POPIA Compliance Statement

1. Introduction

Rubynet (Pty) Ltd ("we", "us", "our") is the operator of PropSpec, a digital rental property inspection platform for South African landlords, agents, and property practitioners. This statement describes how we comply with the Protection of Personal Information Act 4 of 2013 (POPIA) in our processing of personal information.

This statement should be read together with our Privacy Policy and Terms of Service.

2. Information Officer

In terms of section 55 of POPIA, we have designated an Information Officer who is responsible for compliance with the Act and acts as the point of contact for data subjects and the Information Regulator.

3. Personal Information We Process

In the course of providing the PropSpec service, we collect and process the following categories of personal information:

3.1 Account & Agency Data

• Names, email addresses, and phone numbers of registered users
• Organisation name, branding, and contact details
• Subscription plan, billing email, and PayFast subscription token
• Login activity and IP address (for security and audit purposes)

3.2 Inspection Subject Data

• Property addresses and physical attributes
• Names, email addresses, and contact numbers of landlords and tenants involved in an inspection
• Photographs, condition ratings, and notes captured during a move-in or move-out inspection
• Meter readings (electricity, water, gas) and meter photographs
• Inventories of keys, remotes, and other items handed over
• Digital signatures, the IP address from which they were captured, and the user-agent string of the signing device

3.3 Cookies & Technical Data

We use only essential cookies for session management and authentication. We do not use tracking, advertising, or analytics cookies that profile individuals across websites.

4. Purpose of Processing

We process personal information only for the following legitimate purposes, consistent with section 13 of POPIA:

• Facilitating the creation, completion, and digital signing of rental property inspection reports
• Generating branded PDF compliance reports that landlords, agents, and tenants can rely on as a record of property condition
• Sending inspection links, signature requests, and report copies to the relevant parties via email and WhatsApp
• Authenticating users, securing accounts, and preventing unauthorised access
• Processing subscription payments and managing billing
• Providing customer support and responding to enquiries
• Complying with legal and regulatory obligations

5. Lawful Basis for Processing

Our processing is lawful under one or more of the following grounds in section 11 of POPIA:

• Consent — for example, where a tenant signs an inspection report
• Contract performance — to deliver the inspection service that agents and landlords have subscribed to
• Legitimate interest — to keep records of property condition, prevent fraud, and operate the service
• Legal obligation — where retention or disclosure is required by law

6. Retention Periods

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, in accordance with section 14 of POPIA:

• Inspection records and signed PDFs: 5 years from the date of signature, to support possible deposit disputes and legal proceedings
• Inspection photographs: 3 years, after which they are deleted from primary storage
• Account data: retained for the duration of the user's subscription and for a reasonable period thereafter, until deletion is requested
• Audit logs and security events: 12 months
• Billing records: 5 years, as required by SARS for tax record keeping

When the retention period expires or a deletion request is honoured, personal information is securely deleted from active systems and backups within a reasonable timeframe.

7. Sharing With Third Parties

We do not sell personal information. We share information only with the operators listed below, all of whom are bound by data-processing terms consistent with POPIA:

• SMTP2GO — for transactional email delivery (inspection invitations, signature requests, PDF reports)
• PayFast (Pty) Ltd — for subscription billing and payment processing in South African Rand
• Cloudflare — for content delivery, DDoS protection, and edge security
• Hosting and infrastructure providers operating data centres located in or serving South Africa

We may also disclose personal information where required by law, court order, or a valid request from a competent regulatory authority.

8. Cross-Border Transfers

Where personal information is transferred outside of South Africa (for example to an email-delivery provider with infrastructure in the European Union), we ensure the receiving party is subject to laws or contractual undertakings that uphold principles substantially similar to POPIA, in line with section 72.

9. Your Rights as a Data Subject

Chapter 3 of POPIA grants you the following rights in relation to your personal information:

• The right to be notified that information is being collected about you
• The right to request access to the personal information we hold about you
• The right to request correction or deletion of inaccurate information
• The right to object to the processing of your personal information on reasonable grounds
• The right to object to direct marketing (we do not currently send direct marketing)
• The right to lodge a complaint with the Information Regulator
• The right to institute civil proceedings regarding alleged interference

To exercise any of these rights, please contact our Information Officer at [email protected]. We will respond within a reasonable time and in any event within 30 days.

10. Security Safeguards

In terms of section 19 of POPIA, we have implemented appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, and unlawful processing:

• HTTPS / TLS encryption for all data in transit
• Encrypted password storage using industry-standard hashing (bcrypt)
• Role-based access control — users only see data belonging to their own organisation
• Email verification and secure session management
• Regular security updates and dependency monitoring
• Audit logging of sensitive actions (logins, exports, deletions)
• Encrypted backups and disaster-recovery procedures stored separately from production

In the event of a security compromise that creates a reasonable risk of harm to a data subject, we will notify the affected individuals and the Information Regulator as required by section 22 of POPIA.

11. Complaints & Information Regulator

If you believe we have not handled your personal information in accordance with POPIA, please first contact our Information Officer so we can attempt to resolve the matter. If you are not satisfied with our response, you have the right to lodge a complaint directly with the Information Regulator of South Africa:

12. Updates to this Statement

We may update this POPIA Compliance Statement from time to time to reflect changes in our processing activities or in applicable law. The "Last updated" date above indicates when the most recent revision was made. Material changes will be communicated to active users via email.