Privacy Policy
Last updated: 2026-04-151. Introduction
This Privacy Policy describes how SA FitFoodz (Pty) Ltd (trading as PropChat, registration number 2018/559835/07, VAT number 4050298597), a private company incorporated in South Africa, collects, uses, shares, and protects personal information when you use the PropChat service at propchat.co.za.
PropChat is a WhatsApp messaging platform for South African real estate agencies. We help agencies send neighbourhood farming campaigns, qualify leads, and manage conversations with homeowners on WhatsApp — operating as a Meta Tech Provider under the WhatsApp Business Platform.
Our registered address is 77 Walter Sisuku Street, Potchefstroom, North West, South Africa.
This policy is issued in compliance with the Protection of Personal Information Act, 4 of 2013 ("POPIA") and, where relevant, the General Data Protection Regulation ("GDPR"). It uses plain language as required by POPIA Section 18(1)(h).
2. Our dual role under POPIA
PropChat plays two different roles depending on the type of personal information involved. It is important to understand which role applies to you.
We are the Responsible Party for:
- Agency account data — the names, email addresses, phone numbers, passwords, and login activity of agency owners and their staff who sign up to use PropChat
- Billing data — subscription plan, seats, payment records, invoices, and related communications with PayFast
- Support communications — any emails, messages, or requests you send to us directly
For this category of data, PropChat is the Responsible Party (the "data controller" in GDPR terms) and has full obligations under POPIA: lawful basis, data subject rights, security safeguards, and breach notification.
We are an Operator for:
- End-customer (homeowner) data that estate agencies upload to and process through PropChat — including phone numbers, names, addresses, property details, message content, WhatsApp profile names, opt-in status, and message timestamps
For this category of data, the estate agency is the Responsible Party and PropChat acts as an Operator (the "data processor" in GDPR terms) on the agency's documented instructions, pursuant to POPIA Sections 20 and 21 and the written Data Processing Annex in our Terms of Service.
If you are a homeowner who has received a WhatsApp message from a PropChat-powered estate agency and you wish to exercise your POPIA rights over that data, please contact the agency directly. They are your Responsible Party. PropChat will assist the agency in responding to your request but cannot act on your behalf without the agency's instructions.
3. Information we collect
From agency owners and staff (we are Responsible Party)
- Full name, email address, mobile phone number, role within the agency
- Password — stored as a bcrypt hash; we never see or store the plain password
- IP address and browser user-agent at login (for security logging)
- Session tokens (httponly, secure cookies)
- Billing contact details — agency name, billing email, VAT number (optional)
We do not collect or store credit card, bank account, or other payment card details. Payment information is handled exclusively by PayFast (Pty) Ltd, which is PCI DSS compliant. PropChat only receives payment confirmation signals and the last four digits or token reference of the payment instrument.
From end-customers (homeowners) — we are Operator for the agency
- Phone number (typically in E.164 format, e.g. +27 82 123 4567)
- Name and surname (as provided by the agency in their contact list or as reported by WhatsApp)
- Physical address, suburb, city, property details (from the agency's contact list)
- WhatsApp profile display name (when visible via Meta webhook)
- Message content — inbound messages sent by the homeowner, and outbound messages the agency sends
- Message timestamps, delivery status, and read receipts
- Opt-in and opt-out status (including reason and timestamp)
- Campaign interaction analytics (e.g. reply rate, click-through)
4. How we collect it
- Directly from the agency at signup and during ongoing use — contact imports, campaign creation, agent profile updates, message sends
- From the Meta WhatsApp Business Platform — every inbound message, delivery receipt, and status update is received by our webhook endpoint, scoped to the agency's WhatsApp Business Account (WABA)
- From PayFast — subscription payment events via Instant Transaction Notification (ITN) webhook, including transaction ID, amount, status, and non-sensitive payment method information
-
From cookies — a single session cookie
(
session_token) set on login, markedHttpOnly; Secure; SameSite=Lax. No third-party tracking, no advertising cookies, no analytics cookies
5. Why we collect it (lawful basis under POPIA Section 11)
| Data type | Lawful basis |
|---|---|
| Agency account data | Contractual necessity (Section 11(1)(b)) — we cannot provide the service without it |
| Billing data | Contractual necessity and legal obligation (Section 11(1)(c)) — SARS tax retention requirements |
| Homeowner data (as Operator) | Processed on the agency's instructions. The agency relies on its own lawful basis — typically explicit opt-in consent (Section 11(1)(a)) or the agency's legitimate interest combined with the homeowner's reasonable expectation that an estate agency may contact them about property matters |
| Security logs | Legitimate interest (Section 11(1)(f)) in protecting the service against fraud, abuse, and unauthorised access |
6. Who we share it with
We share personal information only with the third-party service providers necessary to operate PropChat. We do not sell, rent, or trade personal information to anyone for any purpose.
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Meta Platforms Ireland Ltd (WhatsApp Business Platform) | Delivering and receiving WhatsApp messages on behalf of agencies | Ireland and United States | Meta Standard Contractual Clauses, Meta's own privacy policy and security controls |
| PayFast (Pty) Ltd | Processing subscription payments and white-glove setup fees | South Africa | PCI DSS Level 1 compliant; regulated by South African Reserve Bank |
| xneelo (Pty) Ltd | Hosting the PropChat application and database | South Africa | ISO 27001 certified data centre; encryption in transit via TLS; disk-level encryption at rest |
| Let's Encrypt / Internet Security Research Group | TLS certificate issuance for propchat.co.za | United States | Automated issuance only; no personal information shared |
We may add additional subprocessors as the service evolves. Material changes to this list will be announced via email to agency owners and via a dashboard banner at least 30 days before the change takes effect, giving agencies an opportunity to object.
7. Cross-border transfers (POPIA Section 72)
Some of the personal information we process is transferred outside the Republic of South Africa — specifically to servers operated by Meta Platforms in Ireland and the United States as part of the WhatsApp Business Platform. This transfer is necessary to deliver WhatsApp messages.
PropChat relies on POPIA Section 72(1)(a) and Meta's published Standard Contractual Clauses to provide adequate protection for these transfers. Meta is subject to the EU-U.S. Data Privacy Framework for transfers from the European Economic Area to the United States.
By using PropChat to send messages over WhatsApp, you acknowledge and consent to this cross-border transfer where your instructions cannot be carried out without it.
8. How long we keep your information
| Data type | Retention period |
|---|---|
| Active agency account data | For as long as the subscription is active, plus 90 days after cancellation |
| Message content (inbound and outbound) | Up to 12 months by default; may become configurable per agency in future releases |
| Billing and invoice records | 5 years (required by SARS under the Tax Administration Act) |
| Server logs (access, error, audit) | 30 days |
| Closed account data (non-billing) | Deleted within 90 days of cancellation |
| Do Not Contact list | Retained indefinitely to honour opt-outs, even after account closure |
9. Your POPIA rights (Sections 23, 24 and 25)
If you are an agency owner, agent, or staff member whose data PropChat holds as Responsible Party, you have the following rights under POPIA:
- Right to access — confirm what personal information we hold about you and receive a copy
- Right to correction — correct information that is inaccurate, irrelevant, excessive, outdated, misleading, or obtained unlawfully
- Right to deletion — request deletion of personal information we no longer need or that we are processing unlawfully (subject to our legal retention obligations)
- Right to object to processing — object on reasonable grounds relating to your particular situation
- Right to object to direct marketing — opt out of any direct marketing at any time, at no cost
- Right to data portability — receive your data in a structured, commonly used format (POPIA offers narrower portability rights than GDPR; we provide best-effort export)
- Right not to be subject to automated decision-making — we do not currently make automated decisions with legal or similarly significant effects about you
- Right to lodge a complaint with the Information Regulator — see Section 15 below
If you are a homeowner whose data is processed through an agency's PropChat account, please contact the agency directly to exercise these rights, as the agency is your Responsible Party.
10. How to exercise your rights
To exercise any of the rights in Section 9, send an email to our Information Officer at privacy@propchat.co.za. We will confirm receipt within 3 business days and respond substantively within 30 days, extended only as permitted by POPIA. We do not charge a fee for reasonable requests and will explain any exceptional fee before charging it.
We may need to verify your identity before processing your request. If we cannot verify you, we may decline the request and tell you why.
11. Security (POPIA Section 19)
We take appropriate, reasonable technical and organisational measures to protect personal information from loss, unauthorised access, interference, modification, destruction, and disclosure:
- All connections to propchat.co.za use TLS 1.2 or higher (HTTPS only, HSTS enforced)
- Passwords are hashed using bcrypt with an industry-standard work factor
- Session cookies are marked
HttpOnly,Secure, andSameSite=Lax - Login endpoints are rate-limited to mitigate brute-force attacks
- The production database runs on an ISO 27001 certified data centre with disk-level encryption at rest
- Backups are taken regularly and stored in isolation from production
- Access to production systems is limited to the Information Officer and requires SSH key-based authentication
- Security headers are enforced: HSTS, X-Frame-Options DENY, Content-Security-Policy upgrade-insecure-requests
- We continuously review and improve these safeguards
12. Data breach notification (POPIA Section 22)
If we become aware that personal information we hold has been compromised — meaning that an unauthorised person has, or could reasonably have, acquired access to it — we will notify affected data subjects and the Information Regulator as soon as reasonably possible after discovering the compromise, as required by POPIA Section 22.
If PropChat becomes aware of a compromise affecting personal information we process as an Operator on behalf of an agency, we will notify that agency without undue delay so they can fulfil their own Section 22 obligations to their data subjects.
Notifications will include the nature of the compromise, the categories and approximate number of affected records, the likely consequences, the measures we have taken in response, and recommended actions for data subjects.
13. Cookies
PropChat uses only essential cookies necessary for the service to function. We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. Because all our cookies are strictly necessary, we do not display a consent banner — this is permitted under the ePrivacy Directive and the POPIA interpretation for essential cookies.
| Cookie | Purpose | Lifetime |
|---|---|---|
session_token |
Keeps you logged in after authentication | 72 hours from last sign-in |
14. Information Officer details
Information Officer
Willem Reynders
Email: privacy@propchat.co.za
Postal: 77 Walter Sisuku Street, Potchefstroom, North West, South Africa
The Information Officer of SA FitFoodz (Pty) Ltd is designated pursuant to POPIA Section 55 and is responsible for encouraging compliance with POPIA, dealing with requests made to the company, working with the Information Regulator, and otherwise ensuring compliance with POPIA.
15. Lodging a complaint with the Information Regulator
If you believe PropChat has failed to comply with POPIA and you have been unable to resolve the matter with our Information Officer, you may lodge a complaint with:
Information Regulator (South Africa)
JD House, 27 Stiemens Street
Braamfontein, Johannesburg, 2001
Email: complaints.IR@justice.gov.za
Website: inforegulator.org.za
16. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced at least 30 days before taking effect via:
- Email to the billing address on each active agency
- A banner on your PropChat dashboard
- An updated Last updated date at the top of this page
Continued use of PropChat after a change takes effect constitutes acceptance of the updated policy. If you do not agree to a change, you may cancel your subscription before the change takes effect.
17. Contact us
For general support questions, email support@propchat.co.za.
For privacy questions, data subject requests, or POPIA matters, email privacy@propchat.co.za.
For legal notices, email legal@propchat.co.za.
18. Effective date
This Privacy Policy is effective as of 2026-04-15.