← Back to RubyFICA

Privacy Policy

Last updated: 20 April 2026

1. Who We Are

RubyFICA is operated by Rubynet (Pty) Ltd (Registration Number: 2026/345895/07), a South African company based in Durban, KwaZulu-Natal. We provide digital compliance tools for property practitioners.

Information Officer: Ray Roberts — [email protected]

2. What Data We Collect

We collect the following categories of personal information:

  • Identity data: Full name, South African ID number or passport number, date of birth, nationality, gender
  • Contact data: Email address, phone number, residential address
  • Employment data: Role, designation, employer details (for juristic entity representatives)
  • Documents: Copies of ID documents, proof of residential address, company registration documents, powers of attorney
  • Signatures: Digital signatures captured during the verification process
  • Technical data: IP address, browser type, device information, session timestamps
  • Screening data: Results of automated checks against sanctions lists, PEP databases, adverse media sources, and law enforcement databases

3. Why We Collect It

We process personal information to assist property practitioners with their legal obligations under the Financial Intelligence Centre Act 38 of 2001 (the FIC Act), specifically:

  • Customer due diligence (CDD) and enhanced due diligence (EDD)
  • Politically Exposed Person (PEP) screening
  • Sanctions and watchlist screening
  • Adverse media screening
  • Record keeping and audit trail maintenance
  • Risk assessment and reporting

4. Legal Basis

We process personal information on the following grounds under POPIA:

  • Compliance with law (Section 11(1)(c)) — the FIC Act requires Accountable Institutions to collect and verify this information
  • Consent (Section 11(1)(a)) �� data subjects consent by completing the FICA form
  • Legitimate interest (Section 11(1)(f)) — property practitioners have a legitimate interest in complying with their legal obligations efficiently

5. Who We Share Data With

  • The property practitioner (agent or agency) who initiated the FICA verification request
  • PEP and sanctions screening database providers (for compliance checks only)
  • Email service providers (SMTP2GO) for delivering notifications
  • We do not sell personal information to any third party

6. International Data Transfers

Some data is processed through international service providers:

  • Cloudflare (USA) — for security, DDoS protection, and content delivery
  • SMTP2GO (New Zealand) — for email delivery

These providers maintain adequate data protection standards. All primary database storage remains in South Africa.

AI-powered features: AI-powered features (risk report generation) use anonymized data only. No personally identifiable information (names, identity numbers, addresses, or contact details) is transmitted to AI service providers. Only anonymized, non-identifying facts (such as screening match results and risk indicators) are used for report generation, with personal details added locally on our South African servers.

7. Data Retention

  • FICA records: Retained for a minimum of 5 years after the completion of the business relationship, as required by Section 23 of the FIC Act
  • Account data: Retained for the duration of the business relationship plus 5 years
  • Technical logs: Retained for 12 months

8. Data Security

We implement appropriate technical and organisational measures including:

  • Encryption in transit (TLS/HTTPS)
  • ClamAV antivirus scanning of all uploaded files
  • Role-based access controls
  • Comprehensive audit logging
  • Regular encrypted backups
  • File integrity monitoring

9. Your Rights Under POPIA

You have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request correction of inaccurate personal information
  • Deletion — request deletion of your personal information (subject to the 5-year FICA retention requirement)
  • Objection — object to the processing of your personal information
  • Data portability — request your data in a machine-readable format

To exercise any of these rights, email [email protected] or [email protected].

10. Cookies

We use:

  • Session cookies — essential for authentication and security. Cannot be disabled.
  • Analytics — we use Umami, a privacy-focused analytics tool that does not collect personal data, does not use cookies for tracking, and does not share data with third parties.

11. Children

We do not knowingly collect personal information from persons under the age of 18. If you believe a child's data has been submitted, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users via email of any material changes. The “Last updated” date at the top of this page indicates the most recent revision.

13. Contact and Complaints

Information Officer: Ray Roberts
Email: [email protected]

If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:

Email: [email protected]
Phone: 012 406 4818
Website: inforegulator.org.za

TermsPrivacyPOPIAPAIA

© 2026 Rubynet (Pty) Ltd. All rights reserved.