
ENFORCEMENT ACTIVE: POTRAZ grace period has expired. Non-compliant organisations face Level 11 fines and up to 7 years imprisonment. — Act now.

POTRAZ Enforcement Active — March 2026

Zimbabwe's Data Protection Compliance Platform for Every Sector

The CDPA grace period has expired. POTRAZ is auditing now. Complai Africa helps your organisation get properly documented, prepare for registration, and match with the right POTRAZ-certified DPO — while the legal filing and appointment remain your organisation's responsibility.

📋 Your Compliance Checklist
POTRAZ Data Controller Licence
Form DP1 — Due immediately. $50–$2,500 government fee.
URGENT
Certified DPO Appointed
Form DP2 — POTRAZ-certified DPO required. Mandatory for sensitive data.
URGENT
Data Protection Policy
Board-adopted written policy required under CDPA Section 13.
REQUIRED
Consent Forms & Agreements
Written consent for sensitive data. DPA with all third-party processors.
REQUIRED
Cross-Border Transfer Authorisation
Google/Microsoft cloud users need separate POTRAZ authorisation.
REQUIRED
5,000+
Organisations at Risk in Zimbabwe
7 yrs
Max Imprisonment — Unlicensed Processing
72 hrs
Statutory Breach Notification to POTRAZ
30 days
Time to Full Compliance with Our Toolkit
The Compliance Crisis

The Deadline Has Passed. POTRAZ Is Auditing Now.

Most organisations in Zimbabwe are legally exposed. Complai Africa bridges the gap between the law and under-resourced organisations.

CDPA Section 13 + S.I. 155 of 2024

POTRAZ Data Controller Registration

Every organisation processing data of 50+ individuals must register with POTRAZ and pay the annual licensing fee (Tier 1: $50 to Tier 4: $2,500). Complai Africa supports preparation with templates, checklists, and guidance, but the filing remains the organisation's responsibility.

CDPA Section 16 + CDPG 1 of 2024

Certified DPO Appointment

Every data controller must appoint a DPO and notify POTRAZ via Form DP2. Failure carries a Level 7 fine and up to 2 years imprisonment. Complai Africa helps you identify and match with a suitable POTRAZ-certified DPO, but the appointment remains the organisation's responsibility.

CDPG 5 of 2024

Cross-Border Cloud Transfer

Using Google Workspace, Microsoft 365, or any offshore cloud constitutes a cross-border transfer requiring separate POTRAZ authorisation.

CDPA Section 24

72-Hour Breach Notification

Data breaches must be notified to POTRAZ within 72 hours of discovery. Failure: Level 9 fine (~$2,000) and up to 3 years imprisonment.

POTRAZ Enforcement Penalties
L11 · Operating Without a Licence: Level 11 fine (~USD $3,000+). Applies to every data controller without a valid POTRAZ licence.
L12 · Unlawful Data Processing: Level 12 fine (~USD $5,000+) and/or up to 10 years imprisonment for processing sensitive data without consent.
L9 · Breach Non-Notification: Level 9 fine (~USD $2,000) and/or 3 years for failing to report a breach to POTRAZ within 72 hours.
L7 · No Appointed DPO: Level 7 fine and/or 2 years imprisonment for failing to appoint and register a DPO with POTRAZ.
Our Solutions

Compliance Tools Built for Zimbabwe

Sector-specific frameworks built around the exact requirements of the CDPA, S.I. 155 of 2024, and POTRAZ Implementation Guidelines.

🏯 SafeSchool Edition

Complete CDPA Compliance for Schools & Educational Institutions

Schools are the highest-risk category. You process sensitive data of children (under 18) — placing you under the strictest provisions of CDPA Section 12 and CDPG 2 of 2024. Schools are not eligible for Tier 1 DPO exemption.

  • Board-approved Internal Data Protection Policy for schools
  • CDPA-compliant Parental Consent Forms with guardian identity verification
  • DPIA template for CCTV, biometrics, e-learning apps
  • Staff Confidentiality Agreement + Data Awareness Training & Quiz
  • Vendor Data Processing Agreements (Google, Microsoft, EdTech)
  • Cross-Border Transfer package + POTRAZ authorisation assistance
  • + DPO Shield available separately — see pricing
📁 SafeSchool Document Bundle
📋
Data Protection Policy
Board-ready · .DOCX
Included
✍️
Parental Consent Form (3-tier)
Guardian verified · .PDF
Included
🔍
DPIA Template
Risk assessment · .DOCX
Included
🌐
Cross-Border Transfer Package
POTRAZ authorisation · .DOCX
Included
🤝
Vendor DPA Agreement
IT vendors · .DOCX
Included
🚨
Form DP3 Breach Template
24hr protocol · .PDF
Included
📊
Data Asset Register & ROPA
POTRAZ DP1 ready
Comply Business+
🏥 MedShield Edition

Patient Data Protection for Clinics, Practices & Pharmacies

Health data is explicitly classified as sensitive data under CDPA Section 12. Only a health professional may process health-related data, and written consent is required for biometric, genetic and health data processing.

  • Medical Practice Data Protection Policy (CDPA Section 12-compliant)
  • Patient Information & Written Consent Form
  • Health Record Data Processing Agreement for labs and specialists
  • DPIA template for health and biometric data processing
  • 72-hour breach response protocol with Form DP3
  • + DPO Shield available separately — see pricing
📁 MedShield Document Bundle
🏥
Medical Practice Privacy Policy
CDPA Section 12 · .DOCX
Included
🩺
Patient Written Consent Form
Sensitive data · .PDF
Included
🔍
DPIA Template
Health data · .DOCX
Included
🔮
Lab/Specialist DPA
Referral data · .DOCX
Included
🚨
Breach Response Protocol + DP3
72hr rule · .PDF
Included
🏢 FinGuard Edition

CDPA Compliance for MFIs, SACCOs & Credit Providers

MFIs process National IDs, financial history and credit data — all classified as sensitive data under the CDPA. FinGuard addresses both POTRAZ data protection and RBZ KYC requirements.

  • MFI/SACCO Data Protection Policy (POTRAZ & RBZ aligned)
  • KYC & Loan Application Privacy Consent Form
  • Credit Bureau Data Sharing Agreement (CreditRegistry, TransUnion)
  • Debt Collection Agent Data Processing Agreement
  • DPIA template for biometric and financial data processing
  • + DPO Shield available separately — see pricing
📁 FinGuard Document Bundle
🏢
MFI Privacy Framework
RBZ & CDPA · .DOCX
Included
📝
KYC Consent Form
Loan applications · .PDF
Included
🔍
DPIA Template
Financial & biometric data · .DOCX
Included
📞
Credit Bureau DPA
Bureau sharing · .DOCX
Included
🚨
Breach Response Protocol + DP3
72hr rule · .PDF
Included
🏠 PropSafe Edition

Tenant & Buyer Data Protection for Real Estate Agencies

Property managers collect ID copies, payslips, and bank statements from every tenant and buyer. PropSafe legally secures your data handling and ensures cross-border compliance for international landlords.

  • Real Estate Agency Data Protection Policy
  • Tenant Application Written Consent & Disclosure Form
  • Property Owner Data Processing Agreement (including overseas)
  • Right to Erasure procedure for expired lease data (6-month rule)
  • Cross-border transfer protocol for international landlords
  • + DPO Shield available separately — see pricing
📁 PropSafe Document Bundle
🏠
Agency Privacy Policy
CDPA-compliant · .DOCX
Included
📋
Tenant Consent Form
Lease applications · .PDF
Included
🌐
Cross-Border Transfer Package
Overseas landlords · .DOCX
Included
🗑️
Data Erasure Protocol
Post-lease deletion · .DOCX
Included
🚨
Breach Response + DP3
72hr rule · .PDF
Included
🏪 BizSecure Edition

Affordable CDPA Compliance for Zimbabwean SMEs

If you collect customer names, emails or payment data and have 50 or more data subjects, you are a Data Controller under the CDPA. BizSecure covers Tier 1 licensing (50–1,000 data subjects).

  • SME Data Protection Policy (Tier 1 POTRAZ licensing)
  • Customer Privacy Notice (website & physical display)
  • Staff Confidentiality Agreement & Acceptable Use Policy
  • Supplier Data Processing Agreement (payroll, IT, marketing)
  • Data Asset Register with retention schedule
  • + DPO Shield available separately — see pricing
📁 BizSecure Document Bundle
🏪
SME Privacy Policy
Tier 1 POTRAZ · .DOCX
Included
🌐
Customer Privacy Notice
Web & print · .PDF
Included
📊
Data Asset Register
Excel tracker · .XLSX
Included
📑
Supplier DPA
Third parties · .DOCX
Included
🚨
Breach Response + DP3
72hr rule · .PDF
Included
🛎 HotelGuard Edition

CDPA Compliance for Hotels, Lodges & Hospitality Businesses

Hotels and lodges collect extensive guest data — passport copies, credit card details, booking history and CCTV footage. HotelGuard ensures full CDPA compliance and protects your guest privacy obligations under Zimbabwe's tourism regulations.

  • Hospitality Data Protection Policy (guest, staff and supplier data)
  • Guest Check-In Consent & Data Disclosure Form
  • CCTV Data Retention Policy (public areas, reception, car parks — 30-day rule)
  • Online Booking Platform DPA (Booking.com, Expedia, direct booking systems)
  • Cross-Border Transfer Protocol for international booking and reservation systems
  • + DPO Shield available separately — see pricing
📁 HotelGuard Document Bundle
🛎
Hospitality Data Protection Policy
Guest & staff data · .DOCX
Included
✍️
Guest Check-In Consent Form
ID & payment data · .PDF
Included
📹
CCTV Data Retention Policy
30-day rule · .DOCX
Included
🌐
Booking Platform DPA
Booking.com · Expedia · .DOCX
Included
🚨
Breach Response Protocol + DP3
72hr POTRAZ rule · .PDF
Included
How It Works

From Zero to Audit-Ready in 30 Days

1

Enquire & Onboard

Submit your details. We match your sector, confirm your POTRAZ tier, and create your account within 24 hours.

2

DPO Assigned

A POTRAZ-certified DPO is matched to your organisation. They review your data footprint and initiate POTRAZ filings.

3

Documents & Filing

Forms DP1 and DP2 filed with POTRAZ. Cross-border authorisation applied for if required. All within 5 business days.

4

File & Formalise

Use the prepared templates, supporting pack, and DPO match to complete your organisation's registration and appointment process directly with POTRAZ.

ROPA & DPIA Frameworks

Compliance Frameworks Included in Every Toolkit

Every Complai Africa toolkit includes structured compliance frameworks and document templates — designed specifically for Zimbabwe's regulatory environment and ready for POTRAZ inspection.

📊
Record of Processing Activities (ROPA)
Maps all processing activities with legal bases and retention periods. Foundation of your POTRAZ Form DP1 application. Required under CDPA Section 13 and S.I. 155 of 2024.
Comply Business+
🔍
DPIA Framework — Children's Data
Mandatory for all schools under CDPG 2 of 2024. Step-by-step risk assessment with DPO sign-off template.
Included
🔍
DPIA Framework — Health & Biometric Data
Required before processing health, genetic or biometric data under CDPA Section 12. Covers medical practices, MFIs with biometric authentication and HR biometric systems.
Included
🔍
DPIA Framework — Cross-Border Cloud Transfers
Required for Google Workspace, Microsoft 365, AWS and any offshore cloud provider under CDPG 5 of 2024. Covers all sectors.
Included
🔎
27-Point Compliance Gap Assessment
Measures your current compliance level against all CDPA, S.I. 155 of 2024 and POTRAZ obligations. Complete before and after implementation to measure progress.
Comply Business+
📋
Data Subject Access Request (DSAR) Kit
Complete intake form, identity verification checklist, and response letter templates. Respond within the mandatory 30-day window under CDPA Section 21.
Comply Business+
⚖️
AskDPO — AI Data Protection Assistant
Instant answers on CDPA, S.I. 155 and POTRAZ requirements. Available exclusively to licensed Complai Africa clients as part of selected higher-tier toolkit and support flows.
Comply Business+
Free Compliance Tools

Assess Your Position Before You Buy

Use these tools to understand your compliance gap, quantify your risk exposure, and generate a baseline privacy notice before you choose a paid package.

📊
Compliance Maturity Calculator
10 questions. Instant maturity score across all CDPA obligation areas. Personalised compliance roadmap.
💰
ROI of Privacy Calculator
Calculate your financial exposure from non-compliance vs. the cost of getting compliant. Uses actual POTRAZ penalty levels from S.I. 155 of 2024.
Free CDPA Quick Audit (27-Point)
Tick what you have in place. Get an instant gap report with critical vs. non-critical findings. Printable for board presentations.
📝
Privacy Policy Generator
Generate a CDPA Section 8-compliant Customer Privacy Notice for your website or premises. Updates live as you type. Copy or print.

These tools generate starting-point outputs. For board-ready documentation, sector packs, and managed DPO support, move into a Comply package.

Transparent Pricing

Choose Your Comply Toolkit

All prices in USD. Comply is now sold as a toolkit line, with sector packs and DPO Shield layered on where needed. POTRAZ government fees remain separate and are paid directly to POTRAZ.

Common Core — Included In Every Comply Toolkit
Foundations first, then sector packs, then DPO Shield if you need a named DPO and recurring support.
DP1 template + guide & DP2 template + guide
Data Protection Policy — sector-specific
Internal & external privacy notices
Security Measures Checklist
Breach notification DP3
Consent form
Staff Confidentiality Agreement
DPO Starter Guide (internal DPO handbook)
Staff Training Pack
Tier 1 · Comply Essentials
50–1,000 data subjects · POTRAZ Tier 1
Sole traders, micro-businesses, NGOs, small retailers
USD 49
one-time · annual refresh USD 29
  • ✓ Common Core toolkit documents included
  • ✓ Basic ROPA / Data Asset Register
  • ✓ Consent Log template
  • ✓ DPIA template — lite version
  • + Add EduProtect, NGO & Donor, Hospitality or PropTech packs where needed
  • + DPO Shield Essential if you need managed cover
Tier 3 · Comply Corporate
10,001–100,000 data subjects · POTRAZ Tier 3
Mid-corporates, insurers, schools, hospitals
USD 299
one-time · annual refresh USD 149
  • ✓ Common Core plus Essentials and Business coverage
  • ✓ Full DPIA template — advanced
  • ✓ Cross-Border Transfer Risk Assessment
  • ✓ Incident Response Plan — detailed
  • ✓ DPO Internal Audit Checklist
  • ✓ Breach Register
  • + Often suited to larger or more operationally complex organisations
  • + DPO Shield level depends on your volume and governance needs
Tier 4 · Comply Enterprise
100,001+ data subjects · POTRAZ Tier 4
Banks, telcos, universities, government utilities
USD 499
manual review · annual refresh USD 249
  • ✓ Full Comply stack with enterprise governance scope
  • ✓ Data Governance Policy (retention, destruction, classification)
  • ✓ Third-Party Risk Management (TPRM) toolkit
  • ✓ Children's Data Compliance Checklist
  • ✓ Multi-DPO Coordination Framework
  • + Enterprise sector packs and cross-border scoping
  • + DPO Shield Enterprise strongly recommended
🎓
DPO Shield
Add recurring managed cover after you choose your toolkit. DPO Shield Essential is USD 150/month, Business is USD 300/month, and Enterprise is USD 600/month.
📋
Premium Services and Concierge
Layer in POTRAZ Registration Concierge, Cloud Compliance Audit, Privacy Notice Setup, DPIA facilitation, cross-border transfer support, and annual health checks after your toolkit is in place.
Responsibility note: Complai Africa provides concierge compliance support, including templates, guided registration support, and DPO matching. Legal responsibility for registration, appointment, and regulatory submissions remains with the organisation.
Industry Verticals

Sector-Specific Compliance Paths

Each sector path combines the right Comply tier, the right sector pack, and the right DPO Shield level for that operating model.

🏯
SafeSchool

Schools & Education

Children's data obligations, parental consent, DPIAs, and cross-border authorisation for cloud services make education one of the most closely regulated sectors.

🏥
MedShield

Medical & Pharmacy

Health, biometric and genetic data require written consent under CDPA Section 12. Only health professionals may process health data.

🏢
FinGuard

Finance & MFIs

Financial history and ID data are sensitive under CDPA. FinGuard satisfies both POTRAZ and RBZ compliance obligations.

🏠
PropSafe

Real Estate

Every tenancy application collects sensitive data. PropSafe ensures legally compliant data handling and cross-border compliance.

🏪
BizSecure

SMEs & General Business

50+ customers or employees makes you a Data Controller. BizSecure gives you Tier 1 POTRAZ compliance.

🛎
HotelGuard

Hospitality

Hotels collect passport copies, credit cards and CCTV footage. HotelGuard covers guest privacy and international booking platforms.

For DPO Professionals

Join the Complai Africa POTRAZ-Certified DPO Partner Network

Are you a POTRAZ-certified Data Protection Officer? We provide the clients and infrastructure — you provide the professional certification and oversight.

  • 💼

    Zero Client Acquisition Cost

    We handle all sales and marketing. You focus on delivering compliance services to organisations we place with you.

  • 📈

    Manage Multiple Clients Efficiently

    Our automated toolkit handles 80% of groundwork. You review, advise, sign Form DP2, and liaise with POTRAZ.

  • 💰

    60% of Monthly Retainer

    You carry the professional oversight responsibility and receive the larger share. 30/70 on one-off toolkit sales.

  • 🔒

    Governed by Formal SLA

    Clear response time obligations: 4 hours for critical breaches, 24 hours for POTRAZ requests, 48 hours for standard queries.

🎓 POTRAZ Certified

Certified DPOs

POTRAZ-approved certification required. HIT-certified DPOs preferred.

⚖️ Law Firms

Tech Law Specialists

Lawyers with POTRAZ-certified DPO status can provide both legal advice and official oversight.

💻 IT Auditors

IT Audit Firms

IT security professionals with POTRAZ certification can extend compliance services through our platform.

🤝 60/40 Model

Clear Revenue Share

60% of retainer to POTRAZ-certified DPO. 40% to Complai Africa platform.

Get in Touch

Request a Free Compliance Assessment

Not sure where to start? Submit your details and we'll tell you which Comply tier, sector pack, and DPO Shield path best fit your organisation, then help you prepare the right templates and DPO-matching route.

📧
DPO Enquiries
🏭
Location
Harare, Zimbabwe
POTRAZ — Data Protection Authority

Forms DP1, DP2 and DP3 available at www.potraz.zw
info@potraz.gov.zw | dpa@potraz.gov.zw
+263 242 333032/46/48

We respond within 24 hours. Your data is processed under our own CDPA-compliant privacy policy.

Ready to Choose Your Compliance Path?

Choose your Comply toolkit first, then add the sector pack and DPO Shield cover that match your organisation's real-world obligations. Your organisation remains responsible for the formal POTRAZ filing and DPO appointment.
