← Back to RubyFICA

Privacy Policy

Last updated: 21 June 2026

1. Who We Are

RubyFICA is operated by Rubynet (Pty) Ltd, a South African company. We provide digital compliance tools for property practitioners.

Rubynet (Pty) Ltd
Registration number: 2026/345895/07
Registered office and postal address: 4 Flack Place, Durban North, KwaZulu-Natal, 4051, South Africa

Information Officer: Reinhardt Roberts — [email protected]

2. What Data We Collect

We collect the following categories of personal information:

  • Identity data: Full name, South African ID number or passport number, date of birth, nationality, gender
  • Contact data: Email address, phone number, residential address
  • Employment data: Role, designation, employer details (for juristic entity representatives)
  • Documents: Copies of ID documents, proof of residential address, company registration documents, powers of attorney
  • Signatures: Digital signatures captured during the verification process
  • Technical data: IP address, browser type, device information, session timestamps
  • Screening data: Results of automated checks against sanctions lists, PEP databases, adverse media sources, and law-enforcement wanted-person lists

3. Why We Collect It

We process personal information to assist property practitioners with their legal obligations under the Financial Intelligence Centre Act 38 of 2001 (the FIC Act), specifically:

  • Customer due diligence (CDD) and enhanced due diligence (EDD)
  • Politically Exposed Person (PEP) screening
  • Sanctions and watchlist screening
  • Adverse media screening
  • Record keeping and audit trail maintenance
  • Risk assessment and reporting

4. Legal Basis

Most personal information we process for FICA customer due diligence, screening and record-keeping is processed because it is necessary to comply with an obligation imposed by law — in particular the Financial Intelligence Centre Act 38 of 2001 — as contemplated in section 11(1)(c) of POPIA. This processing is mandatory and is not based on consent; it cannot be stopped by withdrawing consent, because the law requires it. We rely on consent only for processing that is genuinely optional, such as marketing communications, which you may withdraw at any time.

5. Automated Processing and Decisions

Sanctions, PEP and adverse-media screening, and any AI-assisted risk indicators produced by RubyFICA, are decision-support tools only. They do not, on their own, make any decision about a data subject. The property practitioner using RubyFICA reviews the results and makes the final compliance decision. Data subjects have the rights set out in section 71 of POPIA in relation to automated decision-making.

6. Who We Share Data With

  • The property practitioner (agent or agency) who initiated the FICA verification request
  • PEP and sanctions screening database providers (for compliance checks only)
  • Email service providers (SMTP2GO) for delivering notifications
  • We do not sell personal information to any third party

7. International Data Transfers

Some data is processed through international service providers, for example:

  • Cloudflare (USA) — for security, DDoS protection, and content delivery
  • SMTP2GO (New Zealand) — for email delivery

Some of our service providers are located outside South Africa (for example, hosting and email-delivery providers). Where personal information is transferred outside South Africa, we do so in accordance with section 72 of POPIA — because the recipient is subject to laws, binding rules or a written agreement providing an adequate level of protection, or because the transfer is necessary to perform our contract with you. Screening analysis performed with the assistance of AI service providers is carried out on de-identified information: identifying details are removed and the analysis refers only to “the subject”. All primary database storage remains in South Africa.

8. Data Retention

  • FICA records: Retained for a minimum of 5 years after the completion of the business relationship, as required by the FIC Act
  • Account data: Retained for the duration of the business relationship plus 5 years
  • Technical logs: Retained for 12 months

9. Data Security

We implement appropriate technical and organisational measures including:

  • Encryption in transit (TLS/HTTPS)
  • ClamAV antivirus scanning of all uploaded files
  • Role-based access controls
  • Comprehensive audit logging
  • Regular encrypted backups
  • File integrity monitoring

10. Security Compromises

If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible after becoming aware of the compromise, as required by section 22 of POPIA, unless a public body responsible for criminal matters directs otherwise. Notifications to affected data subjects will be in writing and will describe, as far as known, the compromise and the steps they can take to protect themselves.

11. Our Role as Operator

When you use RubyFICA to process personal information about your own clients, you are the “responsible party” for that information and Rubynet acts as your “operator”, processing it only on your documented instructions and for the purpose of providing the service. We process such information under a written operator agreement and in accordance with section 21 of POPIA, maintain the security measures required by section 19, and will assist you as far as reasonably possible with data-subject requests and with any security compromise. We will not engage a sub-operator to process this information without your authorisation.

12. Your Rights Under POPIA

You have the right to: be told what personal information we hold about you and to access it; ask us to correct or delete information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained; object, on reasonable grounds, to the processing of your personal information; withdraw consent where processing is based on consent (this does not apply to processing the law requires, such as FICA record-keeping); and lodge a complaint with the Information Regulator. You may exercise these rights using the contact details above, and we will respond as POPIA requires. Personal information processed for FICA purposes must be retained for the period required by the FIC Act (generally five years) and cannot be deleted before then.

13. Cookies

We use:

  • Session cookies — essential for authentication and security. Cannot be disabled.
  • Analytics — we use Umami, a privacy-focused analytics tool that does not collect personal data, does not use cookies for tracking, and does not share data with third parties.

14. Children

We do not knowingly collect personal information from persons under the age of 18. If you believe a child's data has been submitted, please contact us immediately.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users via email of any material changes. The “Last updated” date at the top of this page indicates the most recent revision.

16. Contact and Complaints

Information Officer: Reinhardt Roberts
Email: [email protected]

If you are not satisfied with our response, you may lodge a complaint with the Information Regulator:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, 2017
Telephone: 010 023 5200
Toll-free: 080 001 7160
General enquiries: [email protected]
POPIA complaints: [email protected]
PAIA complaints: [email protected]
Website: inforegulator.org.za

© 2026 Rubynet (Pty) Ltd. All rights reserved.