Privacy Policy
1. Who We Are
Estavo (Pty) Ltd (registration number pending; CIPC registration in progress) ("Estavo", "we", "us", "our") is a South African company that develops and operates the Estavo Estate Operating System — a software platform for residential gated communities and their managing agents.
Information Officer: Bryson Mabilo
Contact: privacy@estavo.co.za
Registered Address: Pretoria, South Africa
We are in the process of registering with the Information Regulator of South Africa as required under the Protection of Personal Information Act 4 of 2013 (POPIA).
2. Scope of This Policy
This policy applies to:
- Residents and occupants of estates using the Estavo platform
- Visitors and guests accessing estates via Estavo guest codes
- Estate managers, trustees, and staff using Estavo's management tools
- Visitors to estavo.co.za and all Estavo subdomains
3. Personal Information We Collect
3.1 Residents and Occupants
- Full name and contact details (email, phone number)
- South African ID number
- Unit/property address within the estate
- Vehicle registration numbers and vehicle details
- Driver's licence (scanned via barKoder for identity verification at the gate — see section 4)
- Access history (gate events tied to your identity)
- Levy/rental payment records
3.2 Guests and Visitors
- Phone number (for OTP delivery via WhatsApp)
- Name (if provided by the hosting resident)
- Vehicle registration (if provided)
- Visit log (date, time, gate used)
3.3 Estate Managers and Staff
- Full name, contact details, role within the estate
- Login credentials (hashed — we do not store plain-text passwords)
- Action logs within the management dashboard
3.4 Technical Data (All Users)
- IP address and device type (for security and fraud prevention)
- Session logs
- Error reports
4. Driver's Licence Scanning
Estavo uses barKoder technology to scan and decode driver's licences at estate gates. We wish to be transparent about how this works:
- The scan extracts the identity data encoded in the driver's licence barcode (name, ID number, licence categories).
- This data is used to verify identity at the point of entry.
- Raw scan data is not retained beyond the verification event — only the extracted identity record is stored, linked to the access log.
- This processing is conducted on the lawful basis of legitimate interest (estate security) and, where required, with the resident's or visitor's informed consent.
5. Why We Process Personal Information
| Purpose | Legal Basis under POPIA |
|---|---|
| Estate access control and gate management | Legitimate interest (security); consent where required |
| Resident identity verification | Legitimate interest; contractual necessity |
| Levy and rental administration | Contractual necessity |
| Guest OTP generation and delivery | Contractual necessity; consent |
| Security incident investigation | Legitimate interest |
| Platform operation and maintenance | Contractual necessity |
| Regulatory compliance | Legal obligation |
| AI-generated estate reports | Legitimate interest (anonymised/aggregate — no raw PII used in AI processing) |
We do not sell personal information. We do not use personal information for advertising.
6. Third Parties We Share Information With
We work with trusted third-party processors to run the Platform. All partners are bound by compliance agreements equivalent to POPIA standards:
| Party | Purpose | Location |
|---|---|---|
| Supabase | Database and file storage | EU West (Frankfurt) |
| Twilio | WhatsApp OTP delivery | United States (with compliant DPA) |
| Resend | Transactional email | United States (with compliant DPA) |
| Anthropic | AI narrative report generation | United States (aggregate/anonymised data only — no raw PII) |
| Cloudflare | CDN, DNS, security | Global (with compliant DPA) |
We do not share personal information with any other third party without your consent, except where required by law or court order.
7. Data Retention
| Category | Retention Period |
|---|---|
| Resident PII | Duration of active estate subscription + 6 months post-termination |
| Access logs | 12 months active, 24 months archive |
| Guest records and OTP logs | 90 days |
| Driver's licence scan extracts | Retained as part of access log (subject to access log retention) |
| Manager/staff records | Duration of active role + 6 months |
| Payment records | 5 years (tax and accounting obligations) |
8. Your Rights as a Data Subject
Under POPIA, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal retention obligations)
- Objection: Object to processing of your personal information in certain circumstances
- Complaint: Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, contact: privacy@estavo.co.za. We will respond within 30 days of receipt of your request.
9. Security
Estavo implements the following technical and organisational safeguards:
- All data in transit is encrypted using TLS
- All data at rest is encrypted in Supabase (EU West, Frankfurt)
- Row-level security (RLS) policies ensure estate data is isolated — no estate can access another estate's data
- Access to production systems is restricted to authorised personnel only
- No service role keys are exposed client-side
In the event of a data breach that may cause harm to data subjects, we will notify the Information Regulator and affected individuals as required by POPIA Section 22.
10. Cookies and Tracking
The Estavo web platform uses:
- Essential cookies: Required for session management and authentication. Cannot be disabled without breaking the platform.
- No advertising or tracking cookies.
The Estavo mobile app does not use cookies.
11. Children
Estavo does not knowingly collect personal information from persons under the age of 18 without the consent of a competent person (parent or guardian) as defined in POPIA. If you believe a minor's information has been submitted without proper consent, contact privacy@estavo.co.za immediately.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be notified to estate managers via the platform and via email. The updated effective date will appear at the top of this document.
13. Contact and Complaints
Information Regulator of South Africa:
Website: inforegulator.org.za
Email: inforeg@justice.gov.za
Tel: 010 023 5207