Privacy policy.

1. Who we are

This policy applies to South PropMan (Pty) Ltd (“South PropMan”, “we”, “us”), trading as the South PropMan platform, with its head office at 3 Centex Close & Katherine Str, Sandton, Johannesburg, South Africa. We are the Responsible Party (POPIA) / Data Controller (GDPR & SADC equivalents) for the personal information we collect through the South PropMan website and software platform.

For privacy questions, data-subject requests, or to report a suspected breach, contact our Information Officer at info@southpropman.com.

2. Laws we comply with

South PropMan operates in multiple jurisdictions. We align with:

• South Africa — the Protection of Personal Information Act 4 of 2013 (POPIA) and the Electronic Communications and Transactions Act 25 of 2002 (ECT Act).
• Botswana — the Data Protection Act 32 of 2018.
• Zambia — the Data Protection Act 3 of 2021.
• Zimbabwe — the Data Protection Act [Chapter 11:12] of 2021 (formerly the Cyber and Data Protection Act 5 of 2021).
• Namibia & eSwatini — where dedicated data-protection statutes are not yet in force, we default to POPIA-level safeguards.
• European Union visitors — we honour GDPR rights on a best-effort basis; please note our primary jurisdiction is South Africa.

3. What personal information we collect

We collect only the information needed to run the platform and honour our contractual obligations to you. Broadly:

• Identity & contact: name, email, phone, company, country, role, address.
• Authentication: hashed password, multi-factor tokens, session data, IP and device metadata for audit logging.
• Property-operations data: property, unit, lease, tenant, occupant, short-term letting, maintenance and financial records you (or your users) enter or upload into the platform.
• Sectional-scheme data: body-corporate and sectional-title scheme registers, unit notes, owner/member, trustee, occupant and short-term letting records, participation quotas, vehicle plates, levy-clearance records, meeting attendance, proxy and ballot records, portal messages between managers and scheme stakeholders, CSOS return evidence, insurance valuations, prescribed documents and audit-pack exports.
• Financial identifiers: bank account numbers, tax numbers (VAT, PAYE, WHT), payment references — encrypted at rest.
• KYC documents: ID, tax clearance, proof of banking, BEE or insurance certificates uploaded by service providers.
• Usage telemetry: feature events, error logs, browser user-agent — aggregated for product improvement.
• Marketing leads: information you voluntarily submit on the website contact form.

We do not knowingly collect personal information from children under 18, and we do not sell personal information to third parties.

4. Why we collect it (lawful basis)

• Performance of a contract — to deliver the platform and process your portfolio, leases, invoices and payments.
• Legal obligation — tax, accounting, anti-money-laundering and record-keeping obligations in each jurisdiction.
• Legitimate interest — fraud prevention, platform security, product improvement, essential communications about the service.
• Consent — for marketing emails, optional cookies and any processing outside the categories above. You can withdraw consent at any time.

5. Who we share it with

Personal information is never sold. It is shared only with:

• Other users you explicitly invite — your tenants, owners, trustees, managers, service providers, accountant or auditor, scoped by the role-based, property-scoped and scheme-scoped permissions you configure.
• Infrastructure operators acting as Operators (POPIA) / Processors under strict written agreements:
  • Cloud database & storage: Supabase (hosted on AWS).
  • Transactional email: our configured SMTP / email API provider for sign-in, invitations, invoice delivery and POPIA data-subject responses.
  • Payment gateways (only when you enable online rent payments): PayFast (ZA) and optional Stripe for card acquiring. We pass the invoice amount, invoice number and tenant display name only — card data never touches our servers.
  • Messaging providers (only when you enable WhatsApp or SMS nudges): WhatsApp Business API via your configured provider (Twilio, 360dialog or Meta direct) and Twilio for SMS.
  • Error & performance telemetry: anonymised exception traces.
• Professional advisers under confidentiality when required by law.
• Regulators & courts where a valid subpoena, warrant or statutory directive compels disclosure.

A current list of operators and where they process data is available on request from our Information Officer.

6. Cross-border transfers

Our production database is hosted in the EU region of our cloud provider. When your personal information crosses a Southern African border (for example, during backup), we rely on either (a) contractual safeguards with the operator equivalent to the requirements of POPIA § 72 and Standard Contractual Clauses, or (b) your explicit consent. You may request a copy of these safeguards from our Information Officer.

7. How long we keep it

• Active account data — for as long as your account is active.
• Financial records — at least 5 years after the relevant transaction, as required by the Tax Administration Act 28 of 2011 (SA) and equivalent acts in other markets.
• Sectional-scheme statutory records — retained for the period reasonably required to support STSMA, PMR, CSOS, conveyancing, audit and dispute-resolution obligations, unless you delete them earlier and no statutory retention duty applies.
• Marketing leads — 24 months from last interaction, unless you opt out sooner.
• Audit logs — 7 years for tamper-evident security logs.
• Closed account data — fully purged within 30 days of your written request, subject to the retention minima above.

8. Your rights as a data subject

Under POPIA (and its SADC counterparts) you have the right to:

• Be notified that personal information is being collected about you.
• Request access to your personal information (POPIA § 23).
• Request correction or deletion of inaccurate, excessive or unlawfully obtained information (POPIA § 24).
• Object to processing, including direct marketing (POPIA § 11(3)).
• Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
• Complain to the Information Regulator of South Africa (inforegulator.org.za) or the equivalent regulator in your country.

To exercise any of these rights, email info@southpropman.com. We respond within 30 calendar days. No fee is charged for reasonable requests.

9. How we protect it

• Encryption in transit (TLS 1.2+) and at rest (AES-256) for all personal information.
• Row-level security at the database layer so one tenant of the platform cannot see another’s data, even if a bug would otherwise allow it. Property-scoped access rules further restrict team members to only the properties they are assigned to.
• Least-privilege internal access, enforced via our identity provider and audited quarterly.
• Daily encrypted backups with point-in-time restore.
• Annual third-party penetration testing.
• A documented incident-response plan; confirmed breaches involving personal information are reported to the Information Regulator and to affected data subjects without undue delay, per POPIA § 22.

10. Cookies & similar technologies

The website uses the minimum cookies (and browser-storage entries) required to deliver the site and understand aggregate traffic. We do not use third-party advertising cookies.

We distinguish two classes:

• Strictly necessary — for example, your signed-in session, CSRF token, and the record of your cookie-consent choice itself. These are set automatically and are exempt from consent under POPIA § 11 and ECT Act § 45 because they are essential to providing a service you explicitly requested.
• Optional analytics / marketing — aggregate product analytics. Disabled by default. Only set after you click Accept on the cookie banner that appears on your first visit. You can change your mind at any time by clicking Cookie settings in the footer or by clearing southpropman.cookie-consent from your browser’s storage.

11. Children

The platform is intended for use by adult professionals. We do not knowingly process personal information of any person under 18. If you believe we have done so in error, contact us and we will delete it.

12. Changes to this policy

We update this policy when our practices change or the law requires. Material changes are notified by email to account holders at least 14 days before they take effect. The “Last updated” date at the top of the page reflects the current version.

13. Contact us

Information Officer
South PropMan (Pty) Ltd
3 Centex Close & Katherine Str, Sandton, Johannesburg, South Africa
info@southpropman.com