level security on every public database table that holds user data.
  • Private storage buckets for chat attachments and ID documents.
  • Realtime subscriptions scoped per job topic so users only receive updates for jobs they participate in.
  • Internal database trigger functions are not callable directly by signed-in users.
  • Field-level update restrictions on jobs so workers cannot change price, payment status, or completion proof.
  • Webhook signature verification on PayFast callbacks.

Your rights & how to exercise them

You can request access, correction, anonymization, or object to processing of your personal information at any time. Email hello@connecthustle.com and we will respond within a reasonable period. You may also lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za.

Reporting a vulnerability

Found a security issue?
Please email hello@connecthustle.com with the steps to reproduce and we'll respond as quickly as possible. Please do not publicly disclose the issue until we've had a chance to fix it.

What this page is not

  • It is not a certification by Lovable, Supabase, Cloudflare, or any auditor.
  • It is not a guarantee that no security incident will ever occur.
  • It is not a substitute for the legally binding language in the Terms of Use and Privacy Policy.