1. Introduction

SafeFire ("we", "us", "our") is committed to protecting the personal information of all persons who interact with our platform. This Privacy Policy explains how we collect, use, store, share, and protect personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and any applicable regulations promulgated thereunder.

By registering on or using the SafeFire platform, you acknowledge that you have read this Privacy Policy and consent to the processing of your personal information as described herein.

POPIA applies. SafeFire processes personal information of South African data subjects and is subject to the jurisdiction of the Information Regulator (South Africa). Our Information Officer contact details are set out in section 14 of this policy.

2. Definitions

In this Privacy Policy, the following definitions apply unless the context otherwise requires:

3. Information We Collect

We collect personal information in the following categories depending on how you use our platform:

3.1 Applicator Registration Information

When an Applicator registers on SafeFire, we collect:

3.2 Supporting Documents

During registration, Applicators upload the following documents for verification purposes:

3.3 Job and Certificate Data

When an Applicator logs a job and generates a Certificate of Compliance, we collect:

3.4 Payment Information

SafeFire uses Yoco as its payment processing partner. When you make a payment on the platform, your card details are collected and processed directly by Yoco and are not stored on SafeFire's servers. We retain only transaction reference numbers, amounts, and status records for accounting and audit purposes.

3.5 Account and Usage Data

We collect technical data relating to your use of the platform, including your IP address, browser type, device type, login timestamps, pages accessed, and actions taken within your account. This data is used to maintain platform security and improve our service.

3.6 Communication Data

If you contact us via email or through our support channels, we retain records of that correspondence including your name, email address, and the content of your communications.

4. Purpose of Processing

We process personal information only for specific, explicitly defined, and lawful purposes. The table below sets out the primary purposes for which we process each category of information:

Information Category Purpose Lawful Basis (POPIA)
Registration details Create and manage Applicator accounts; verify identity and business legitimacy; populate public Directory listings Contract performance; consent
Identity number (sole traders) Verify natural person identity in the absence of a CIPC number Legitimate interest; consent
Supporting documents Manual verification of registration credentials by SafeFire administrators Contract performance; legal obligation
Job and certificate data Generate, store, and provide public verification of Certificates of Compliance; maintain audit trail of treatment work Contract performance; legal obligation (National Building Regulations)
Payment records Billing, accounting, tax compliance, fraud prevention Contract performance; legal obligation
Account and usage data Platform security, fraud detection, service improvement, technical support Legitimate interest
Communication data Respond to queries; maintain support records Legitimate interest; consent

We do not process personal information for purposes incompatible with those stated above without obtaining fresh consent from the data subject.

5. Public Certificate Verification

SafeFire's core function is to provide publicly verifiable Certificates of Compliance. When a certificate is generated, the following limited information is made publicly accessible via the certificate verification page at safire.co.za/verify:

By logging a job and generating a certificate on SafeFire, Applicators expressly acknowledge and consent to the above information being publicly accessible for verification purposes. This is a core platform function and is necessary for the certificate to have any legal or practical utility.

Personal contact information of property owners, individual identity numbers, detailed chemical formulations, and uploaded documents are never made publicly accessible.

6. Applicator Directory

SafeFire maintains a public directory of approved Applicators to assist property owners in finding verified service providers. Directory listings are only activated after an Applicator's account has been approved by SafeFire administrators.

The following information may appear in a public directory listing:

Applicators may request removal from the public directory at any time by contacting us at privacy@safefire.co.za. Removal from the directory does not affect your account status or certificate history.

7. Sharing of Personal Information

We do not sell personal information to third parties. We share personal information only in the following limited circumstances:

7.1 Service Providers (Operators)

We use the following third-party service providers who process personal information on our behalf as "operators" under POPIA. Each provider is contractually bound to process personal information only for the purposes we specify and to maintain appropriate security measures:

7.2 Legal and Regulatory Disclosure

We may disclose personal information if required to do so by law, court order, or regulation, including requests from the Information Regulator, SARS, or any competent authority. We will, where legally permissible, notify the relevant data subject of such a disclosure.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information held by SafeFire may be transferred to the acquiring entity, provided that entity agrees to be bound by terms no less protective than this Privacy Policy.

7.4 No Other Sharing

We do not share personal information with any other third parties for marketing, analytics, or any other purposes without your explicit consent.

8. Cross-Border Transfers

Personal information processed on the SafeFire platform is stored on Supabase infrastructure located in Germany (AWS eu-west-1). This constitutes a cross-border transfer of personal information under section 72 of POPIA.

We are satisfied that this transfer is lawful on the following grounds:

9. Retention of Personal Information

We retain personal information only for as long as is necessary for the purpose for which it was collected, or as required by law. The following retention periods apply:

Information Category Retention Period Basis
Applicator account records Duration of account + 5 years after closure Tax and legal compliance
Certificates of Compliance Indefinite (certificates are permanent records) National Building Regulations; verification utility
Uploaded registration documents Duration of account + 3 years after closure Audit and dispute resolution
Payment records 5 years from transaction date Income Tax Act 58 of 1962; VAT Act 89 of 1991
Account and usage logs 12 months rolling Security and fraud prevention
Support communications 3 years from last correspondence Dispute resolution; legitimate interest

Where personal information is no longer required, we will securely delete or anonymise it in accordance with our internal data destruction policy.

10. Security of Personal Information

We implement reasonable and appropriate technical and organisational measures to protect personal information against unauthorised access, loss, destruction, alteration, or disclosure. These measures include:

Notwithstanding the above, no method of electronic transmission or storage is completely secure. In the event of a security compromise that is likely to prejudice the rights of data subjects, we will notify the Information Regulator and affected data subjects in accordance with section 22 of POPIA within 72 hours of becoming aware of the breach.

11. Rights of Data Subjects

Under POPIA, data subjects have the following rights in respect of their personal information:

11.1 Right of Access

You have the right to request a description of the personal information we hold about you and to obtain a copy of that information. Requests must be submitted in writing to our Information Officer (see section 14). We will respond within 30 days.

11.2 Right to Correction

You have the right to request correction of inaccurate, incomplete, or outdated personal information. Where possible, you may update your details directly within your account dashboard. For information that cannot be self-corrected, submit a request to our Information Officer.

11.3 Right to Deletion

You have the right to request deletion of personal information that we no longer have a lawful reason to retain. Please note that certain information — such as Certificates of Compliance and associated job records — is retained indefinitely as a matter of public record and cannot be deleted even upon request.

11.4 Right to Object

You have the right to object to the processing of your personal information on grounds of legitimate interest. Where we process personal information on the basis of your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal.

11.5 Right to Complain

If you believe that we have infringed your rights under POPIA, you may lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Website: www.justice.gov.za/inforeg

We encourage you to contact us directly before lodging a complaint so that we may attempt to resolve the matter.

12. Cookies and Tracking Technologies

SafeFire uses a limited set of technically necessary mechanisms to enable core platform functionality:

13. Children

SafeFire is a business-to-business compliance platform intended solely for use by registered businesses and adult sole traders. We do not knowingly collect personal information from persons under the age of 18. If you believe a minor has provided personal information to us, please contact our Information Officer immediately and we will take steps to delete that information.

14. Information Officer

SafeFire has designated an Information Officer as required by section 55 of POPIA. All requests relating to access, correction, deletion, or objection to processing, as well as any privacy-related complaints or enquiries, should be directed to:

Information Officer — SafeFire
Onellys CC t/a SafeFire (Reg. No. 2008/048842/23)
Email: privacy@safefire.co.za
PO Box 25477, Oos-Rand, Gauteng, 1462

We will acknowledge your request within 5 business days and respond fully within 30 days. Where the volume or complexity of a request requires additional time, we will notify you of the extended timeline.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform functionality. Where changes are material, we will notify registered Applicators by email at least 14 days before the changes take effect. The current effective date is displayed at the top of this document.

Continued use of the SafeFire platform after the effective date of any updated Privacy Policy constitutes acceptance of the revised terms.

16. Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including POPIA and the Electronic Communications and Transactions Act 25 of 2002. Any disputes arising from this Privacy Policy shall be subject to the jurisdiction of the South Gauteng High Court, Johannesburg.