Privacy Policy

Last updated: June 2026Effective date: Coming soon

1. Who We Are

Estavo (Pty) Ltd (Registration No. Registration pending - CIPC registration in progress) ("Estavo", "we", "us", "our") is a South African company that develops and operates the Estavo Estate Operating System — a software platform for residential gated communities and their managing agents.

Information Officer: Bryson Mabilo

Contact: privacy@estavo.co.za

Registered Address: Pretoria, South Africa

We are in the process of registering with the Information Regulator of South Africa as required under the Protection of Personal Information Act 4 of 2013 (POPIA).

2. Scope of This Policy

This policy applies to:

  • Residents and occupants of estates using the Estavo platform
  • Visitors and guests accessing estates via Estavo guest codes
  • Estate managers, trustees, and staff using Estavo's management tools
  • Visitors to estavo.co.za and all Estavo subdomains

3. Personal Information We Collect

3.1 Residents and Occupants

  • Full name and contact details (email, phone number)
  • South African ID number
  • Unit/property address within the estate
  • Vehicle registration numbers and vehicle details
  • Driver's licence (scanned via barKoder for identity verification at gate — see section 4)
  • Access history (gate events tied to your identity)
  • Levy/rental payment records

3.2 Guests and Visitors

  • Phone number (for OTP delivery via WhatsApp)
  • Name (if provided by the hosting resident)
  • Vehicle registration (if provided)
  • Visit log (date, time, gate used)

3.3 Estate Managers and Staff

  • Full name, contact details, role within the estate
  • Login credentials (hashed — we do not store plain-text passwords)
  • Action logs within the management dashboard

3.4 Technical Data (All Users)

  • IP address and device type (for security and fraud prevention)
  • Session logs
  • Error reports

4. Driver's Licence Scanning

Estavo uses barKoder technology to scan and decode driver's licences at estate gates. We wish to be transparent about how this works:

  • The scan extracts the identity data encoded in the driver's licence barcode (name, ID number, licence categories).
  • This data is used to verify identity at the point of entry.
  • Raw scan data is not retained beyond the verification event — only the extracted identity record is stored, linked to the access log.
  • This processing is conducted on the lawful basis of legitimate interest (estate security) and, where required, with the resident's or visitor's informed consent.

5. Why We Process Personal Information

PurposeLegal Basis under POPIA
Estate access control and gate managementLegitimate interest (security); consent where required
Resident identity verificationLegitimate interest; contractual necessity
Levy and rental administrationContractual necessity
Guest OTP generation and deliveryContractual necessity; consent
Security incident investigationLegitimate interest
Platform operation and maintenanceContractual necessity
Regulatory complianceLegal obligation
AI-generated estate reportsLegitimate interest (anonymised/aggregate — no raw PII used in AI processing)

We do not sell personal information. We do not use personal information for advertising.

6. Third Parties We Share Information With

We work with trusted third-party processors to run the Platform. All partners are bound by compliance agreements equivalent to POPIA standards:

PartyPurposeLocation
SupabaseDatabase and file storageEU West (Frankfurt)
TwilioWhatsApp OTP deliveryUnited States (with compliant DPA)
ResendTransactional emailUnited States (with compliant DPA)
AnthropicAI narrative report generationUnited States (aggregate/anonymised data only — no raw PII)
CloudflareCDN, DNS, securityGlobal (with compliant DPA)

We do not share personal information with any other third party without your consent, except where required by law or court order.

7. Data Retention

CategoryRetention Period
Resident PIIDuration of active estate subscription + 6 months post-termination
Access logs12 months active, 24 months archive
Guest records and OTP logs90 days
Driver's licence scan extractsRetained as part of access log (subject to access log retention)
Manager/staff recordsDuration of active role + 6 months
Payment records5 years (tax and accounting obligations)

8. Your Rights as a Data Subject

Under POPIA, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal retention obligations)
  • Objection: Object to processing of your personal information in certain circumstances
  • Complaint: Lodge a complaint with the Information Regulator of South Africa

To exercise any of these rights, contact: privacy@estavo.co.za. We will respond within 30 days of receipt of your request.

9. Security

Estavo implements the following technical and organisational safeguards:

  • All data in transit is encrypted using TLS
  • All data at rest is encrypted in Supabase (EU West Frankfurt)
  • Row-level security (RLS) policies ensure estate data is isolated — no estate can access another estate's data
  • Access to production systems is restricted to authorised personnel only
  • No service role keys are exposed client-side

In the event of a data breach that may cause harm to data subjects, we will notify the Information Regulator and affected individuals as required by POPIA Section 22.

10. Cookies and Tracking

The Estavo web platform uses:

  • Essential cookies: Required for session management and authentication. Cannot be disabled without breaking the platform.
  • No advertising or tracking cookies.

The Estavo mobile app does not use cookies.

11. Children

Estavo does not knowingly collect personal information from persons under the age of 18 without the consent of a competent person (parent or guardian) as defined in POPIA. If you believe a minor's information has been submitted without proper consent, contact privacy@estavo.co.za immediately.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be notified to estate managers via the platform and via email. The updated effective date will appear at the top of this document.

13. Contact and Complaints

Information Officer: Bryson Mabilo

Email: privacy@estavo.co.za

Address: Pretoria, South Africa

Information Regulator of South Africa:

Website: inforegulator.org.za

Email: inforeg@justice.gov.za

Tel: 010 023 5207

This policy is governed by the Protection of Personal Information Act 4 of 2013 and applicable South African law.