SafeFire ("we", "us", "our") is committed to protecting the personal information of all persons who interact with our platform. This Privacy Policy explains how we collect, use, store, share, and protect personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and any applicable regulations promulgated thereunder.
By registering on or using the SafeFire platform, you acknowledge that you have read this Privacy Policy and consent to the processing of your personal information as described herein.
POPIA applies. SafeFire processes personal information of South African data subjects and is subject to the jurisdiction of the Information Regulator (South Africa). Our Information Officer contact details are set out in section 14 of this policy.
In this Privacy Policy, the following definitions apply unless the context otherwise requires:
We collect personal information in the following categories depending on how you use our platform:
When an Applicator registers on SafeFire, we collect:
During registration, Applicators upload the following documents for verification purposes:
When an Applicator logs a job and generates a Certificate of Compliance, we collect:
SafeFire uses Yoco as its payment processing partner. When you make a payment on the platform, your card details are collected and processed directly by Yoco and are not stored on SafeFire's servers. We retain only transaction reference numbers, amounts, and status records for accounting and audit purposes.
We collect technical data relating to your use of the platform, including your IP address, browser type, device type, login timestamps, pages accessed, and actions taken within your account. This data is used to maintain platform security and improve our service.
If you contact us via email or through our support channels, we retain records of that correspondence including your name, email address, and the content of your communications.
We process personal information only for specific, explicitly defined, and lawful purposes. The table below sets out the primary purposes for which we process each category of information:
| Information Category | Purpose | Lawful Basis (POPIA) |
|---|---|---|
| Registration details | Create and manage Applicator accounts; verify identity and business legitimacy; populate public Directory listings | Contract performance; consent |
| Identity number (sole traders) | Verify natural person identity in the absence of a CIPC number | Legitimate interest; consent |
| Supporting documents | Manual verification of registration credentials by SafeFire administrators | Contract performance; legal obligation |
| Job and certificate data | Generate, store, and provide public verification of Certificates of Compliance; maintain audit trail of treatment work | Contract performance; legal obligation (National Building Regulations) |
| Payment records | Billing, accounting, tax compliance, fraud prevention | Contract performance; legal obligation |
| Account and usage data | Platform security, fraud detection, service improvement, technical support | Legitimate interest |
| Communication data | Respond to queries; maintain support records | Legitimate interest; consent |
We do not process personal information for purposes incompatible with those stated above without obtaining fresh consent from the data subject.
SafeFire's core function is to provide publicly verifiable Certificates of Compliance. When a certificate is generated, the following limited information is made publicly accessible via the certificate verification page at safire.co.za/verify:
By logging a job and generating a certificate on SafeFire, Applicators expressly acknowledge and consent to the above information being publicly accessible for verification purposes. This is a core platform function and is necessary for the certificate to have any legal or practical utility.
Personal contact information of property owners, individual identity numbers, detailed chemical formulations, and uploaded documents are never made publicly accessible.
SafeFire maintains a public directory of approved Applicators to assist property owners in finding verified service providers. Directory listings are only activated after an Applicator's account has been approved by SafeFire administrators.
The following information may appear in a public directory listing:
Applicators may request removal from the public directory at any time by contacting us at privacy@safefire.co.za. Removal from the directory does not affect your account status or certificate history.
We do not sell personal information to third parties. We share personal information only in the following limited circumstances:
We use the following third-party service providers who process personal information on our behalf as "operators" under POPIA. Each provider is contractually bound to process personal information only for the purposes we specify and to maintain appropriate security measures:
We may disclose personal information if required to do so by law, court order, or regulation, including requests from the Information Regulator, SARS, or any competent authority. We will, where legally permissible, notify the relevant data subject of such a disclosure.
In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information held by SafeFire may be transferred to the acquiring entity, provided that entity agrees to be bound by terms no less protective than this Privacy Policy.
We do not share personal information with any other third parties for marketing, analytics, or any other purposes without your explicit consent.
Personal information processed on the SafeFire platform is stored on Supabase infrastructure located in Germany (AWS eu-west-1). This constitutes a cross-border transfer of personal information under section 72 of POPIA.
We are satisfied that this transfer is lawful on the following grounds:
We retain personal information only for as long as is necessary for the purpose for which it was collected, or as required by law. The following retention periods apply:
| Information Category | Retention Period | Basis |
|---|---|---|
| Applicator account records | Duration of account + 5 years after closure | Tax and legal compliance |
| Certificates of Compliance | Indefinite (certificates are permanent records) | National Building Regulations; verification utility |
| Uploaded registration documents | Duration of account + 3 years after closure | Audit and dispute resolution |
| Payment records | 5 years from transaction date | Income Tax Act 58 of 1962; VAT Act 89 of 1991 |
| Account and usage logs | 12 months rolling | Security and fraud prevention |
| Support communications | 3 years from last correspondence | Dispute resolution; legitimate interest |
Where personal information is no longer required, we will securely delete or anonymise it in accordance with our internal data destruction policy.
We implement reasonable and appropriate technical and organisational measures to protect personal information against unauthorised access, loss, destruction, alteration, or disclosure. These measures include:
Notwithstanding the above, no method of electronic transmission or storage is completely secure. In the event of a security compromise that is likely to prejudice the rights of data subjects, we will notify the Information Regulator and affected data subjects in accordance with section 22 of POPIA within 72 hours of becoming aware of the breach.
Under POPIA, data subjects have the following rights in respect of their personal information:
You have the right to request a description of the personal information we hold about you and to obtain a copy of that information. Requests must be submitted in writing to our Information Officer (see section 14). We will respond within 30 days.
You have the right to request correction of inaccurate, incomplete, or outdated personal information. Where possible, you may update your details directly within your account dashboard. For information that cannot be self-corrected, submit a request to our Information Officer.
You have the right to request deletion of personal information that we no longer have a lawful reason to retain. Please note that certain information — such as Certificates of Compliance and associated job records — is retained indefinitely as a matter of public record and cannot be deleted even upon request.
You have the right to object to the processing of your personal information on grounds of legitimate interest. Where we process personal information on the basis of your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal.
If you believe that we have infringed your rights under POPIA, you may lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Website: www.justice.gov.za/inforeg
We encourage you to contact us directly before lodging a complaint so that we may attempt to resolve the matter.
SafeFire uses a limited set of technically necessary mechanisms to enable core platform functionality:
SafeFire is a business-to-business compliance platform intended solely for use by registered businesses and adult sole traders. We do not knowingly collect personal information from persons under the age of 18. If you believe a minor has provided personal information to us, please contact our Information Officer immediately and we will take steps to delete that information.
SafeFire has designated an Information Officer as required by section 55 of POPIA. All requests relating to access, correction, deletion, or objection to processing, as well as any privacy-related complaints or enquiries, should be directed to:
Information Officer — SafeFire
Onellys CC t/a SafeFire (Reg. No. 2008/048842/23)
Email: privacy@safefire.co.za
PO Box 25477, Oos-Rand, Gauteng, 1462
We will acknowledge your request within 5 business days and respond fully within 30 days. Where the volume or complexity of a request requires additional time, we will notify you of the extended timeline.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform functionality. Where changes are material, we will notify registered Applicators by email at least 14 days before the changes take effect. The current effective date is displayed at the top of this document.
Continued use of the SafeFire platform after the effective date of any updated Privacy Policy constitutes acceptance of the revised terms.
This Privacy Policy is governed by the laws of the Republic of South Africa, including POPIA and the Electronic Communications and Transactions Act 25 of 2002. Any disputes arising from this Privacy Policy shall be subject to the jurisdiction of the South Gauteng High Court, Johannesburg.