⚠ Draft for legal review, placeholder wording. Replace highlighted fields and have a qualified attorney / information officer review before publishing.
Legal

Privacy Policy

Effective date: June 2026 · Last updated: June 2026
Note for the team (remove before publishing): Starting template aligned to South Africa's Protection of Personal Information Act (POPIA). It is not legal advice. Confirm your actual data flows, sub-processors, and retention periods, fill every highlighted field, appoint and register an Information Officer, and have it reviewed before going live.
Contents 1. Who we are 2. What we collect 3. Why we use it 4. Who we share with 5. Cross-border 6. Retention 7. Security 8. Your rights 9. Cookies 10. Children 11. Information Officer 12. Changes

1. Who we are (Responsible Party)

For the purposes of POPIA, the Responsible Party for personal information processed through Blue Heart Circle is UPMRKT T/A Blue Heart Circle (registration number CK/2003/079981/23), of 5 Mountain Road, Heatherlands, George, Western Cape, 6529. This policy explains what personal information we collect, why, and your rights.

Where a Community Owner uses the Platform to collect information about their own Members, that Owner is also a Responsible Party for that information and is responsible for their own compliance.

2. What information we collect

3. Why we use your information (purpose & lawful basis)

We process personal information to: create and manage accounts; verify members and issue Verified IDs; process subscription payments and payouts; send service emails such as receipts, renewals, and login links; provide support; comply with legal and tax obligations; and keep the Platform secure. We rely on lawful bases under POPIA including performance of a contract, our legitimate interests, your consent (where applicable), and compliance with law.

4. Who we share information with

We share personal information only as needed to run the Services, with operators (sub-processors) such as our payment provider (PayFast), email provider (Resend), and hosting/database providers (Supabase, Netlify). Community Owners can see information about their own Members. We may disclose information where required by law. We do not sell your personal information.

5. Cross-border transfers

Some of our service providers may process information outside South Africa. Where this happens, we take reasonable steps, as required by POPIA, to ensure the information receives an adequate level of protection. Our payment provider PayFast processes data in South Africa. Our hosting, database, email and AI providers (including Netlify, Supabase, Resend and Anthropic) may process data outside South Africa. Where data is processed cross-border we take reasonable steps to ensure it receives an adequate level of protection as required by POPIA.

6. How long we keep it

We keep personal information for as long as needed to provide the Services and to meet legal, accounting, and tax requirements (for example, transaction and invoice records may be retained for the period required by South African law). When no longer required, we delete or de-identify it. Financial and transaction records are retained for at least five years as required by South African tax law. Account data is kept while your membership is active and for a reasonable period afterwards, after which it is deleted or de-identified.

7. How we protect it

We use reasonable technical and organisational measures to protect personal information, including encryption in transit, access controls, and reputable infrastructure providers. No system is perfectly secure, but we take steps to reduce risk and will notify you and the Information Regulator of a compromise where the law requires.

8. Your rights

Subject to POPIA, you may: ask what personal information we hold about you; ask us to correct or delete it; object to certain processing; and withdraw consent where processing is based on consent. You may also complain to the Information Regulator. To exercise these rights, contact our Information Officer below.

9. Cookies and analytics

We use only the cookies and storage needed to keep you logged in and to run the Platform. We do not use third-party analytics or advertising cookies.

10. Children

The Services are intended for adults and businesses. We do not knowingly collect personal information from children. If you believe a child has provided information, contact us and we will remove it.

11. Information Officer and complaints

Our Information Officer can be reached at Gustav Penny (support@blhrt.net). You also have the right to lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za).

12. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new effective date and, where changes are material, take reasonable steps to notify you.

See also our Terms of Service.