Privacy Policy

This policy explains how Ikhaya24 (“we”, “us”) processes personal information of property owners, tenants, and contractors in line with the Protection of Personal Information Act, 2013 (POPIA).

1. Data controller

The responsible party (data controller) under POPIA is Ikhaya24. For access, correction, or deletion requests, contact the Information Officer at admin@ikhaya24.com.

2. Notification of collection (POPIA s.18)

We collect personal information directly from you when you register an account, list a property, submit a maintenance request, or otherwise interact with the service. The categories we collect include: name, email address, phone number, ID number (where you choose to provide it for tenant onboarding), property and lease details, payment-related metadata, and message content you send through the platform.

The lawful basis for processing is performance of a contract (the property-management service you have signed up for) and our legitimate interest in operating and securing the service. Provision of identifying information is voluntary; without it, we may be unable to offer parts of the service such as tenant onboarding or contractor coordination.

3. How we use your information

• To deliver the property-management features of the service.
• To send transactional notifications about your account, leases, and maintenance threads.
• To detect, investigate, and prevent fraud, abuse, and security incidents.
• To comply with legal obligations under South African law, including POPIA, the Companies Act, and tax legislation.

4. Operators (sub-processors) we share data with

We use a small number of operators to deliver the service. Each is contractually bound to process personal information only on our instructions and to maintain appropriate security safeguards.

• Resend — transactional email delivery (account notifications, password resets).
• Twilio — WhatsApp and SMS message delivery for tenant and contractor coordination.
• PayFast — payment processing for subscription billing only (we do not collect or store card numbers).
• Google Cloud Storage (GCS) — object storage for uploaded documents and images.
• Postgres database host — managed Postgres hosting in South Africa or the European Union for relational data.

5. Retention period

We retain personal information for as long as your account is active and for a further seven years after closure, to comply with South African tax and accounting record-keeping obligations. Backups containing closed-account data are pruned within 35 days of their creation cycle. Where you exercise a deletion right, we remove the underlying records within 30 days, retaining only what law obliges us to keep.

6. Your rights (POPIA s.23 and s.24)

You have the right under POPIA s.23 to request access to the personal information we hold about you, and under POPIA s.24 to request correction of inaccurate information or deletion of information we are no longer entitled to retain. Send requests to admin@ikhaya24.com. We respond within 30 days.

You may also lodge a complaint with the Information Regulator of South Africa if you believe your rights under POPIA have been breached.

7. Cross-border transfers

Some operators (notably Resend, Twilio, GCS) may process data outside the Republic of South Africa. POPIA permits these transfers where the recipient is bound by laws or binding agreements that provide an adequate level of protection.

8. Security

We use TLS in transit, encryption at rest for the database and object storage, role-based access controls, and per-organisation tenancy isolation enforced at the application and database layer.

9. Updates to this policy

We update this policy when our processing practices change. The last-updated date at the top of this page reflects the most recent revision.