Privacy Policy
This policy explains how DataRights collects, uses, stores, shares, and protects personal information when providing POPIA request, scan, dashboard, support, and subscription services.
1. Who We Are
DataRights is a South African consumer privacy service that helps subscribers prepare, submit, track, follow up on, and where appropriate prepare escalation material for requests made under the Protection of Personal Information Act, 4 of 2013 (POPIA).
For DataRights' own website, account, payment, consent, support, and service administration, DataRights acts as the responsible party for the personal information it collects directly from you. When DataRights prepares and sends requests to data holders on your behalf, DataRights acts under your authorisation as your service provider and authorised representative for that request process.
Support: support@datarights.co.za. Information Officer: privacy@datarights.co.za. Registered address: South Africa.
2. What This Policy Covers
This policy applies to website visitors, free scan users, subscribers, trial users, support contacts, payment and billing interactions, consent records, customer dashboard usage, and POPIA request workflows. It does not control how third-party data holders, brokers, payment providers, or infrastructure providers process information under their own policies.
3. Personal Information We Collect
Account and identity information
- First name, last name, full name, email address, phone number, city or town, selected plan, billing cycle, subscriber status, and optional South African ID number if you choose to provide it.
Consent and authorisation records
- Service consent, authorised-agent confirmation, consent version, exact consent wording, exact authorisation wording, marketing opt-in, source page, timestamp, IP address where available, and browser or device user agent where available.
Payment and subscription information
- Selected plan, amount, billing cycle, payment status, payment date, PayFast payment reference, subscription reference, cancellation reason, refund workflow status, and billing reconciliation status.
DataRights does not intentionally store full card details. Card and payment credential processing is handled by PayFast.
Request, scan, and operational information
- Scan signals, broker or data holder request records, request status, request letter text, scan or batch reference, broker response summaries, follow-up dates, escalation status, customer sightings, support notes, customer actions, and audit log summaries.
Website and technical information
- IP address, browser and device details, form submission metadata, security logs, basic analytics, cookies, or similar technologies where used.
4. Optional South African ID Number
Your South African ID number is optional. Providing it may help certain data holders match your request to their records. DataRights restricts access to it and must not place ID numbers in email subject lines, public logs, analytics events, or unnecessary support messages.
5. Why We Process Personal Information
- To create and manage subscriber profiles and Privacy Control Center access.
- To record consent and authorisation.
- To process payments, renewals, cancellations, and subscription reconciliation.
- To prepare and send POPIA request letters to covered data holders.
- To track broker responses, non-responses, follow-ups, and escalation options.
- To process customer-reported sightings and support tickets.
- To maintain audit records, prevent abuse, protect the service, and comply with legal, tax, accounting, and regulatory duties.
6. Legal Bases
Depending on the context, DataRights may process personal information because you consented, processing is necessary to provide the service you requested, processing is necessary for a contract, processing is required by law, processing supports legitimate operational or security purposes, or you authorised DataRights to submit and follow up on requests on your behalf.
Marketing messages are separate from service messages. You can refuse or withdraw marketing opt-in without losing service messages needed to operate DataRights.
7. How POPIA Requests Work
When you authorise DataRights, DataRights may use your profile information to prepare and send requests to covered data holders. Those requests may ask a data holder to confirm whether it holds your personal information; delete, destroy, correct, or update information where POPIA permits; confirm action taken in writing; provide a lawful basis if it refuses; or explain next steps where more information is required.
DataRights only marks a request as completed or confirmed when the relevant data holder confirms the action or there is another documented basis for that status.
8. Data Processors and Service Providers
| Provider | Purpose | Note |
|---|---|---|
| Supabase | Database, customer records, consent records, request data, and operational state. | Operates under its own data protection terms and infrastructure policies. |
| Cloudflare Workers | API layer, request processing, Worker routing, and security controls. | Operates under its own data protection terms and infrastructure policies. |
| Resend | Transactional email, verification codes, request dispatch, and service notifications. | Operates under its own data protection terms and infrastructure policies. |
| PayFast | Payment processing, subscription confirmation, payment references, and payment status. | PayFast handles card and payment credential processing under its own terms. |
| Have I Been Pwned | Breach signal checking and breach alert context where used. | Operates under its own data protection terms and usage policies. |
DataRights may also use domain, hosting, security, accounting, support, and professional service providers where reasonably needed. DataRights aims to share only what is needed for the relevant purpose.
9. Sharing With Data Holders
DataRights may share relevant request information with covered data holders, brokers, credit bureaus, marketing databases, telecoms providers, public record sources, people-search sources, and similar organisations for request processing. DataRights does not sell subscriber personal information.
10. Cross-Border Processing
Some providers may process or store information outside South Africa. Where this happens, DataRights takes reasonable steps to use providers, contractual arrangements, or safeguards that support appropriate protection for personal information.
11. Retention
- Subscriber profile data is held for the subscription duration plus 12 months, unless a longer period is required for legal, tax, dispute, fraud-prevention, or audit reasons.
- Consent and authorisation records are retained as evidence of consent and authority.
- Deletion request, response, and audit trail records may be held indefinitely as evidence of the service provided and the request history.
- Breach alert records are held for 24 months unless needed longer for support, audit, or legal reasons.
- Payment records are retained for tax, accounting, fraud prevention, chargeback, and reconciliation duties.
- Support records are retained while needed to resolve the issue and maintain service history.
DataRights should delete, anonymise, or restrict records when continued retention is no longer justified.
12. Security
DataRights uses reasonable technical and organisational safeguards, including access controls, restricted secrets, server-side credentials, secure payment processing through PayFast, limited raw payload storage, audit logging, and breach response procedures. No online service can guarantee absolute security, but DataRights takes reasonable steps to protect personal information from loss, misuse, unauthorised access, disclosure, alteration, or destruction.
13. Your Rights
Subject to POPIA and other applicable law, you may ask whether DataRights holds personal information about you, request access, request correction or deletion of your own DataRights data, object to certain processing, withdraw consent where processing is based on consent, object to direct marketing, complain to DataRights, or complain to the Information Regulator.
To exercise rights or request deletion of your own DataRights account data, contact privacy@datarights.co.za. DataRights may need to verify your identity before acting on a request. If you withdraw service consent, DataRights can no longer submit requests on your behalf and parts of the service may stop.
14. Marketing
DataRights may send marketing emails only where you have opted in or where otherwise permitted by law. You can unsubscribe from marketing messages. You may still receive transactional or service emails required for account, payment, request, security, or support purposes.
15. Cookies and Analytics
DataRights may use cookies, analytics, or similar technologies to operate the website, understand performance, improve content, and protect the service from abuse. Where required, DataRights should provide a cookie notice or cookie policy explaining the categories of cookies used and user choices.
16. Complaints and Changes
If you have a privacy concern, contact DataRights first so it can investigate: privacy@datarights.co.za. You may also contact the Information Regulator of South Africa.
DataRights may update this policy when the service, laws, providers, or operations change. The updated version will be posted on the website with a new effective date.