Legal
POPIA Notice
Effective June 2026· Urbanlink Networks (Pty) Ltd
This Notice is provided in compliance with sections 17 and 18 of the Protection of Personal Information Act 4 of 2013 (“POPIA”) and explains how Urbanlink Networks (Pty) Ltd (“Urbanlink”) processes personal information in its capacity as both a responsible party and an operator. It should be read together with our Privacy Notice and Data Processing Addendum.
1. Identity of the responsible party
Urbanlink Networks (Pty) Ltd is incorporated in the Republic of South Africa and operates Urbanlink PMS, a multi-tenant property management platform. We are the responsible party for personal information we collect directly from website visitors, prospective customers, customer administrators, and individuals who contact us. For personal information uploaded by our customers into the platform (about their tenants, landlords, vendors, employees and other data subjects), the customer organisation is the responsible party and Urbanlink is the operator under section 1 of POPIA.
2. Capacity in which we process
| Capacity | Applies to |
|---|---|
| Responsible party (s1) | Information about our prospects, customer administrators, billing contacts, support correspondents, website visitors, job applicants and direct marketing recipients. |
| Operator (s1, s20–21) | Information our customers upload to the platform about tenants, landlords, vendors, employees and other data subjects. |
3. Purpose of processing
We process personal information to deliver Urbanlink PMS and adjacent services to our customers, specifically for the following purposes:
- account creation, authentication and access management;
- lease administration, listings, tenant communications and maintenance workflows;
- trust accounting and double-entry financial recordkeeping;
- POPIA-compliance tooling (DSAR portal, breach assessment) for customer use;
- FICA know-your-customer capture and risk-rating for customer use;
- SARS-aligned reporting (VAT201, IT3(b), section 35A withholding);
- billing, invoicing and collection of subscription fees;
- customer support, security operations, fraud prevention;
- direct marketing to existing customers under POPIA section 69;
- compliance with applicable South African law.
4. Categories of data subjects
- customer organisation users (administrators, staff, agents);
- tenants and prospective tenants;
- landlords, property owners and beneficial owners;
- vendors and service providers in the maintenance workflow;
- body-corporate members, trustees and managing agents;
- website visitors, prospects and job applicants.
5. Categories of personal information
- Identification: name, ID number or passport, date of birth, photograph (where supplied), nationality.
- Contact: physical address, email, telephone numbers, emergency contact.
- Financial: bank account details, income proof, payment history, credit and rental references.
- Property and lease records: rental terms, deposit, inspection reports, maintenance history.
- Communications: content of email, SMS, WhatsApp and in-app messages sent through the platform.
- Audit and access logs: sign-in times, IP addresses, actions taken within the platform.
- FICA records:proof of identity, proof of residence, source of funds, risk rating — processed on behalf of the customer.
6. Whether supply is voluntary or mandatory
For the personal information we collect directly, supply is generally voluntary, however certain information is required to create an account, raise an invoice or comply with applicable law (for example, billing details and VAT identification). Where supply is mandatory and you do not supply the information, the consequence is that we may be unable to provide the Service or perform the contract.
7. Source of personal information
We collect personal information directly from data subjects, from customer administrators (in respect of Users they add to the platform), from publicly available sources for limited business development purposes, and automatically through telemetry when the platform is used.
8. Recipients
We share personal information only as necessary to deliver the Service, comply with the law or protect the rights of Urbanlink or others. Recipients include our sub-operators (infrastructure, communications, payment, security), our professional advisors, regulatory authorities and courts where legally required, and acquirers in the event of a corporate transaction. A current list of sub-operators is maintained in the Data Processing Addendum.
9. Cross-border transfers
Where personal information is transferred to a recipient outside the Republic of South Africa, we comply with section 72 of POPIA. The recipient is either subject to a law or binding rules that provide an adequate level of protection equivalent to POPIA, is contractually bound to provide such protection, or the transfer is necessary for the conclusion or performance of a contract with the data subject or in the data subject’s interest.
10. Retention & deletion
Personal information is retained only for as long as is necessary to achieve the purpose for which it was collected, and thereafter as required by applicable law (FICA five-year retention from the end of the business relationship, Tax Administration Act five-year retention from the relevant tax year, and other statutory periods). On expiry, personal information is securely deleted or de-identified, subject to lawful retention for the establishment, exercise or defence of legal claims.
11. Security safeguards
We implement the technical and organisational measures required by section 19 of POPIA, including:
- strong, industry-standard encryption of sensitive data at rest;
- strong, industry-standard encryption in transit;
- hard per-tenant data isolation enforced beneath the application layer;
- tamper-evident, append-only audit logging;
- modern password handling with multi-factor authentication;
- daily encrypted backups with industry-standard cryptography;
- regular security reviews, vulnerability patching and access governance.
12. Personal information breaches
In the event of a personal information breach affecting Urbanlink, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with section 22 of POPIA. Where Urbanlink processes personal information as an operator and becomes aware of a breach, we will notify the responsible party customer without undue delay so that the customer can perform its own notification obligations.
13. Your rights as a data subject
POPIA grants you the following rights, which you may exercise without charge:
- Notification— to be notified that personal information is being collected (s18).
- Access— to confirm that we hold personal information about you and to request a copy, subject to the prescribed access fee (s23).
- Correction or deletion— to request correction of inaccurate, misleading or out-of-date information, or deletion of information that is no longer authorised to be retained (s24).
- Objection— to object on reasonable grounds to the processing of your personal information (s11(3)).
- Direct marketing— to object to processing of your personal information for direct marketing at any time (s69).
- Automated decision-making— not to be subject to a decision based solely on automated processing that has legal or significant effects (s71).
- Complaint— to submit a complaint to the Information Regulator if you believe we have contravened POPIA (s74).
Where Urbanlink processes your personal information as an operator on behalf of a customer, you should direct your request in the first instance to that customer organisation. We will assist the customer in responding to your request as required by the Data Processing Addendum.
14. How to exercise your rights
Send a written request to [email protected] with the subject line “POPIA request”. We may require proof of identity before we can act on a request. We will respond within the period prescribed by POPIA (currently 30 days, extendable in defined circumstances).
Forms prescribed under POPIA (such as Form 1 for objections, Form 2 for correction or deletion, and Form 4 for marketing objections) are available on the Information Regulator’s website at inforegulator.org.za.
15. Information Officer
Our Information Officer in terms of section 55 of POPIA can be contacted at:
- Email: [email protected] (subject line: “Information Officer”)
Customer organisations onboarded onto Urbanlink PMS must designate their own Information Officer at the time of organisation creation, and remain responsible for appointing and supporting that officer as required by POPIA.
16. Information Regulator (South Africa)
Complaints relating to the processing of personal information may be lodged with the Information Regulator at:
- Website: inforegulator.org.za
- Email (general): [email protected]
- Email (complaints): [email protected]
- Postal address: The Information Regulator (South Africa), JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
17. Updates to this Notice
We may update this POPIA Notice from time to time. The effective date appears at the top of this page. Material changes will be communicated by email to active customers and posted on this page at least 30 days before they take effect.