GetSmartLease Privacy Policy (South Africa)
Last Updated: [February 2026]
14. Introduction and Scope
Welcome to GetSmartLease’s Privacy Policy. This Privacy Policy explains how Sunrise Technosystems (Pty) Ltd (“Sunrise Technosystems”, “we”, “us” or “our”), operating the GetSmartLease Platform, collects, uses, discloses, and safeguards personal information of users. It also outlines your rights as a data subject under South Africa’s Protection of Personal Information Act, 2013 (POPIA) and other relevant laws.
Data Controller: For the purposes of POPIA and this policy, Sunrise Technosystems (Pty) Ltd (South Africa) is the “Responsible Party” (data controller) with respect to personal information processed through GetSmartLease. Our contact details are provided in Section 14.10. We operate under the brand name GetSmartLease, but the legal entity accountable for data protection is Sunrise Technosystems.
By using the GetSmartLease website or services (collectively, the “Platform”), you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any provision of this policy, please do not use the Platform or provide personal information.
This policy applies to all users of the Platform, including landlords, tenants, property managers, and any other individuals who interact with our services (such as guarantors or references whose information may be provided).
We aim to adhere to POPIA’s eight conditions for lawful processing of personal information: Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, and Data Subject Participation. Throughout this policy, we will explain how we fulfill these conditions.
15. Information We Collect
We collect various categories of personal information depending on your role (landlord, tenant, etc.) and how you use the Platform. Below is a breakdown of the types of data we collect and process:
15.1. Information Provided Directly by You:
- Account Registration Data: When you register an account, we collect information such as your full name, email address, mobile number, and a password. If you register as a company or property manager, we may collect the company name, registration number, and contact person’s details.
- Profile and Identity Verification Data: We may request your ID number (South African ID or passport number) or ask for copies of identification documents (e.g., ID book/card, driver’s license) to verify your identity or for permissible tenant screening purposes. For property owners, we might also collect proof of property ownership (like a utility bill or deed info) to ensure legitimate listings.
- Property Listing Information (for Landlords/Managers): When you list a property, you provide details about the property (address, type, number of bedrooms, rental price, amenities, photos, etc.). Some of this may be considered personal information if, for example, you live at the property or the listing includes contact details. We treat the listing details as information you intend to make public to potential tenants, except where you opt to keep certain info private (like exact address hidden until later in the process).
- Application and Tenant Information (for Tenants): When you fill out a rental application or your tenant profile, we collect data such as your birth date, ID number, current and past addresses, employment status and employer details, income, references (names and contact details of employer/previous landlord/personal refs), and any documents you upload (like payslips, bank statements, proof of employment, rental history, etc.). This information is typically shared with the specific landlord you apply to (with your consent at time of application). It may also be used for screening reports (see below).
- Financial Information: For rent payments or payments for Platform services, we may collect your banking details or card information. Note: For security, card payments are processed by third-party payment providers, so we usually only store tokens or partial card info (like last 4 digits). If you set up a debit order, we collect bank account number and branch code. We also record payment transaction details (dates, amounts, reference numbers).
- Communication Content: If you communicate with other users through our Platform (messaging between tenant and landlord, maintenance requests, etc.), or communicate with us (customer support inquiries, feedback forms), we collect the content of those communications. This may include any personal info you choose to share therein. For example, if through messaging you provide your personal email to a landlord, that info gets captured in our system as part of the message history.
- Photographs and Media: If you upload a profile picture or if a landlord uploads images of a property (which sometimes might inadvertently contain personal info, like a family photo on a wall – landlords should remove such before photographing), that media is stored. Profile photos are optional. Tenants might also upload a photo of themselves or with family if they choose, as part of an introduction; while optional, if provided, it becomes part of our collected data. (We do not encourage sensitive personal images and any inappropriate images will be removed per our terms.)
15.2. Information Collected Automatically:
When you use the Platform, our systems automatically gather some data to improve your experience and for security:
- Usage and Device Data: This includes your IP address, device type (e.g., laptop, smartphone), operating system, browser type, and version. We collect timestamps of logins, clicks, and page views (e.g., you viewed a particular listing). We might also log how you interact with features (e.g., clicked “Apply Now”, or navigated to Help section). This is standard web analytics data.
- Cookies and Similar Technologies: We use cookies (small text files stored on your browser) and similar tracking technologies (like web beacons) to provide and personalize the service. For instance, cookies help keep you logged in, remember your preferences, and track site usage analytics (via tools like Google Analytics). We also use cookies for security (e.g., detecting multiple failed logins). You can control cookies via your browser settings, but note that disabling essential cookies (like session cookies) may affect functionality. For more detail, see our Cookie Notice (if separate) or ask us for details on types of cookies used. Generally, we do not use cookies to serve third-party ads at this time, so tracking is mainly for our own service functionality and analytics.
- Location Data: If you enable location services or provide an address, we may process location information to show you nearby properties or help auto-fill addresses. For example, tenants might search for rentals near their current GPS location. This is optional; you can search by entering an area name instead. Any location data from your device is used only at the time of the search and is not stored with your profile (unless you save an address). IP addresses can also give a rough location (city level), which we use for security (e.g., alerting you to a login from an unfamiliar location) or to show relevant content (like defaulting search to your city).
15.3. Information from Third Parties:
Sometimes we obtain personal info from sources other than you:
- Credit and Background Checks: If you are a Tenant and undergo tenant screening via the Platform, we receive information from credit bureaus and background check agencies with your consent. This can include your credit score, credit report details (like accounts, payment history, judgments), eviction history, criminal record checks, and ID verification. These reports are obtained from authorized credit bureaus or background screening partners (e.g., TransUnion, Experian, or TenantProfileNetwork) in accordance with POPIA and the National Credit Act. The information in these reports is used for assessing tenancy risk and is shared with the landlord you applied to. We store a copy in your application record. Note: performing these checks requires your consent; if a landlord requires a check, they will request it through the system and you will be asked to opt in.
- Public Records and Listings: We might supplement property listings with publicly available info (like geolocation coordinates for an address, or info from deeds registry about property size or zoning) to enrich the listing, where lawful. If you are a landlord entity, we may verify business registration details against CIPC records (public corporate registry) for legitimacy.
- Referrals: If a user invites you to the Platform (for example, a landlord invites a co-landlord or a property manager invites a team member; or a tenant invites a roommate to apply), we receive your name and email from that user as part of the referral. We will only use it to send an invite and will not add you to any marketing list unless you separately consent.
- Third-Party Integrations: If you link or login via a third-party account (say we allow login with Google or Facebook in the future), we would get basic profile info from them (like your name and email as stored in that account) to streamline registration. We will explicitly ask for your permission at the time of such linking and specify what data we retrieve.
- Service Providers: Our payment processor might provide us with updated information like a masked card number and status (success/failure) of transactions. Our analytics providers may give aggregated data about usage (e.g., user demographics or interests as inferred, though typically this is not personal data since it's aggregated).
15.4. Special Personal Information and Children:
POPIA designates certain personal information as “special” (sensitive), such as religious or philosophical beliefs, race/ethnic origin, health info, biometric info, or criminal records. Our policy is to minimize our handling of special personal info. We do not require or request information about your race, religion, health or biometrics for using the Platform. However, some sensitive data could be processed in specific contexts: e.g., a criminal background check result (criminal history is considered special personal information and we only process it with your explicit consent as part of screening, or if required by law for certain properties). We also might inadvertently collect what you volunteer (e.g., if a tenant says they need a ground-floor unit due to a disability – that implies health info). We will treat any such volunteered sensitive info with extra security and only use it for the purpose it was provided (in that example, to help find suitable housing).
Children’s data: Our Platform is not directed to minors (under 18) for contracts. We do not knowingly collect personal info from children, aside from perhaps names/ages of minor occupants in a rental (which a tenant might input in an application for context). If you are under 18, you should only use the Platform with involvement of a parent/guardian and with landlord’s consent. Landlords should not target minors as tenants. If we become aware of a child using the Platform or providing personal data without appropriate adult consent, we will remove that data. Special rules apply under POPIA for processing children’s information – we avoid doing so unless we have legal obligation or consent from a competent person (parent/guardian). For example, a lease might list a child as an occupant; by including that, the parent/guardian (our user) is effectively consenting to us processing the child’s basic info for the lease.
15.5. Openness – Your Awareness: POPIA requires that data subjects be made aware of what personal information is collected and from where. We have listed the categories and sources above. To recap in plain terms: We collect most data directly from you during account setup, listing creation, or application. Additional data comes from your device (automatically) or from authorized third parties like credit bureaus (with your consent). If we ever need to collect information from a new source or for a new purpose not covered here, we will update this Policy and notify you when required.
16. Purposes of Processing and Lawful Basis
We process personal information for various purposes related to providing and improving our services. POPIA requires that processing have a lawful basis and a specific purpose. Below, we explain each major purpose and the legal justification (condition) for processing:
16.1. Providing the Platform Services:
- Purpose: To enable you to use our Platform features – e.g., create accounts, list properties, search listings, communicate between landlord and tenant, complete applications and leases, process payments, and manage maintenance.
- Lawful Basis: Performance of a Contract – Much of our processing is necessary to perform our obligations in the contract we have with you (the Terms of Service) or to take steps at your request prior to entering a contract (e.g., processing a tenant’s application which is a step towards a lease contract with a landlord). For example, using your profile and application data to generate a lease agreement is processing necessary for providing the service you requested. Where the CPA or other law sees you as a consumer, this aligns with the necessity to deliver the service as promised. Additionally, Consent – in many cases, by voluntarily providing information for these features, you consent to its processing for that purpose. POPIA’s Processing Limitation condition allows processing if the data subject consents or if necessary for contract. Here, both apply: you want us to use the data to provide you the service, so it’s inherently necessary, and your actions imply consent.
- Example: We use your listing data to display it to prospective tenants. We use tenants’ application info to show it to the landlord they applied to, which is why they provided it – to be considered for a rental. We use contact info to send communications about the services (like lease renewal reminders). All that is to perform the core service.
16.2. Tenant Screening and Automated Decision Aspects:
- Purpose: To assess the suitability of tenants for landlords by processing credit and background data, and to automate parts of the decision process (like generating a credit score or flag). Also, to comply with certain legal obligations, such as checking against lists where required by law (e.g., some rentals might need to be checked against terrorist lists per FICA; that is more for financial institutions and typically not required for private rentals, but if we integrate with any such compliance check, it would be purpose-driven).
- Lawful Basis: Consent & Explicit Consent – We rely on your consent to perform any credit check or similar screening, especially because it often involves special personal information (e.g., criminal record) which under POPIA requires explicit consent to process. We will not run these without your opt-in. Additionally, Legitimate Interest (of the Landlord) – Landlords have a legitimate interest in vetting tenants to avoid non-payment or fraud, which is recognized as a lawful basis provided it doesn’t unjustifiably infringe on privacy rights. We balance this interest by requiring consent and using the data only for its intended purpose. If any automated profiling is done, we ensure it doesn’t result in a solely automated rejection without human intervention, to comply with POPIA Sec 71 (see Section 14.5 on automated decisions).
- Example: A tenant consents to a credit check. We send their ID to a bureau, get a report, and show a summary to the landlord with a recommendation level. The legal basis is consent. If a tenant didn’t consent, we wouldn’t process this – but then the landlord might not consider their application, which we’d inform the tenant about.
16.3. Communications and Customer Support:
- Purpose: To communicate with you about your account, transactions, and the Platform – e.g., sending verification codes, alerts (tenant applied, rent due, etc.), service updates, and responding to your inquiries or requests for support. Also to send policy updates or legal notices.
- Lawful Basis: Legitimate Interests – It’s in both your and our interest to communicate essential information about the service. Also, some communications are required for contract performance (like sending an OTP to log in securely, or emailing you a copy of your lease, which is part of the service). For direct support communications, it’s part of our service to you (contractual necessity). For broader service emails (like an announcement of new features or maintenance downtime schedules), we rely on our legitimate interest in keeping you informed and engaged with the service (and arguably performance of our general obligation to maintain service). We will not spam; these are generally service-related or requested communications.
- Example: If you email support, we use your email and issue details to troubleshoot and reply – necessary to fulfill your request. If a lease is expiring, we might email both parties a reminder – necessary to assist contract renewal, which is a legitimate interest and arguably an implied part of service.
16.4. Marketing and Newsletters:
- Purpose: If you opt in, to send you marketing communications about new features, promotions, or relevant property management content. Also, possibly to show testimonials or success stories (with permission). We might also send surveys or research questionnaires to improve our services.
- Lawful Basis: Consent – We will only send you marketing emails or SMS if you have given us consent (opted in) or if you are an existing customer in context of similar services and the law allows a soft opt-in. POPIA is generally opt-in for direct marketing by electronic channels, and we comply with that. You can withdraw consent at any time (unsubscribe). We include easy opt-out mechanisms in every marketing message. Note: Transactional or service messages (previous point) are not “marketing” and come regardless of marketing opt-in.
- Example: When signing up, you might tick a box to receive our newsletter with tips for landlords. If you do, we’ll send those occasionally. If you untick or unsubscribe, we stop. No hard feelings.
16.5. Platform Analytics and Improvement:
- Purpose: To analyze usage of our Platform, troubleshoot performance issues, test features, and improve user experience. We study how users navigate, where they drop off, which features are popular, so we can optimize and innovate. Also, to test algorithms (like improving our tenant matching algorithm) using historical data.
- Lawful Basis: Legitimate Interests – We have a legitimate interest in understanding and improving our services. We ensure analytics data is mostly aggregated or pseudonymized where possible, and that this processing does not harm your privacy unduly. We do not use analytics to make decisions about individuals; it’s more about trends. Any profiling related to improvement doesn’t affect you personally in a legal sense; it’s aimed at generally better service. We consider this aligned with POPIA’s “further processing limitation” – further processing for research or improvement is generally compatible if the original collection was for providing the service. Also, data subjects typically benefit from an improved platform, so interests align.
- Example: We might log that “User X took 5 steps to list a property” and see where time was spent, to simplify that flow. Or use error logs containing user IDs to quickly fix bugs. We might also run A/B tests showing different layouts to users and compare engagement – this uses personal data minimally (to assign who sees what). All is under legitimate interest in service optimization.
16.6. Safety and Security:
- Purpose: To protect the security of user accounts, the Platform, and other users. This includes fraud detection, identity verification, investigating suspicious activity or violations of our Terms, and implementing measures against bad actors. If necessary, to cooperate with law enforcement and regulatory inquiries.
- Lawful Basis: Legal Obligation (in some cases) – We may have legal duties to maintain certain security standards (POPIA Section 19 requires appropriate safeguards) and to report or act on unlawful activity. Also, Legitimate Interests – in preventing fraud and ensuring safety of our community. This can also be seen as in the vital interests of users at times (e.g., preventing financial harm). For special personal info (like detecting a crime), we’d rely on the legal allowances in POPIA (e.g., processing criminal info if allowed by law or with consent – but our main use is not to process such unless part of screening which is consent-based). If we run checks against government sanction lists (for AML or similar reasons) that could be legal obligation under certain circumstances (though not common in rentals unless we suspect money laundering).
- Example: We might use your device information and IP to identify if an account login is coming from an unusual location possibly indicating a hack; we might then challenge with 2FA. That processing of IP and login pattern is to secure your account. If a user is reported for scamming others, we use the info we have on them to investigate and maybe report to authorities – legitimate interest to protect others from fraud, and legal obligation to not allow illegal activity on our platform.
16.7. Legal Compliance and Record-Keeping:
- Purpose: To comply with laws such as tax laws, ECTA, CPA, or data retention laws. For instance, keeping records of transactions for a certain period for SARS (tax) or for resolving disputes, maintaining a POPIA compliance program (like documenting consents), and providing data if required by a lawful subpoena or Information Regulator inquiry. Also to enforce our terms or exercise legal claims (which might involve using certain data as evidence).
- Lawful Basis: Compliance with legal obligation – e.g., tax law might require us to retain invoices including personal details for X years. POPIA itself requires us to document processing activities. If the Information Regulator exercises oversight, we must comply. Additionally, Legitimate interests in defending our legal rights if needed (e.g., keeping logs to demonstrate something in court if it came to that).
- Example: If a user deletes their account, we might still keep certain records for, say, 5 years if financial transactions were involved, because of laws or potential legal claims (like the Prescription Act on contract claims being 3 years – we might keep contract-related data at least that long).
We ensure that all processing is done in a manner consistent with the original purpose of collection (Purpose Specification and Further Processing conditions). If we ever need to use your information for a new purpose that is incompatible with those above, we will seek your consent or ensure a legal basis and notify you as required by law.
17. Disclosure of Information (Third-Party Sharing)
We value your privacy and only share personal information with third parties for the purposes outlined above, or where required by law. Here we list the categories of recipients with whom we may share information, and why:
17.1. Counterparties to Transactions (Landlords/Tenants):
Our platform is built to facilitate information sharing between users in a controlled manner. If you are a Tenant applicant, your application data will be shared with the Landlord (or property manager) of the property you applied to. This is obvious but worth stating: landlords need that info to consider you, and by applying you agree to this transfer. Landlords, your profile (like name, photo if provided, and contact as you choose to share) is shown to interested tenants and on listings. We may initially relay tenant communications via our messaging system (masking direct emails until a certain stage to protect privacy), but ultimately if a lease is signed, each party will have each other’s contact details (which typically are exchanged in the lease document anyway). This sharing is intrinsic to the service – we only share what is necessary (the tenant’s personal info that was asked on the application form; the landlord’s info needed for tenant to evaluate and contact them). Both parties are expected to treat the information received about the other as confidential and use it only for rental purposes, per our Terms. However, we cannot enforce that beyond contractual terms; once a landlord has a tenant’s info, they become a Responsible Party for that data too, and must handle it per POPIA. We do warn and contractually obligate them (via Terms) not to misuse tenant data. But note, we are not responsible for how another user you shared info with handles it outside our Platform (though if we learn of abuse, we take action on our Platform).
17.2. Service Providers (Operators):
We use third-party companies to help us operate the Platform or provide services on our behalf. Under POPIA, these are often “Operators” (data processors) acting on our instruction. They only get access to information as needed to perform their functions, and we ensure they are bound by confidentiality and data protection obligations. Key examples:
- Hosting and Infrastructure: We may host our platform on cloud servers (e.g., AWS, Azure, or local data centers). These host databases that include personal info. Cloud providers are operators, storing data but not using it for their own purposes. We ensure data centers have appropriate security (we often choose ones with international certifications). Note cross-border details below in Section 18.
- Payment Processors: When you pay online, a payment gateway (like PayFast, PayGate, Stripe, etc.) will process your payment info. They might collect and store card details tokenized. We share with them your name, email, and amount to charge. They return transaction status and possibly some payer info. These processors are PCI-DSS compliant and act as independent responsible parties for the financial info as well (they have legal obligations to handle that data securely). We have agreements to ensure they protect data and only use it for payment.
- SMS/Email delivery services: To send verification codes or notifications, we might use services like Twilio (SMS) or SendGrid (email) who handle sending messages containing your contact info and message content. They are operators in handling that on our behalf.
- Credit Bureaus / Screening Agencies: As mentioned, if a screening is done, we send the necessary personal info (ID, perhaps financial info, etc.) to trusted third-party partners (registered credit bureaus or agencies). They process it and return a report. They are somewhat independent (they have their own obligations under credit laws), but we only engage them with your consent for specified checks. We ensure such transfers are lawful and that they treat your data carefully. Usually, the bureau will keep a record of the enquiry on your credit file (visible to other credit providers) – this is a normal industry practice and also subject to credit laws, not something we solely control. But by consenting, you accept that a footprint of the enquiry will be logged (we typically do “tenant screening” inquiries that are not full credit applications so they have minimal impact).
- Background Check and Other Integrations: Similar to above, if we integrate with, say, an identity verification service (that checks Home Affairs ID validity) or a sanctions list check for compliance, we send data to them and get a result.
- Analytics and Crash Reporting: We might use Google Analytics, which uses cookies and scripts to collect usage data (usually anonymized or pseudonymized). Google may act as an operator (they analyze on our behalf) but also in some respects a separate controller (using data to improve their services). We have enabled IP anonymization where possible and do not send them any direct personal identifiers like your name. Still, they might receive your IP and device info. We are careful to comply with privacy guidelines and you can opt out via your browser (or by not accepting analytics cookies if we provide that option).
- Developers and Support contractors: We could have third-party developers or IT support who occasionally need access to the database or system to fix issues. They are bound by NDAs and access controls so they don’t misuse or unnecessarily browse personal data. They act on our instructions.
We strive to limit the information shared to what the provider needs to do their job (data minimization). And we choose reputable providers with strong data protection standards.
17.3. Business Transfers:
If Sunrise Technosystems or the GetSmartLease business is involved in a merger, acquisition, sale of assets, or investment transaction, it may be necessary to disclose or transfer user information as part of that deal. For instance, if another company acquires GetSmartLease, user data would likely be part of the assets transferred (so they can continue the service). We would ensure any such party is bound to respect your privacy rights at least as much as we have. Similarly, if we engage in restructuring or joint ventures, relevant data might be shared with advisors (like due diligence by lawyers or auditors) under strict confidentiality.
In the event of insolvency or bankruptcy, data may be considered an asset subject to legal processes. However, we aim to ensure continuity of privacy commitments even in those cases (to the extent possible).
17.4. Legal and Regulatory:
We may disclose personal information to third parties if required by law, regulation, or legal process (such as a subpoena, warrant, or court order). We will try to limit the scope of disclosure and will object if requests seem overly broad. For example, if law enforcement is investigating a fraud that took place via our Platform, they might lawfully request certain user data. POPIA allows processing for the purposes of criminal investigations or by law enforcement with appropriate safeguards, so we comply as required. We might also share info if necessary to exercise or defend our legal rights. For instance, if we get sued or need to sue someone, we may present relevant communications or logs as evidence in court (which potentially become public record). Or we might share your identity with a complainant if required (e.g., someone who was defrauded might legally request that we identify the user responsible).
We also may disclose to the Information Regulator or other authorities if we are under an investigation or need to report something (POPIA breach notifications or similar).
17.5. Rental Tribunals or Credit Ombud, etc.: If there is a dispute (like a tenant files a complaint with the Rental Housing Tribunal or a consumer complaint about credit checks), with your authorization or as required, we could share relevant data with that adjudicatory body to resolve the matter. We would likely require a request or consent, unless the law compels us (the Tribunal often can subpoena info).
17.6. Other Users and Public:
Publicly visible information on our Platform includes things like property listings and (if you choose to post them) public reviews or forum posts. If our Platform has a community forum or Q&A and you participate, your name (or chosen screen name) and whatever you post will be public to others on the Platform. Property listings obviously are public to any visitor (with landlord contact usually revealed only to logged-in interested tenants or in a controlled way). Landlord profiles might be semi-public to someone viewing their listing. Tenant profiles are not browsable by the public; they’re only visible to landlords they engage with. We do not publish tenant personal data openly.
We also might publish aggregated insights or success metrics that contain no personal identifiers (like “Over 1000 tenants found homes using GetSmartLease in 2025, with an average rent of R8000”). That’s not personal information and could be shared publicly for marketing.
17.7. Third-Party Marketing or Data Sharing:
Importantly, we do not sell or rent your personal information to third-party marketers. We don’t provide your details to other companies for them to market to you without your explicit consent. For example, we’re not handing our user list to an insurance company to cold-email you about renters insurance. If there’s something beneficial (like a partnership where, say, you could click to get a quote for rental insurance or moving services), that’s always at your instigation and we’d clearly indicate data sharing if you proceed.
If we ever offer an integration where you ask us to share your data (e.g., “Connect with my accounting software” which would send rent payment data to QuickBooks), we will do so only with your instruction and clearly let you know what’s being shared.
In summary, we share data primarily to facilitate the services you signed up for, with parties you interact with (landlords/tenants), and with service providers under contract to support those services. Other sharing is limited to legal compliance or with your consent. We strive for transparency about this – if you have specific concerns (“Will X see my info?”) you can ask us anytime.
18. Cross-Border Transfers
18.1. Storage Location: The personal information we collect is primarily stored on servers located in South Africa [or specify if elsewhere]. We understand POPIA’s requirements regarding transferring personal data outside of South Africa. Our aim is to store and process data in South Africa whenever feasible. However, some of our third-party service providers (operators) or backup servers might be located in, or have equipment in, other countries (for example, using a cloud provider whose data center is in Europe or the US, or using an email service that routes through a global network).
18.2. Cross-Border Conditions: POPIA Section 72 permits cross-border transfers of personal information under certain conditions, such as: (a) the recipient country or organization has laws or agreements providing similar data protection as POPIA, (b) we have consent from the data subject, (c) the transfer is necessary for a contract with or in the interest of the data subject, or (d) the transfer is for the benefit of the data subject and it’s impractical to get consent (with some safeguards). We evaluate our transfers under these criteria.
18.3. Our Safeguards: When we transfer personal data out of South Africa, we ensure adequate protection. For instance:
- If using a service provider in the US or EU, we verify that they are subject to robust privacy frameworks (the EU’s GDPR is considered to have strong protections often “substantially similar” to POPIA; for the US, we may rely on standard contractual clauses or a similar mechanism).
- We include contractual data protection clauses (binding the recipient to protect the info per standards similar to POPIA). Many of our providers are globally certified (like ISO27001 for security).
- For example, our cloud host [if applicable] might host in Europe, which has GDPR – meeting the “similar laws” criterion. If not, we ensure contract and consent.
- We will not transfer your special personal information or bulk user data to a foreign third party without ensuring one of POPIA’s allowed bases: often we rely on the necessity for contract (e.g., sending email via an overseas server is necessary to deliver the service to you, implicitly in your interest) or explicit consent if required.
18.4. Examples:
- Our support desk software might be US-based, meaning if you email us, the content (including personal info you share) might be stored on a US server. We mitigate by choosing a provider that complies with privacy shield frameworks or SCCs and is well reputed.
- If a landlord or tenant is overseas and we need to share information with them or their verified agent (like a landlord traveling abroad wants to download a lease), that inherently moves data to where they are – which is fulfilling our contract with them.
- In some cases, we might need to transfer to a foreign regulator or authority (unlikely, but say a foreign investor owner subject to another law). That would typically be with consent or legal requirement.
18.5. User Consent for Transfers: By using our Platform, you understand that your data may be transferred cross-border as described, and you consent to such transfers where required. We only do so to countries or parties with appropriate protections or as allowed by law. If we need your explicit consent for a particular transfer (like sending your info to a landlord in a country without equivalent laws and no other basis covers it), we will inform you and obtain that consent (which you can withdraw).
18.6. Data Localization: If at any point South African law mandates certain data remain in-country (some sectors have that), we will adhere. Currently, POPIA allows transfers given the above conditions. We regularly review our data flows to ensure compliance with any updates in cross-border regulations and will update this policy if our cross-border practices change materially.
In summary, we treat your data with the same level of protection regardless of where it is processed, and we take the necessary steps to ensure any foreign processing is done securely and lawfully.
19. Data Retention and Deletion
19.1. Retention Principle: We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required/allowed by law. This is in line with POPIA’s Purpose Specification and Retention conditions. When we no longer need personal data, we either de-identify it (anonymize) or securely destroy it.
19.2. Retention Periods: The retention time can vary based on the type of information and our legal/operational needs:
- Account Information: Your account data (name, contact, profile, listings) is kept for as long as you have an active account. If you choose to delete your account, we will initiate deletion of personal data associated with it, except as mentioned below for data we may need to keep longer. Inactive accounts (no login for a prolonged period, say 24 months) may be archived or deleted after reaching out to you via your last known email to confirm if you want to keep it.
- Listings and Transaction Records: Rental listings data may be kept in our archives for record-keeping even after the listing is removed, especially if a transaction (lease) occurred, but it will no longer be publicly visible. We keep historical rental transaction records (like leases, payment history) for a reasonable period (at least 5 years) because of potential legal disputes and accounting requirements. This benefits both parties in case of disputes – we can provide history if needed. It also covers obligations like the Rental Housing Act requiring that leases be in writing (so we keep a copy as evidence it was).
- Tenant Application Data: If you as a tenant do not get the property and want your application removed, you can delete or withdraw it, and we will purge it from the landlord’s view. However, we might retain a copy in our system logs/backups for a short period, and certain elements (like the fact you applied to X property on Y date) for audit trail (typically anonymized or minimal). If you want us to completely delete your application data, see Section 20 on rights – we will comply unless a landlord has a legal reason to keep it (which is rare if you didn’t rent). If you do become a tenant, your data is kept as part of the lease record as mentioned.
- Communications: Support emails and chat logs are usually retained for a period (e.g., 2 years) to help with any follow-ups and to train our team. In-platform messages between users we retain as part of the transaction record (at least as long as the lease or until a dispute is resolved plus some buffer). If no lease resulted and time has passed, these can be purged or anonymized on request.
- Financial Records: Payment transaction data and invoices we keep for at least 5 years per tax law and financial regulations. POPIA allows retention if required by law – e.g., SARS expects retention of records for 5 years from tax submission.
- Screening Reports: Credit checks and similar are time-sensitive. We typically don’t store full credit reports longer than necessary – perhaps until the rental decision is made plus a short grace period, unless the landlord downloads and attaches it to a lease file (then it becomes part of record). We might keep a note that a screening was done and the outcome (like “pass” or “recommend with caution”) for audit, but full details can be deleted to reduce risk. In any event, we wouldn’t use an old report for a new decision without running a fresh check.
- Analytics Data: Aggregated analytics may be stored indefinitely (as it has no personal identifiers). Raw logs with personal info (IP addresses etc.) we try to pseudonymize and delete after some months, unless needed for security analysis. For instance, web server logs might be kept 6-12 months then purged or anonymized.
19.3. Deletion Procedures: When data is due for deletion, we follow secure methods:
- We may run periodic purges on our database for data no longer needed.
- Backups are rotated, and eventually old backups (with old data) are destroyed or overwritten. Note that if you request deletion, we will remove your data from the active database immediately (and confirm to you), but backup tapes may hold remnants for a while until they cycle out. We secure those and restrict any restore unless absolutely needed.
- Physical documents (if any) containing personal data are shredded or incinerated once no longer needed.
19.4. Anonymization: In some cases rather than outright deletion, we anonymize data so it can no longer be linked to you. For example, we might keep statistical information like “Number of tenants with credit score > 600” but that doesn’t have names attached. Or if we want to keep how many properties you listed for trends, we could replace your identity with a code that cannot be traced back. Anonymized data is not governed by POPIA as personal info, since it’s irreversibly de-identified. We primarily do this for data analytics or if we want to maintain realistic test data in our system without real personal info.
19.5. Legal Holds: If we are in a legal dispute or under investigation, we may retain relevant information until that is resolved, even if it would otherwise be deleted, to ensure we have evidence (this is allowed under POPIA if retention is for legal purposes). During that time, it will be securely stored and isolated.
19.6. Account Deletion by User: You can request deletion of your account via the Platform settings or by contacting us (details in Contact section). We may ask to verify the request (to avoid someone else deleting your account maliciously). Once confirmed, we will:
- Mark your account as closed.
- Remove or anonymize personal profile information.
- Remove your listings from public view.
- Cease any further processing of your data except for what we retain as per above necessities.
We will also notify any landlords or tenants you were engaged with that your account is closed (if relevant; for example, if you are in the midst of applying, they will see that your profile is no longer accessible).
19.7. A Note on Backups: As mentioned, because of how backups work, it might take a bit of time (up to a few weeks) for deletion to fully propagate through all systems, but we ensure that once you request deletion, your data is no longer accessible in the live system and will not be restored from backup unless needed for some disaster recovery (and even then, we’d re-delete it or keep it inaccessible).
19.8. Confirmation: Upon completing your deletion request, we can (on request) provide a confirmation of deletion, listing what categories of data were removed and what remain (if any, for legal reasons).
Our goal is to not keep personal data longer than we absolutely have to. If you have questions about our retention for specific data, please contact us. We can also accommodate special requests like “please delete my document uploads now that verification is done” – as long as it doesn’t conflict with legal requirements, we’ll do so.
20. Your Rights as a Data Subject
POPIA and related regulations give data subjects (you) certain rights regarding your personal information. We are committed to honoring these rights. Below we outline those rights and how you can exercise them, as relevant to the data we hold:
20.1. Right of Access: You have the right to request a copy of the personal information we hold about you. This is sometimes called a Subject Access Request or PAIA request (Promotion of Access to Information Act, which interfaces with POPIA). Upon your request and verification of identity, we will provide:
- Confirmation of whether we hold personal information about you.
- A copy or description of the record of that personal information, including categories of data, and who it has been shared with (if applicable).
- Details about the source if not directly from you (if available).
We will do so within a reasonable time (as required by law, typically within 30 days). We generally do not charge for this service, but if a request is unfounded or excessive or additional copies are requested, a nominal fee to cover administrative costs may be applied as allowed by law. We will inform you upfront if any cost applies.
How to request: Contact us via the dedicated privacy email (or webform if available) – see Section 14.10. Please specify what information you seek. For example, “I’d like all info associated with my account” or something more specific like “the credit check result you obtained on [date]” or “chat logs with user X”. More specific requests help us respond faster.
20.2. Right to Correct/Rectify: If you believe any personal information we hold is inaccurate, irrelevant, out of date, or incomplete, you have the right to ask us to correct it. On your account, much of your data (profile info, listings) you can edit yourself when logged in. For things you cannot change (like if you want to update a document or change an application after submission), you can request correction via support.
We may need to verify the correct information (for example, if you say our record of your ID number is wrong, we might ask for confirmation). Once corrected, if applicable, we’ll notify any third parties who received the incorrect data (if required by law and feasible) so they can update it too.
20.3. Right to Deletion (“Right to be Forgotten”): As detailed in Retention (Section 19) you may request that we delete personal information we hold about you in certain circumstances: e.g., if it’s no longer necessary for the purpose collected, or if you withdraw consent (where consent was basis), or if you object to processing and we have no overriding grounds to continue, or if we processed unlawfully.
We will evaluate such requests and, if appropriate, execute deletion (with the noted exceptions like data we must keep by law or that is needed to establish/defend a legal claim). If we cannot delete something for a valid reason, we will explain that to you (e.g., “We cannot delete your transaction records from last year due to tax retention laws, but we can assure you they are stored securely and only used for that purpose.”). Also note, as in Section 19, deletion of your data from our active systems will be done promptly, but complete expungement from backups follows shortly after.
20.4. Right to Object to Processing: You have the right, in certain situations, to object to our processing of your personal information. For example:
- You may object to processing for direct marketing at any time, and we will stop using your data for that purpose immediately (no justification needed).
- If we are processing based on legitimate interests, you can object if you feel it impacts your rights and we will re-evaluate. If your rights outweigh our interests, we will cease that processing. E.g., if you object to us using your data for analytics because you believe it’s profiling you in a way that affects you, we will either exclude your data from such analysis or explain why our interest overrides (which rarely would be the case for analytics – we’d likely just exclude to be safe).
- If processing is for research or statistical purposes, you can also object on compelling grounds.
- If we ever process for public interest or official authority (not typical for us), you could object.
To object, contact us with your specific objection. For example, “I object to my data being used for automated tenant recommendations” – we can then possibly exclude you or offer an opt-out toggle if available. For marketing, just use the unsubscribe link or tell us “stop sending me newsletters”.
Note: There are some processing activities you generally cannot object to if they are compulsory – like we cannot stop processing your data that is required to actually fulfill your contract (other than by you terminating service entirely), or processing required by law.
20.5. Right to Withdraw Consent: Where we rely on consent for processing, you can withdraw that consent at any time. For instance, if you consented to a credit check, you can withdraw before it’s executed (after it’s done, the result might already be delivered but we won’t do further checks). If you consented to marketing, withdrawing means no more marketing. Withdrawing consent won’t affect processing already done while consent was in effect, and it might mean we can’t provide certain services (we will inform you if so). There’s no penalty for withdrawing consent for optional processing. Some consents (like for a credit check) are one-time; others (like marketing) are ongoing until withdrawn.
20.6. Right re: Automated Decisions: Under POPIA Section 71, you have the right not to be subject to a decision resulting in legal or significant effect that is based solely on automated processing of personal info, unless certain exceptions apply. In our context, we do not make final decisions solely by algorithms – any rental approval is made by a human landlord. If we ever introduce a fully automated decision (e.g., an instant lease approval without human involvement), we will ensure it either falls under an exception (like your request to execute a contract, and with measures to protect you) or we will get your consent. Regardless, you have the right to query and request human intervention in any automated assessment we provide. For example, if our system “scores” you in a way you feel is unfair, you can contact us and we will have a human review the factors or at least explain the logic to you and allow you to contest any inaccuracies. We also generally provide the landlord with info but not a yes/no decision; they decide. If you believe a landlord relied solely on our algorithm, that’s more on their practice, but we will assist in making sure our tools are transparent. Essentially: any automated profiling we do (credit scoring, etc.) – you can ask for details about how that works and we’ll provide info on the logic in general terms (e.g., “the credit score is calculated based on your payment history, debt-to-income ratio, etc., sourced from the credit bureau’s algorithm”). If you feel the result is wrong, you can give us information to adjust (like “that record is incorrect, I paid that debt” – then we’d help you correct via the bureau).
20.7. Right to Data Portability: POPIA doesn’t explicitly name data portability like the EU’s GDPR does, but as good practice, if you want a copy of your data in a structured, commonly used format, we will accommodate that where feasible. For example, if you want a CSV of all your listings or all your communications, we can prepare that (provided it doesn’t affect others’ privacy). Or if you move to another rental platform and want your basic profile or listing info, we can assist in exporting it. This might be subject to technical ability.
20.8. Right to Complain: If you have concerns about how we handle your personal info, you have the right to lodge a complaint with the Information Regulator of South Africa. We encourage you to contact us first to resolve any issue, but it’s your right to go directly to the Regulator. Contact details (at time of writing):
- Website: www.justice.gov.za/inforeg/
- Email: complaints.IR@justice.gov.za (for POPIA complaints).
We will cooperate fully with the Regulator.
20.9. Right to Object to Direct Marketing: Worth reiterating: any time you get marketing from us that you don’t want, you can object or opt out and we’ll stop. This includes profiling related to direct marketing (e.g., if we were tailoring offers to you, opting out of marketing covers that too).
20.10. Right to Institute Civil Proceedings: POPIA allows you to sue if you’ve suffered damage due to our interference with your personal info in violation of the Act. We strive to never let that happen, but acknowledging your right – you could seek judicial recourse.
Exercising Your Rights: To exercise any of these rights, please contact us at the contact info in Section 14.10 (or use any provided account mechanisms). We may need to verify your identity (to ensure, say, it’s really you asking for your data, not someone else). Verification might be through security questions or requiring a signed request or ID copy (we’ll handle any such ID copy securely and only to verify). We will respond in the timeframe required by law (usually 30 days) and will always try to be sooner. If we need an extension (up to another 30 days) due to complexity, we’ll inform you within the first 30 days.
We will do our best to fulfil your requests except where an exemption applies (e.g., if fulfilling it would violate others’ privacy or a legal requirement). If we refuse (rare), we’ll provide you the reason and reference to the legal basis for refusal (for example, PAIA might have exemptions for certain records).
Your rights are important to us – our goal is to be transparent and fair, so please do not hesitate to use these rights. We see it as part of an open, trust-based relationship.
21. Data Security Measures
We take the security of personal information very seriously. In accordance with Section 19 of POPIA and good industry practices, we have implemented appropriate technical and organizational measures to prevent loss, damage, unauthorized destruction, and unauthorized access to personal information.
Here’s an overview of our security measures:
21.1. Technical Safeguards:
- Encryption: The Platform uses encryption protocols (TLS/SSL) for all data transmissions between your browser/app and our servers, which means personal data is encrypted in transit. Sensitive data (like passwords and credit card details) are stored in encrypted or hashed form. Passwords are hashed with a strong algorithm (e.g., bcrypt or SHA-256 with salt), so even we cannot read them – only you know your password.
- Access Control: Our databases and systems are protected by access control mechanisms. Only authorized personnel who need to access data for their job (e.g., a support agent helping with an issue) can do so, and even then, they have limited access depending on their role. We follow the principle of least privilege and staff access to personal info is logged and monitored.
- Firewalls and Network Security: We employ firewalls, intrusion detection systems, and regular network monitoring to guard against external attacks. Our servers sit in a secure network segment, with stringent rules on what traffic is allowed.
- Anti-Malware: We run security software to detect and block malware or unauthorized code injection. Our development team also uses secure coding practices to minimize vulnerabilities like SQL injection or XSS. We regularly update our software and dependencies to patch security issues.
- Backup and Recovery: We maintain regular backups of critical data (with encryption for backups as well). This protects against data loss, and backups are stored securely. We have a disaster recovery plan to restore availability of data in case of a major incident.
- Audit Logs: We keep logs of key activities (logins, changes, etc.) and our system alerts us to suspicious behavior (e.g., multiple failed login attempts, unusual data export). This helps detect and respond to possible breaches or misuse.
21.2. Organizational Measures:
- Information Officer: We have appointed an Information Officer (and deputies if needed) as required by POPIA, who is responsible for encouraging and ensuring compliance with the Act within our organization. They also handle requests and breaches.
- Policies and Training: We maintain internal privacy and security policies that all employees and contractors must follow. We train our staff on data protection principles, confidentiality, and how to handle personal data. Those who have deeper access (e.g., developers, support) get specialized training on secure data handling and spotting social engineering attempts.
- Confidentiality Agreements: Every employee, and any contractor or service provider with access to personal data, is bound by a confidentiality agreement or clause. They understand the legal consequences (including disciplinary action or termination) if they misuse user data.
- Vendor Management: We carefully select third-party service providers and ensure they also employ strong security (as described in Section 17). We often review their security documentation. For critical providers, we have data processing agreements in place that specify security requirements and breach notification duties.
- Regular Assessments: We periodically assess our security controls via audits or testing. This might include vulnerability scanning, penetration testing by third parties, and risk assessments to identify any new threats. We adjust measures as needed (the threat landscape evolves, as do our services).
21.3. Storage Security:
- Personal data is mainly stored in databases with strict access controls. The physical or cloud servers hosting these are in secure facilities with 24/7 monitoring, biometric access controls, etc. For cloud, we rely on providers with high security standards.
- Where data is in physical form (e.g., if we print something for offline processing, which is rare), it’s kept in locked cabinets with controlled access and shredded when no longer needed.
21.4. Payment Data:
- We do not store full payment card details on our systems. Our payment processing is outsourced to PCI-compliant providers. Any stored reference (token) cannot be used outside that context.
- If we store bank account details for payouts or debit orders, those are in encrypted form in our database. Access to decrypt such info is very restricted (only perhaps our finance officer or system under certain processes).
21.5. Monitoring and Incident Response:
- In line with POPIA’s requirements, we have procedures in place to detect, report, and investigate data breaches. If a security compromise occurs that affects personal information, we will notify the Information Regulator and the affected data subjects in line with Section 22 of POPIA. The notification will include what happened and what we are doing about it, per law. We have an incident response plan that assigns roles, outlines steps (containment, assessment, remediation, communication), and includes communication templates to ensure timely and clear notifications.
- We log access and changes to detect anomalies. If suspicious activity is detected (like large data export or unusual admin access), our team investigates immediately.
21.6. No Guarantee: While we implement robust security, it’s important to note no system can be 100% secure. Cyber threats evolve, and unforeseen breaches can happen. However, we commit to using all reasonable and appropriate measures to protect your data. We also urge you to help: use a strong password and do not share it, enable 2FA if we offer it, and alert us if you notice any suspicious activity on your account.
21.7. Data Minimization: Security is also about not collecting unnecessary data in the first place. As detailed in other sections, we avoid collecting more personal info than needed, which in effect reduces the risk surface (less sensitive data stored means lower impact even if a breach happens).
21.8. Verification: If you need more technical details about our security (within reason), we can provide our latest security whitepaper or answer specific concerns. We might not publicly detail every security measure (for security’s sake), but trust that we align with industry standards and legal requirements.
By using our Platform, you acknowledge these measures are in place and accept that while risk can be mitigated, it cannot be entirely eliminated. We appreciate your trust and continuously work to maintain it by safeguarding your information.
22. Updates to this Privacy Policy
We may update or revise this Privacy Policy from time to time, to reflect changes in our services, legal requirements, or data processing practices. When we do so:
- Version Changes: We will change the “Last Updated” date at the top to indicate the revision date. For significant changes, we may also provide a summary of what’s different (either in this document’s history or in a notice).
- Notifications: If any changes are material (for example, if we start collecting new types of data or using data in a new way that you wouldn’t expect under the current policy), we will take additional steps to inform you. This could be via an email to your registered address, an in-app notification, or a pop-up on our website. We will do this prior to the change taking effect, whenever feasible, to give you time to review.
- Consent for New Uses: If the change involves a new purpose requiring consent, we will obtain your consent. For instance, if we decide to share data with a new partner for a new service, we’d ask you first.
- Legal Compliance: We won’t contravene any legal obligations in making policy changes. If the law changes (like a new regulation affecting your rights), we’ll update our policy accordingly.
We encourage you to periodically review this Privacy Policy to stay informed about how we protect your personal information. Continuing to use GetSmartLease after a policy update will signify acceptance of the revised terms (to the extent permitted by law). If you do not agree with the changes, you should let us know and consider discontinuing use of the Platform where applicable.
For any substantial changes, we may also archive previous versions of this Privacy Policy and make them available for reference (so you can see how things evolved).
23. Notices and Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. We are here to help and address your privacy-related matters.
Contact Details:
- Email: privacy@getsmartlease.co.za (dedicated to privacy inquiries)
- Phone: +27 60 585 1784 (ask for the Information Officer or Privacy Team)
- Postal Address: Privacy Officer – Sunrise Technosystems (Pty) Ltd, C101 Rosewalk Gardens, Rosewalk Street, Parkmore, Sandton, 2196, South Africa.
Information Officer: [Name of Info Officer], who is our designated Information Officer as per POPIA. You can address correspondence to their attention. If you have lodged a request or complaint, they or their delegate will respond.
Lodging Complaints: As mentioned in Section 20, you have the right to complain to the Information Regulator:
- Website: https://www.justice.gov.za/inforeg/
- Email: inforeg@justice.gov.za or complaints.IR@justice.gov.za
- Phone: +27 10 023 5200.
- Physical: JD House, 27 Stiemens Street, Braamfontein, Johannesburg.
We would appreciate the chance to address your concerns first. Most issues can be resolved through our support or privacy team within a short time. Your trust is vital, so we aim to be responsive: we typically acknowledge queries within 2 business days and resolve most issues within 14 days or shorter.
Language: This policy is provided in English. If we provide translations, the English version will prevail in case of conflict (but we will try to ensure consistency). Under South African law, documents should be in plain language – we have tried to write this clearly, but if you have any confusion or need assistance understanding any part of it, let us know and we will explain.
Thank you for taking the time to read our Privacy Policy. By using GetSmartLease, you entrust us with your personal information – we honor that trust by handling it with care and transparency.
If you have further questions or suggestions about privacy or data protection on our Platform, we welcome your feedback.
End of Privacy Policy