Your Privacy, Our Responsibility

In accordance with the Electronic Communications and Transactions Act (ECTA) and the Companies Act 71 of 2008, we are required to disclose our business identity clearly.

Ikhayalami operates in full compliance with the following South African statutes. Where these laws impose obligations on us, we honour them. Where they grant rights to you, we facilitate them.

Information You Provide Directly

• Account registration details (name, email address, phone number)
• Property listing information (address, price, description, photographs)
• Enquiry and contact form submissions
• Search preferences and saved property lists
• Any messages sent through our platform enquiry system
• Identity & biometric verification data — where you use a feature that requires identity verification (for example, the Student Accommodation category and other verified-user journeys), this includes an uploaded government-issued identity document or passport, your identity number, and live facial-recognition data captured during a liveness check. This is special personal information under POPIA §26 and is processed strictly as described in Section 14S.8

Information Collected Automatically

• Device information (browser type, operating system, screen resolution)
• IP address and approximate geographic location (used for hyper-local search, only when enabled)
• Pages visited, search terms entered, and feature interactions — analytics only with your consent
• Session duration and navigation patterns — analytics only with your consent
• Cookies and local browser storage (see Section 6)

We Do Not Collect

• Financial or payment card information (no payment processing on this platform)
• Sensitive personal information as defined in POPIA §26 (race, health, religion, etc.), unless explicitly required and consented to
• Biometric data — except the live facial-recognition data used solely for identity verification where you choose to use a verified feature, processed lawfully and with your explicit consent as set out in Section 14S.8

POPIA's purpose limitation principle (§13) requires that personal information may only be collected for a specific, explicitly defined, and lawful purpose. We collect and process your information for:

• Delivering the core Property Intelligence service
• Processing and displaying property enquiries between buyers/renters and listers
• Personalising search results using hyper-local location, if enabled by you
• Remembering your preferences between visits, with your consent
• Improving platform features and AI-driven search accuracy, with analytics consent
• Complying with legal obligations and responding to lawful requests
• Communicating important service updates (not marketing without separate consent)
• Preventing fraud and ensuring platform security and integrity

We only process personal information where we have a lawful ground under POPIA §11:

We use a three-tier storage system. Essential storage is required for the site to function and does not require consent under POPIA (disclosure is sufficient). All other storage requires your explicit consent, which you manage via Settings → Privacy, Cookies & Legal.

Tier 1 — Essential (Always Active)

• ikh_consent_v1 — records your analytics consent decision
• ikh_lang — your selected language preference
• ikhayalami_a11y — your accessibility preferences (font size, contrast, etc.)

Tier 2 — Preferences (Optional, Your Control)

• Recent search history, hyper-local location cache, UI hint dismissal states
• Disable and clear at any time via Settings → Privacy, Cookies & Legal

Tier 3 — Analytics (Google Analytics 4, Requires Consent)

• GA4 is implemented with Consent Mode v2 — no data is collected and no cookies are written until you explicitly accept
• IP addresses are anonymised before any data reaches Google
• No advertising or cross-site profiling cookies are used
• Withdraw consent at any time via Settings → Data & Analytics

We do not sell, rent, or trade your personal information. We may share data only in the following limited circumstances:

• Service Providers (Operators under POPIA): Hosting, cloud infrastructure, and analytics providers who process data strictly on our behalf under written data processing agreements
• SMS / OTP delivery (Twilio): For account security on the Tenant+ operating system and the Stay platform, we use Twilio as an operator to deliver one-time passwords (OTPs). Where you have registered a mobile number and choose SMS verification — for example during a password reset — your number and the OTP message are transmitted to Twilio solely to deliver that security message. Twilio processes this data on our behalf under a data processing agreement and may not use it for any other purpose (see also Sections 11 and 13)
• Property Enquiries: When you submit an enquiry, your contact details are shared with the relevant property lister for the sole purpose of responding to your enquiry
• Google Analytics: Anonymised, aggregated usage data — only with your explicit consent (see Section 6)
• Legal Requirements: Where compelled by a court order, PAIA request, or lawful statutory authority under South African law

All third-party operators are contractually bound to process data only as instructed and to maintain equivalent data protection standards as required by POPIA §21.

POPIA §19 requires us to implement appropriate, reasonable technical and organisational measures to prevent loss, damage, or unauthorised access to personal information. Our measures include:

• HTTPS / TLS encryption for all data transmitted to and from the platform
• Secure server infrastructure with strict access controls and least-privilege principles
• Regular security assessments and vulnerability monitoring
• Minimal data collection — we only collect what is strictly necessary
• Staff awareness and training on data protection obligations

In addition to POPIA, we are bound by the Electronic Communications and Transactions Act (ECTA) 25 of 2002 to secure the integrity and confidentiality of your data. We implement robust technical and organisational measures to prevent loss, damage, or unauthorised access to the information we hold and transmit.

Your Obligations

As a user, you are obligated to provide complete and accurate information. Where identity verification applies, you must present a legitimate, government-issued identification document as defined by the Identification Act 68 of 1997, which provides for the issuing of official identity documents.

• Any submission of false information, impersonation, or attempt to defraud the system or its verification process constitutes a serious offence
• Such actions will be investigated and may lead to suspension or permanent termination of your account, and/or criminal prosecution under the Criminal Procedure Act 51 of 1977 and the Cybercrimes Act 19 of 2020
• You are responsible for maintaining the confidentiality of any access credentials (passwords, one-time passwords, and verification codes) issued to or created by you

Disclaimer & Limitation of Liability

After the relevant retention period, personal information is securely deleted or anonymised. You may request earlier deletion subject to our legal obligations (see Section 10).

As a data subject under POPIA, you have the following rights:

To exercise any of these rights, contact us at info@ikhayalami.properties. We will respond within 30 days as required by POPIA. If you are unsatisfied, escalate to the Information Regulator at www.justice.gov.za/inforeg.

RICA governs the monitoring and storage of electronic communications. In compliance with RICA, we disclose the following:

• Enquiry messages submitted through the platform may be stored for delivery to the intended recipient and for quality assurance purposes
• Platform communications (enquiries, listing submissions) may be logged for security, fraud prevention, and legal compliance purposes
• We do not intercept, read, or commercially exploit the content of private communications between users for any purpose other than those disclosed here
• Communications may be disclosed to law enforcement authorities where required by a lawful court order under South African law
• Where you have registered a mobile number, we may send transactional security messages — most importantly one-time passwords (OTPs) for password resets on the Tenant+ operating system and the Stay platform — to that number via our SMS operator (Twilio). These are security and account-management communications, not marketing, and are sent only in response to an action you initiate or to protect your account

The Promotion of Access to Information Act gives everyone the right to request access to records held by private bodies. As a private body subject to PAIA, Ikhayalami is required to maintain a PAIA Manual in terms of §51.

• Our PAIA Manual is available on written request to info@ikhayalami.properties
• PAIA requests must be submitted using the prescribed Form C (available from the South African Human Rights Commission)
• We will respond to PAIA requests within the statutory timeframe prescribed by the Act
• Fees applicable to PAIA requests are set by the Promotion of Access to Information Act Regulations

Some of our service providers (such as Google Analytics and our SMS/OTP provider Twilio) process data on servers outside of South Africa. Where this occurs, we ensure compliance with POPIA §72, which permits cross-border transfers only where:

• The recipient country has equivalent data protection laws, or
• The recipient is bound by contractual data protection clauses equivalent to POPIA standards, or
• You have consented to the transfer — which you do when accepting analytics in the consent banner

Google Analytics is governed by Google's data processing terms, which incorporate standard contractual clauses and comply with applicable data protection frameworks globally.

Ikhayalami is not directed at children under the age of 18. We do not knowingly collect personal information from minors. POPIA §35 prohibits the processing of a child's personal information without prior consent from a competent person (parent or guardian).

If you believe a child has provided us with personal information without parental consent, please contact us immediately at info@ikhayalami.properties and we will delete it promptly.

14S.1 — Data We Collect from Students

When a student uses the Student Accommodation category, we may process the following personal information, in addition to our standard data set described in Section 3:

• Academic institution — the university, TVET college, or higher education institution the student is attending or plans to attend, used to surface proximity-relevant listings
• Year of study / programme — optionally provided to help match listings to relevant lease terms (e.g., academic year vs. full year)
• NSFAS beneficiary status — optionally indicated by the student to filter for NSFAS-accredited accommodation; this is treated as financial data and handled with heightened sensitivity under POPIA §26
• Enquiry content — messages sent to landlords via the platform's enquiry feature, which may contain details about budget, living preferences, or personal circumstances
• Search behaviour — suburb searches, price filters, and listing views within the student category, used to improve search relevance and identify fraudulent listing patterns

14S.2 — Legal Basis for Processing Student Data

We process student-related personal information on the following grounds under POPIA §11:

• Performance of a service — to facilitate the student's search for accommodation and connect them with legitimate landlords
• Legitimate interest — to detect, investigate, and prevent deposit fraud and scam listings that disproportionately target students, provided this interest does not override the student's fundamental rights
• Consent — where optional profile fields (e.g., NSFAS status) are completed voluntarily; students may omit these without being excluded from the platform

14S.3 — What Landlords & Listers May NOT Do with Student Data

Where a student's personal information is disclosed to a landlord or lister through our platform (e.g., via an enquiry), that lister is a data operator under POPIA §1 and is bound by the following restrictions:

• Student data received via Ikhayalami may only be used to respond to the specific accommodation enquiry — it may not be used for any other marketing, profiling, or commercial purpose without the student's explicit separate consent
• Student data may not be shared with any third party, including other landlords, letting agents, or data brokers, without the student's explicit written consent
• A student's NSFAS status, academic institution, or financial circumstances may not be used as grounds to refuse accommodation or impose discriminatory terms — this would violate PEPUDA (Act 4 of 2000) §6 and the Constitution §9
• Student personal data received through enquiries must be deleted or securely destroyed when it is no longer needed for the rental transaction, per POPIA §14
• Any lister found to have harvested, sold, or misused student data obtained through Ikhayalami will have their account permanently terminated and will be reported to the Information Regulator of South Africa and law enforcement, as this may constitute a criminal offence under the Cybercrimes Act 19 of 2020 §14 (unlawful interception of data)

14S.4 — Anti-Profiling & Non-Discrimination

Ikhayalami does not use student data — including institution, year of study, or NSFAS status — to algorithmically rank or deprioritise student renters in search results, or to charge differential fees. Any use of data in our platform is solely to improve the relevance of search results and to protect students from fraudulent listings.

Ikhayalami's AI-powered features (where applicable) do not generate recommendations that discriminate on the basis of any protected characteristic under PEPUDA or the Constitution.

14S.5 — Fraud Investigation & Data Sharing with Authorities

Where Ikhayalami identifies or receives a credible report of student accommodation fraud on our platform, we may share relevant data — including lister account details, listing information, communication logs, and payment-related data — with the following authorities without prior notice to the suspected fraudster:

• The South African Police Service (SAPS)
• The National Consumer Commission (under the CPA)
• The Information Regulator of South Africa (if a data breach is involved)
• NSFAS (if NSFAS accreditation fraud is suspected)
• The student's academic institution (only where requested by the student or SAPS)

This disclosure is lawful under POPIA §11(1)(f) (necessary for pursuit of a legitimate interest overriding the data subject's interest) and POPIA §11(1)(c) (compliance with a legal obligation).

14S.6 — Student Data Retention

Student-specific data is subject to the general retention periods in Section 9. In addition:

• Fraud-related data (flagged listings, reports, investigation records) is retained for a minimum of 5 years to support law enforcement investigations and prevent repeat offenders from re-registering
• Enquiry data is deleted within 12 months of the enquiry being closed or the listing being removed, unless retained pursuant to an active fraud investigation
• NSFAS status data provided voluntarily is deleted upon account closure

14S.7 — Student Data Rights

All rights described in Section 10 of this Policy apply equally to student users. In addition, students may specifically:

• Request deletion of their NSFAS status or academic institution data from their profile at any time, without affecting their access to general property search
• Request a record of all personal data shared with any landlord via our enquiry system
• Report a suspected privacy breach by a landlord to both Ikhayalami (info@ikhayalami.properties) and directly to the Information Regulator (www.justice.gov.za/inforeg)

14S.8 — Identity & Biometric Verification

Student accommodation attracts a high volume of deposit and listing scams, including fraudsters who use stolen or fabricated identities. To protect students and legitimate listers, certain verified journeys require you to complete an identity-verification step. This step processes biometric information (live facial data), which is special personal information under POPIA §26.

What the verification step involves:

• Liveness (aliveness) check — we confirm that a live person is present at the time of verification, rather than a photograph, video replay, mask, or deepfake. This is the single most effective defence against fraudsters using stolen identity images
• Facial geometry capture — using the Google MediaPipe Face Mesh API, we derive a map of up to 468 three-dimensional facial landmarks. This geometric map is compared against the photograph on the identity document or passport you upload, to confirm that the live person and the document refer to the same individual
• Identity document upload — you provide a government-issued identity document or passport. We require this because the document photograph is the reference the face-match is measured against; without a trusted reference image, a face scan alone cannot establish whose face it is. Requiring an official document is what binds a real, accountable identity to the account and meaningfully reduces impersonation and stolen-identity fraud
• Identity number validation (Luhn check) — the identity number you provide is validated using the Luhn algorithm, which verifies the final check digit and confirms that the number is structurally valid (correctly formed). For transparency: the Luhn check does not confirm that the number is registered to you or exists on any government register. We currently do not perform a live check against the Department of Home Affairs National Population Register. The biometric face-match against your document photograph is therefore our compensating control — it is what links the validated number and document to the live person in front of the camera

14S.9 — Legal Basis, Your Consent & Rights

Because biometric information is special personal information, we may only process it where an authorisation in POPIA §27 applies. We rely on POPIA §27(1)(b) — processing that is necessary for the establishment, exercise, or defence of a right or obligation in law (here, preventing fraud and protecting other users and listers) — together with your explicit consent under POPIA §27(1)(a) and §11(1)(a).

14S.10 — Your Obligations

As a user, you are obligated to provide complete and accurate information. You must present a legitimate, government-issued identification document as defined by the Identification Act 68 of 1997, which provides for the issuing of official identity documents.

• Any submission of false information, impersonation, or attempt to defraud the verification system constitutes a serious offence
• Such actions will be investigated and may lead to permanent termination of your account and/or criminal prosecution under the Criminal Procedure Act 51 of 1977 and the Cybercrimes Act 19 of 2020
• You are responsible for maintaining the confidentiality of any access credentials and one-time passwords issued to you

14S.11 — Disclaimer & Limitation of Liability

• Material changes will be notified via a prominent notice on our website and, where possible, by email to registered users
• The "Last Updated" date at the top of this policy will always reflect the most recent revision
• Continued use of the platform after a policy update constitutes acceptance of the revised terms
• If a change requires new consent under POPIA, we will seek that consent before processing your data under the new terms

For any privacy-related queries, requests, or complaints, please contact our Information Officer. We are committed to resolving any privacy concerns within 30 days.