Privacy Policy & POPIA Compliance Notice

This Privacy Policy complies with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and the General Data Protection Regulation (“GDPR”) where applicable.

1. Responsible Party

Square 15 Facility Solutions (Pty) Ltd (“Square 15”, “we”, “us”)

Email: privacy@square15.co.za

Website: www.square15.co.za

Information Officer: The Managing Director

2. Information We Collect

2.1 Personal Information Provided by You:

• Full name, surname, and identity number (Artisans only)
• Email address and phone number
• Physical address and GPS location (during service delivery)
• Profile photograph
• Payment information (card details are tokenised — we do not store raw card numbers)
• Qualifications and trade certificates (Artisans)
• Vehicle registration (Artisans, if applicable)

2.2 Information Collected Automatically:

• Device information (model, OS version, unique device identifiers)
• App usage data (screens visited, features used, session duration)
• IP address and approximate location
• Push notification tokens
• Crash reports and performance metrics

2.3 Information from Third Parties:

• Payment verification data from Ozow, PayFast/PayGate
• Identity verification results
• WhatsApp profile name and phone number (when using WA booking)
• Voice recordings and transcriptions (when using Lizzy voice assistant)

3. Purpose of Processing

We process your personal information for the following lawful purposes under POPIA Section 11:

3.1 Contract Performance (Section 11(1)(b)):

• Creating and managing your account
• Processing bookings and connecting you with Artisans
• Processing payments, refunds, and payouts
• Communicating booking status and updates (in-app, WhatsApp, SMS, email)

3.2 Legitimate Interest (Section 11(1)(f)):

• Improving Platform functionality and user experience
• Fraud prevention and security monitoring
• Analytics and service optimisation
• AI-powered features (quality verification, diagnostic tools, voice assistant)

3.3 Legal Obligation (Section 11(1)(c)):

• Tax compliance and financial record-keeping
• Responding to lawful requests from authorities
• Consumer Protection Act compliance

3.4 Consent (Section 11(1)(a)):

• Marketing communications (opt-in only)
• Sharing your information with BNPL providers
• Processing biometric data (voice recognition)

4. How We Use Your Data

4.1 Booking and Service Delivery: Your name, phone, and address are shared with the assigned Artisan for the duration of the booking. After completion, the Artisan no longer has access to your address.

4.2 WhatsApp Communications: When you book via WhatsApp, your phone number and messages are processed by our AI assistant (Lizzy). Conversations are stored securely for service quality and dispute resolution.

4.3 Voice Assistant: Lizzy (voice) uses real-time speech-to-text processing. Voice data is processed via LiveKit and OpenAI. We do not permanently store raw audio recordings. Transcripts may be retained for 90 days for quality assurance.

4.4 AI Photo Analysis: Before/after work photos may be analysed by AI for quality verification. Images are stored in Firebase Cloud Storage with encryption at rest.

4.5 Payment Processing: Payment card details are handled by PCI-DSS-compliant third parties (Ozow, PayGate). We store only tokenised references, never raw card numbers. Wallet transactions are logged in our secure database.

5. Data Sharing

5.1 We share personal information only with:

• Assigned Artisans (name, phone, address — for active bookings only)
• Payment processors (Ozow, PayGate, PayJustNow, MoreTyme, Happy Pay, Mobicred)
• Cloud infrastructure providers (Google Firebase, Render)
• AI service providers (OpenAI — for voice/chat/image analysis)
• Law enforcement (only when legally compelled)

5.2 We do NOT sell your personal information to third parties.

5.3 We do NOT share your data for unrelated marketing purposes.

6. Data Retention

• Active accounts: Data retained for the duration of your account plus 5 years.
• Deleted accounts: Personal information anonymised within 30 days; financial records retained for 5 years per tax law (Tax Administration Act 28 of 2011).
• Chat support messages: Retained for 2 years.
• Voice transcripts: 90 days.
• Before/after photos: 1 year after booking closure.
• Payment records: 5 years per legal requirements.

7. Data Security

7.1 All data transmitted is encrypted using TLS 1.2+.

7.2 Data at rest is encrypted using AES-256 via Google Firebase.

7.3 Access to production systems requires multi-factor authentication.

7.4 Regular security audits and penetration testing are conducted.

7.5 Staff access to personal data is restricted on a need-to-know basis.

7.6 We maintain incident response procedures and will notify affected data subjects within 72 hours of a confirmed breach, as required by POPIA Section 22.

8. Your Rights Under POPIA

As a data subject, you have the right to:

• Access (Section 23): Request a copy of the personal information we hold about you.
• Correction (Section 24): Request correction of inaccurate or incomplete data.
• Deletion (Section 24): Request deletion of your data where there is no legal obligation to retain it.
• Objection (Section 11(3)): Object to the processing of your data for direct marketing.
• Restrict Processing: Request that we limit how we use your data.
• Data Portability: Request your data in a structured, machine-readable format.
• Withdraw Consent: Withdraw consent at any time for processing based on consent.
• Complain: Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, email privacy@square15.co.za or use Profile → Settings → Delete Account.

9. Children’s Privacy

9.1 Our Platform is not intended for persons under 18 years of age.

9.2 We do not knowingly collect personal information from children.

9.3 If we become aware that a child’s data has been collected, we will delete it promptly.

10. Cookies and Tracking (Website)

10.1 Our website uses essential cookies for functionality.

10.2 Analytics cookies (Google Analytics) are used with anonymised IP addresses.

10.3 You can manage cookie preferences through your browser settings.

11. Cross-Border Data Transfers

11.1 Your data may be processed in countries where our cloud providers operate (e.g., Google Cloud regions, OpenAI servers in the United States).

11.2 We ensure adequate protection through contractual safeguards and compliance with POPIA Section 72.

12. Changes to This Policy

12.1 We may update this Policy from time to time. Material changes will be communicated via in-app notification.

12.2 The “Last Updated” date at the top reflects the most recent revision.

13. Information Regulator Contact

Information Regulator of South Africa

Email: inforeg@justice.gov.za

Website: https://inforegulator.org.za

Tel: 012 406 4818

14. Contact Us

Square 15 Facility Solutions (Pty) Ltd

Privacy Enquiries: privacy@square15.co.za

General Support: support@square15.co.za

Website: www.square15.co.za