Privacy Policy

Last updated: August 28, 2025

Effective Date: August 28, 2025

1. Data Collection & Purpose

1.1 Information We Collect

Account Information

  • Personal Details: Name, email address, company name
  • Authentication Data: Password (encrypted), login timestamps
  • Billing Information: Payment details (processed via PayFast)
  • Purpose: Account management, billing, and service delivery

Website Analysis Data

  • URLs & Domains: Websites you submit for analysis
  • SEO Metrics: Page speeds, meta tags, content analysis
  • Crawl Results: Site structure, internal links, technical data
  • Purpose: Providing SEO analysis and recommendations

Usage Analytics

  • Platform Usage: Features accessed, analysis frequency
  • Performance Data: API calls, report generations, search queries
  • Device Information: Browser type, IP address, user agent
  • Purpose: Service improvement and usage monitoring

Communication Data

  • Support Interactions: Help desk conversations, feedback
  • Email Communications: Newsletters, service updates
  • Marketing Data: Email open rates, click tracking
  • Purpose: Customer support and service communications

2. Legal Basis for Processing (POPIA/GDPR)

2.1 Consent

  • Marketing emails and promotional communications
  • Non-essential cookies and analytics tracking
  • Newsletter subscriptions and content downloads

2.2 Contract Performance

  • Providing SEO analysis services you've subscribed to
  • Processing payments and managing your account
  • Delivering reports and technical support

2.3 Legitimate Interests

  • Platform security and fraud prevention
  • Service improvement and feature development
  • Business analytics and performance monitoring

2.4 Legal Obligations

  • Compliance with tax and financial reporting requirements
  • Responding to valid legal requests and court orders
  • Meeting data protection and regulatory obligations

3. Data Sharing & Third Parties

3.1 Service Providers

PayFast (Payment Processing)

  • Data Shared: Billing information, transaction details
  • Purpose: Secure payment processing
  • Location: South Africa
  • Safeguards: PCI DSS compliance, encryption

Brevo/SendGrid (Email Services)

  • Data Shared: Email addresses, communication preferences
  • Purpose: Transactional and marketing emails
  • Location: EU/US with adequacy decisions
  • Safeguards: GDPR compliance, data processing agreements

PostgreSQL Hosting (Database Services)

  • Data Shared: All platform data (encrypted)
  • Purpose: Data storage and processing
  • Location: South Africa or EU
  • Safeguards: Encryption, access controls, regular backups

3.2 We Do NOT Share Data With

  • Data brokers or marketing companies
  • Social media platforms (except for consented advertising)
  • Competitors or unauthorized third parties
  • Government agencies (except when legally required)

4. International Data Transfers

4.1 Primary Data Storage

Your data is primarily stored and processed in South Africa using local infrastructure.

4.2 International Transfers

Limited data may be transferred internationally for:

  • Email Services: EU (Brevo) and US (SendGrid) with adequacy decisions
  • CDN Services: Global distribution for performance
  • Support Tools: EU-based customer support platforms

4.3 Transfer Safeguards

  • Standard Contractual Clauses (SCCs) for non-adequate countries
  • Adequacy decisions where available
  • Regular review of transfer necessity and security

5. Data Retention Periods

5.1 Active Accounts

  • Account Data: Retained while account is active plus 2 years
  • Analysis Results: Retained per plan limits (30 days to 2 years)
  • Usage Analytics: Aggregated data retained for 5 years

5.2 Inactive/Cancelled Accounts

  • Personal Data: Deleted 90 days after cancellation
  • Billing Records: Retained 7 years for tax compliance
  • Anonymized Analytics: Retained indefinitely for business intelligence

5.3 Legal Hold

Data may be retained longer when required by legal proceedings, regulatory investigations, or court orders.

6. User Rights & Access Procedures

6.1 Your Rights Under POPIA

Right of Access

  • Request copies of your personal information
  • Understand how your data is being processed
  • How to Exercise: Email privacy@rf19.com with your request
  • Response Time: 30 days maximum

Right to Rectification

  • Correct inaccurate or incomplete personal information
  • Update your account details directly in the platform
  • How to Exercise: Account settings or contact support

Right to Erasure ("Right to be Forgotten")

  • Request deletion of your personal information
  • Subject to legal retention requirements
  • How to Exercise: Account deletion or privacy@rf19.com
  • Processing Time: 30 days for deletion confirmation

Right to Restrict Processing

  • Limit how we process your information
  • Suspend processing while disputes are resolved
  • How to Exercise: Contact privacy@rf19.com

Right to Data Portability

  • Export your data in machine-readable format
  • Transfer data to another service provider
  • How to Exercise: Request via account settings or support

Right to Object

  • Object to processing for direct marketing (immediate)
  • Object to processing based on legitimate interests
  • How to Exercise: Unsubscribe links or privacy@rf19.com

7. Security Measures

7.1 Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based permissions and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and monitoring
  • Database Security: Row-level security and customer data isolation

7.2 Organizational Measures

  • Staff Training: Regular privacy and security awareness training
  • Access Limitation: Need-to-know basis for data access
  • Incident Response: Defined procedures for data breaches
  • Regular Audits: Security assessments and compliance reviews

7.3 Breach Notification

In case of a data breach affecting your personal information:

  • We'll notify the Information Regulator within 72 hours
  • Affected users will be informed within 72 hours when required
  • We'll provide clear information about the breach and remedial actions

8. Cookie Usage

8.1 Essential Cookies

  • Purpose: Authentication, security, site functionality
  • Basis: Strictly necessary for service operation
  • Consent: Not required (essential functionality)

8.2 Analytics Cookies

  • Purpose: Usage statistics, performance monitoring
  • Providers: Google Analytics, internal analytics
  • Consent: Required - managed via cookie banner

8.3 Marketing Cookies

  • Purpose: Advertising effectiveness, remarketing
  • Providers: Facebook Pixel, Google Ads
  • Consent: Required - can be withdrawn anytime

8.4 Cookie Management

You can manage cookie preferences through:

  • Our cookie consent banner (first visit)
  • Account settings (logged-in users)
  • Browser settings (all cookie types)

9. Contact Information for Data Queries

9.1 Data Protection Officer

  • Email: privacy@rf19.com
  • Response Time: 5 business days for acknowledgment
  • Resolution Time: 30 days maximum

9.2 General Support

  • Email: support@rf19.com
  • Phone: [Support Phone Number]
  • Address: [Company Address], South Africa

9.3 Legal Department

  • Email: legal@rf19.com
  • Purpose: Legal requests, compliance matters

10. Complaint Procedures

10.1 Internal Complaints

  1. Submit Complaint: Email privacy@rf19.com with details
  2. Acknowledgment: We'll respond within 5 business days
  3. Investigation: Thorough review within 30 days
  4. Resolution: Written response with outcome and actions
  5. Appeal: Escalation to management if unsatisfied

10.2 External Complaints (South Africa)

If unsatisfied with our response, you may lodge a complaint with:

  • Information Regulator of South Africa
  • Website: www.justice.gov.za/inforeg/
  • Email: complaints.IR@justice.gov.za
  • Phone: +27 12 406 4818

10.3 EU Residents

EU residents may also complain to their local supervisory authority.

11. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected a child's personal information, we will delete it immediately and may terminate the account.

12. Changes to This Privacy Policy

12.1 Notification Methods

  • Email: Direct notification for material changes
  • Platform Notice: Prominent banner for 30 days
  • Updated Date: Revised effective date at top of policy

12.2 Consent for Changes

  • Continued use implies acceptance of minor changes
  • Explicit consent required for material changes affecting your rights
  • 30-day notice period for objections or account cancellation

Your Privacy Matters

We're committed to protecting your privacy and complying with South African data protection laws. This policy is designed to be transparent about our data practices while ensuring your rights are protected.

Legal Review Required: This privacy policy should be reviewed by qualified legal counsel familiar with POPIA, GDPR, and South African privacy law before implementation.