RegalisRegalisProperty Ops
Legal

Privacy Policy

Last updated: 8 May 2026

This policy explains how Regalis Property Group (Pty) Ltd ("Regalis", "we", "us") processes personal information when you or your tenants use the Regalis property-management platform. We aim to comply with the Protection of Personal Information Act, 2013 (POPIA) and to give you a clear, operational view of what we do with data.

1. Who we are

Regalis Property Group (Pty) Ltd is the Responsible Party for personal information you submit to your own Regalis workspace, and the Operator (in POPIA terms, s.21) for personal information your agency uploads about its landlords, tenants and applicants.

Our Information Officer can be contacted at:

2. Information we collect

We collect the following categories of personal information:

  • Identity data — full name, ID or passport number, date of birth.
  • Contact data — email address, mobile and landline numbers, postal and physical addresses.
  • Financial data — bank account details for trust transfers, payslips and bank statements supplied with rental applications, payment history and arrears.
  • Tenancy data — lease terms, deposits held, inspection records, maintenance tickets, communications and notices.
  • Location data — property addresses, unit identifiers and inspection geotags where supplied.
  • Signing-event metadata— when a tenant electronically signs a lease, renewal or notice through the platform we record the typed legal name, the timestamp, the IP address and browser user-agent, and (only with the signer's explicit consent at the moment of signing) device geolocation. This metadata is retained for the lifetime of the lease plus the legal retention period, and is the evidentiary record we rely on under section 13 of the Electronic Communications and Transactions Act 25 of 2002.
  • Communications data — emails, SMS, in-app messages and call notes between your agency and tenants or landlords through the platform.
  • Screening data — credit-bureau reports, affordability assessments and reference checks that you choose to run via our integrated screening providers.
  • Technical data — IP address, browser metadata, login timestamps and audit logs needed to secure your account.

3. Why we collect it (lawful bases)

POPIA s.11 requires every processing activity to rest on a justification. Ours are:

  • Performance of a contract — to operate the platform you (or your agency) have subscribed to, and to enable leases, payments and statements.
  • Legal obligation — to comply with the Rental Housing Act, the Estate Agency Affairs Act, FICA, tax law and POPIA itself (including the s.18 collection notice you are reading).
  • Consent — for credit checks, prospect direct marketing under POPIA s.69(1), and any other processing that does not fit the bases above. For direct marketing of similar services to existing customers, we rely on the s.69(3)(c) opt-out exception (you may opt out at any time by following the unsubscribe link or writing to the Information Officer). Consent can be withdrawn at any time.
  • Legitimate interest — for fraud prevention, platform security, audit logging and product analytics on aggregated, non-identifying data.

4. How long we keep it

We retain personal information only as long as needed for the purpose it was collected, or for any longer period required by law. Indicative periods:

  • Active tenant and landlord records — for the life of the relationship.
  • Closed leases and statements — 5 years after termination (FICA / tax).
  • Failed rental applications — 12 months, then deleted or anonymised.
  • Marketing consent records — until consent is withdrawn, plus 3 years (s.69).
  • Audit logs and security events — 7 years, in line with FICA Regulation 23, section 30 of the Companies Act and section 29 of the Tax Administration Act.
  • Backups — rolling 35-day window, then overwritten.

5. Who we share it with

We share personal information with vetted sub-operators who help us run the platform — hosting, database, email delivery, SMS gateway, payment and screening providers. The full current list, with country of processing and purpose, is published at /privacy/subprocessors. Each sub-operator is bound by a written agreement that mirrors our POPIA s.21 obligations.

We do not sell personal information, and we do not share it with third parties for their own marketing.

6. Cross-border transfers

Some of our hosting, database, object-storage and email providers operate from data centres outside the Republic. Where this is the case we rely on the conditions in POPIA s.72 — either the destination has comparable data-protection law, or the transfer is necessary for the contract you have asked us to perform, or the sub-operator is bound by binding rules that meet POPIA's standard. Specifics for each provider are noted on the subprocessor page.

7. Cookies and analytics

Regalis uses first-party functional cookies that store your authenticated session and the "view-as" role used by agency staff — these are strictly necessary for the platform to operate. We also use Google Ads cookies (gtag.js, conversion ID AW-18185546277) to measure the effectiveness of our advertising and to attribute sign-ups that originate from our campaigns. These advertising cookies are set when you arrive on the site; by continuing to use the site you accept their use, as set out in the notice shown on your first visit. You may withdraw at any time by clearing cookies, using your browser's cookie controls, or adjusting your Google ad settings at adssettings.google.com. Aggregated product usage metrics are still derived from server logs, never from cookies.

8. Your rights under POPIA

POPIA s.23 to s.25 give every data subject the right to:

  • Access the personal information we hold about you.
  • Have inaccurate or out-of-date information corrected.
  • Have information deleted where we no longer need it.
  • Object to processing on legitimate-interest grounds.
  • Withdraw consent for any consent-based processing.
  • Restrict processing while a dispute is being resolved.
  • Lodge a complaint with the Information Regulator at inforegulator.org.za.

To exercise any of these rights, use our data-subject request form at /privacy/request. We respond within 30 days as required by the Act.

9. Children's data

Regalis is a business tool for adult landlords, tenants and agency staff. We do not knowingly collect personal information from children under 18. If you believe a minor has submitted information through the platform, contact our Information Officer and we will delete the record.

10. Security

In line with POPIA s.19 we apply encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication for staff accounts, and a documented incident-response workflow. Suspected breaches are reported to the Information Regulator and affected data subjects within the timeframes required by s.22.

11. Changes to this policy

We may update this policy as the platform changes or as the law develops. The "Last updated" date at the top reflects the current version. Material changes are also announced inside the app, and where the change requires fresh consent we ask for it before the change takes effect.

12. Contact

For anything in this policy, contact our Information Officer (Liam James Parker) at privacy@regalis.co.za. You can also reach the broader privacy team via the privacy centre.