
Privacy Policy

Last updated: 11 May 2026

GemFinder (“GemFinder”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share and safeguard your personal information when you use our website (gemfinder.co.za) and related applications (collectively, “the Service”).

This policy is issued in compliance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”) and the Electronic Communications and Transactions Act, 2002. By using the Service you confirm that you have read and understood this Privacy Policy.

1. Responsible Party and Information Officer

For the purposes of POPIA, the Responsible Party in relation to your personal information is:

Our Information Officer is the accountable person under POPIA section 55:

Our Information Officer will be registered with the Information Regulator of South Africa as required by POPIA.

2. The POPIA Conditions We Apply

POPIA requires every processing of personal information to comply with eight conditions. We commit to:

  1. Accountability — we are responsible for ensuring that the conditions below are met for any processing we perform.
  2. Processing limitation — we process personal information lawfully, in a reasonable manner, and only to the extent necessary for the stated purpose.
  3. Purpose specification — we collect personal information for specific, explicitly defined, lawful purposes set out in this policy.
  4. Further processing limitation — we will not further process your personal information in a way that is incompatible with the original purpose.
  5. Information quality — we take reasonable steps to ensure your personal information is complete, accurate and up to date.
  6. Openness — we maintain this Privacy Policy and notify you of material changes.
  7. Security safeguards — we apply reasonable technical and organisational measures to protect personal information against loss, damage or unauthorised access.
  8. Data subject participation — you have the rights set out in section 8 below.

3. Information We Collect

3.1 Personal information you provide

  • Name, email address, and (where supplied) phone number.
  • Login credentials (passwords are stored only as salted hashes).
  • Billing information (for paid subscriptions) — your card details are collected and stored by our payment processor, Paystack; we receive only a tokenised reference and the last four digits of the card.
  • Account, team and workflow data you create within the Service (notes, tags, watchlist entries, reminders).
  • Communications you send us (support emails, contact form submissions).

3.2 Usage data we collect automatically

  • IP address, browser type and version, device type and operating system.
  • Pages visited, features used, session duration and clickstream within the Service.
  • Referrer URL and UTM parameters where applicable.
  • Error and performance diagnostics.

3.3 Cookies and similar technologies

We use cookies and similar local-storage technologies to:

  • Keep you signed in (essential session cookies).
  • Remember preferences (functional cookies).
  • Analyse usage so we can improve the Service (Google Analytics — see section 6).
  • Protect against fraud and spam (reCAPTCHA — see section 6).

You can disable non-essential cookies in your browser settings. Essential cookies cannot be disabled without breaking core Service functionality.

3.4 Special personal information

We do not intentionally collect special personal information as defined in POPIA section 26 (race, health, religion, biometric data, criminal behaviour, etc.). Please do not submit such information through the Service.

4. How We Use Your Information and Lawful Basis

Purpose | Lawful basis (POPIA s.11)
Create and maintain your account; provide the Service | Performance of contract
Process payments and manage subscriptions | Performance of contract; legal obligation (tax records)
Send transactional emails (receipts, password resets, system notices) | Performance of contract
Send service-related communications (auction alerts you opted into) | Consent
Send marketing communications | Consent (or existing-customer exception per POPIA s.69)
Analytics and product improvement | Legitimate interest, balanced against your privacy
Fraud, abuse and security monitoring | Legitimate interest; legal obligation
Respond to legal requests, comply with court orders or regulatory obligations | Legal obligation

5. Data Sharing and Recipients

GemFinder does not sell your personal information.

We share personal information only with the following categories of recipients, under written processing agreements where required by POPIA:

5.1 Operators (third-party processors)

Recipient | Purpose | Location
Amazon Web Services (AWS) | Cloud hosting and primary data storage | South Africa (af-south-1, Cape Town)
Paystack | Payment processing | South Africa / Nigeria (group)

5.2 Legal disclosures

We may disclose personal information where required by applicable law, court order, regulator request or law-enforcement requirement, or where reasonably necessary to protect GemFinder's legal rights.

6. Cross-border Transfers (POPIA s.72)

Your primary data is hosted in South Africa (AWS af-south-1, Cape Town). However, some of our operators listed in section 5.1 may transfer or process personal information outside South Africa. Where this happens, we ensure that one or more of the following applies:

  • The recipient is subject to a law or binding agreement providing an adequate level of protection substantially similar to POPIA;
  • You have consented to the transfer; or
  • The transfer is necessary for the performance of a contract between you and us, or in your interest.

7. Security Safeguards

We apply industry-standard technical and organisational measures to protect your personal information, including:

  • TLS encryption for data in transit;
  • Encryption at rest for database backups;
  • Hashed and salted password storage;
  • Network isolation and least-privilege access controls in AWS;
  • Logging, monitoring and intrusion detection;
  • Regular security review of third-party processors.

No internet transmission or electronic storage method is completely secure. We cannot guarantee absolute security, but we will continue to update our safeguards as threats evolve.

7.1 Security breach notification (POPIA s.22)

If we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify you and the Information Regulator as soon as reasonably possible after the discovery, as required by POPIA section 22. The notification will identify (so far as is reasonably possible) the nature of the breach, the personal information involved, and the measures we recommend you take.

8. Your Rights as a Data Subject

Under POPIA you have the right to:

  • Be notified when your personal information is collected and when it has been accessed by an unauthorised person.
  • Access your personal information and request a copy.
  • Correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  • Object to the processing of your personal information on reasonable grounds, and specifically to processing for the purposes of direct marketing.
  • Withdraw consent at any time where processing is based on consent (this does not affect the lawfulness of processing done before withdrawal).
  • Submit a complaint to the Information Regulator (see section 13).
  • Institute civil proceedings regarding alleged interference with your personal information.

To exercise any of these rights, email support@gemfinder.co.za. We may need to verify your identity before acting on the request. We will respond within a reasonable time, and in any event within the time periods prescribed by POPIA.

You may also lodge a request under the Promotion of Access to Information Act, 2 of 2000 (PAIA) using the prescribed forms. Our PAIA manual will be made available on request.

9. Direct Marketing (POPIA s.69)

We will only send you direct marketing by electronic communication if:

  • You have given us your specific consent; or
  • You are an existing customer and (i) we obtained your details in connection with a previous purchase, (ii) the marketing relates to similar products or services, and (iii) you have a reasonable opportunity to opt out — both initially and in every subsequent message.

Every marketing email contains an unsubscribe link. You can also unsubscribe at any time by emailing support@gemfinder.co.za.

10. Data Retention

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law. Indicative retention periods:

Category | Retention period
Account and profile data | For the life of your account, plus 12 months after account closure
Billing and invoice records | 5 years after the tax year of issue (SARS / VAT requirements)
Support correspondence | 2 years after the matter is closed
Usage and analytics data | 26 months (Google Analytics default)
Marketing preferences | Until consent is withdrawn or 3 years of inactivity
Security and access logs | 12 months

Where you request deletion under section 8, we will delete or anonymise your data unless we are required to retain it by law (for example, tax records).

11. Third-party Websites

The Service may contain links to external sites. We are not responsible for the privacy practices of those sites; please review their own privacy policies.

12. Children’s Privacy (POPIA s.34–35)

The Service is intended for users aged 18 and over. We do not knowingly process the personal information of children (under 18). If you believe we have inadvertently collected information from a child, please contact support@gemfinder.co.za and we will delete it.

13. The Information Regulator

You have the right to lodge a complaint with the Information Regulator (South Africa) regarding our processing of your personal information.

We ask that you contact our Information Officer first so we can attempt to resolve any concerns before you approach the Regulator.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page indicates when this policy was last revised.

15. Contact

For any questions, concerns or requests regarding this Privacy Policy or your personal information, please contact:

GemFinder — Information Officer
Email: support@gemfinder.co.za


This Privacy Policy is provided in plain language. It is not a substitute for legal advice; if you need clarification, please consult an attorney admitted in South Africa.