1) Who We Are
This Privacy Policy explains how Propworths.com Head Office ("Propworths.com", "we", "us") collects, uses, shares, and protects personal data when you use the Platform.
2) Data We Collect
- Account data (name, email, phone, password hash, preferences)
- Verification data (identity and address documents, where required)
- Transaction data (bids, accepted bids, fees/commission events, invoices)
- Technical data (IP address, device/browser identifiers, logs, cookies)
- Communications (support messages, dispute communications)
3) Why We Use Data (Purposes)
- Provide and secure the Platform and auctions
- Verify identity and prevent fraud/manipulation
- Process payments and enforce fees/commission
- Comply with legal obligations (AML/KYC where applicable)
- Improve platform performance and user experience
4) Sharing & International Transfers
We share the minimum personal data necessary with a small set of named service providers to operate the platform. Each is bound by a Data Processing Agreement covering the categories below. Cross-border transfers are made under appropriate safeguards as required by applicable law (Standard Contractual Clauses where applicable).
Sub-processors
| Processor | Purpose | Data shared |
|---|---|---|
| Brevo (Sendinblue) | Transactional email — signup confirmation, password reset, payment receipts, security alerts | Name, email |
| Twilio | OTP and payment-confirmation SMS / WhatsApp | Name, phone number |
| Peach Payments | Card, Apple Pay and EFT payment processing (PCI-DSS scope is theirs, not ours) | Name, email, billing address, payment instrument (tokenised; we never see card numbers) |
| Google Maps Platform | Address autocomplete and map embeds on listings | Listing addresses (no buyer-side PII) |
| Google Analytics 4 | Aggregate site-usage statistics — only loaded after you accept analytics cookies | Pseudonymous device identifiers and page-view events; no email or phone |
5) Retention
The following windows are enforced automatically by a nightly cleanup job on our server. The same code that enforces them is published in the repository for transparency.
| Data | Retention | Why |
|---|---|---|
| Account profile | While your account is active + 30 days after you delete it | Dispute window after deletion |
| Login / authentication audit log | 90 days | Brute-force investigation, anomaly review |
| New-device / new-network sign-in alerts | 90 days | Account-takeover forensics |
| Form rate-limit + bot-protection events | 90 days | Spam-pattern detection |
| Admin-dashboard access log | 365 days | Internal accountability |
| Payment-webhook events (Peach) | 365 days | Payment dispute window |
| Invoices and signed listing agreements | 5 years | SARS Tax Administration Act, contract-law statute of limitations |
| Marketing / cookie-consent preference | 12 months from last action | Industry standard for refreshed consent |
When a retention window expires, the relevant rows are removed and any remaining audit log references are replaced with a one-way hash so totals stay accurate but you are no longer identifiable.
6) Your Rights
If you have a Propworths account you can exercise these rights yourself, online, without waiting for us. If you do not have an account, email privacy@propworths.com and we will respond within 30 days (POPIA s.23 / GDPR Art. 12(3)).
- Right of access (GDPR Art. 15 / POPIA s.23). Sign in and visit
/data-export.php. You get an immediate JSON download of every record we hold about you, plus a list of the sub-processors that data has been shared with. - Right to rectification (GDPR Art. 16 / POPIA s.24). Edit your name, agency, email and phone from your account settings, or email us.
- Right to erasure / be forgotten (GDPR Art. 17 / POPIA s.24). Sign in and use
/delete-account.php. We confirm with your current password, then wipe your profile, login history and pre-launch signup. Invoices and signed contracts are retained per Section 5 with your name removed. - Right to restrict or object (GDPR Art. 18 + 21). Email us and we will pause processing while we review.
- Right to data portability (GDPR Art. 20). The
/data-export.phpfile is machine-readable JSON — load it into any system that accepts the format. - Right to lodge a complaint. South Africa: the Information Regulator at inforegulator.org.za. EU/UK: your local data-protection authority.
7) Cookies
We use cookies and similar technologies for security, session management, analytics, and preferences. A cookie banner may be used where required.
8) Contact
Privacy: privacy@propworths.com | Head Office: [Entity + Address]