Legal
Privacy Notice
Effective June 2026· Urbanlink Networks (Pty) Ltd
Urbanlink Networks (Pty) Ltd (“Urbanlink”, “we”, “us”, “our”) is committed to processing personal information responsibly and lawfully. This Privacy Notice describes the personal information we collect, the purposes for which we use it, who we share it with, and the choices and rights available to you, in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and other applicable laws of the Republic of South Africa.
1. Scope
This Notice applies to personal information we process about:
- visitors to and prospective customers of our website and platform;
- users of Urbanlink PMS (our property management software);
- recipients of communications we send (newsletters, service notifications, sales outreach);
- job applicants, business partners and service providers.
When you onboard your organisation onto Urbanlink PMS, your organisation becomes the responsible party in respect of the personal information of its tenants, landlords, vendors, employees and other data subjects whose information is uploaded to the platform. Urbanlink processes that information as an operator under a Data Processing Addendum — see our Data Processing Addendumfor the operator’s obligations.
2. Categories of personal information we collect
We process the following categories of personal information:
- Identification & contact data: name, surname, work email address, mobile and landline numbers, job title, organisation name and role.
- Authentication data: hashed passwords, multi-factor authentication secrets (encrypted at rest), session identifiers and login timestamps.
- Billing and account data:organisation legal name, VAT and company registration numbers, billing address, invoice history. We do not store payment card numbers — these are tokenised by our payment processor.
- Usage and device data: request paths, response times, error traces, browser type, operating system, IP address, approximate geographic location derived from IP, and pages visited.
- Communications: email correspondence with our support and sales teams, content of support tickets, and feedback you submit.
- Marketing and preference data: subscription preferences for newsletters and product updates, opt-out records.
We do not knowingly process special personal information (s26 of POPIA) or the personal information of children (s34 of POPIA) about the data subjects we deal with directly. Where such information is processed by a customer organisation through Urbanlink PMS, the customer is the responsible party and remains accountable for its lawful collection.
3. Sources
We obtain personal information from the following sources:
- directly from you when you complete a form, sign up, contact us or use our service;
- automatically through cookies and telemetry when you use the platform;
- from your organisation when an administrator adds you as a user;
- from publicly available sources, such as a company’s public website or the CIPC register, for business development purposes.
4. Purposes & lawful basis
We process personal information for the following purposes:
| Purpose | Lawful basis (POPIA s11) |
|---|---|
| Providing and operating Urbanlink PMS to our customers | Performance of a contract; legitimate interest |
| Authenticating users and securing accounts | Performance of a contract; legal obligation; legitimate interest |
| Billing, invoicing and collecting subscription fees | Performance of a contract; legal obligation (tax law) |
| Communicating service notices, security advisories and product updates | Performance of a contract; legitimate interest |
| Direct marketing (only to existing customers or with consent) | Consent; legitimate interest with opt-out (POPIA s69) |
| Responding to enquiries and providing customer support | Performance of a contract; legitimate interest |
| Detecting, investigating and preventing fraud or security incidents | Legitimate interest; legal obligation |
| Complying with regulatory, tax and accounting obligations | Legal obligation |
| Improving the platform, debugging, and analytics | Legitimate interest |
| Establishing, exercising or defending legal claims | Legitimate interest; legal obligation |
5. Recipients of personal information
We may share personal information with:
- Sub-operators who provide infrastructure, communications, payment and security services on our behalf. A current list is maintained in our Data Processing Addendum.
- Professional advisors— auditors, attorneys, insurers and consultants — subject to confidentiality undertakings.
- Regulatory authorities and courts where we are legally obliged to disclose, for example in response to a valid subpoena or order of court.
- Acquirers in the event of a corporate transaction (merger, sale of business), subject to confidentiality and the continued application of equivalent privacy protections.
We do not sell personal information.
6. Cross-border transfers
Where personal information is transferred to a recipient outside the Republic of South Africa, we comply with section 72 of POPIA. The recipient is either subject to a law or binding corporate rules that provide an adequate level of protection equivalent to POPIA, is bound by contractual provisions providing such protection, or the transfer is necessary for the performance of a contract with you or in your interest.
7. Retention
We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements. Retention periods follow the longer of:
- the period during which we maintain a relationship with you or your organisation;
- statutory retention periods under the Financial Intelligence Centre Act (FICA) — five years from the end of the business relationship;
- tax-record retention under the Tax Administration Act — five years from the end of the relevant tax year;
- any retention period imposed by the Companies Act or other applicable legislation.
On expiry of the applicable retention period, personal information is securely deleted or de-identified, except where we are required to retain it for the establishment, exercise or defence of legal claims.
8. Security
We implement appropriate technical and organisational measures to protect personal information against loss, unauthorised access, destruction and disclosure, in accordance with section 19 of POPIA. These measures include strong, industry-standard encryption at rest and in transit, modern password handling with multi-factor authentication, hard per-tenant isolation enforced beneath the application layer, tamper-evident audit logging, and regular security reviews.
In the event of a personal information breach we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with section 22 of POPIA.
9. Your rights as a data subject
Under POPIA you have the right to:
- be notified that your personal information is being collected and of any compromise of your information (sections 18 and 22);
- request access to the personal information we hold about you and details of who else has had access to it (section 23);
- request correction or deletion of inaccurate or excessive information (section 24);
- object to the processing of your personal information on reasonable grounds (sections 11 and 69);
- object to direct marketing and withdraw your consent to direct marketing at any time (section 69);
- not be subject to a decision based solely on automated processing that has legal or significant effects on you (section 71);
- submit a complaint to the Information Regulator (section 74) if you believe we have contravened POPIA.
To exercise any of these rights, email [email protected] with the subject line “POPIA request”. We will respond within the period prescribed by POPIA. We may charge a prescribed fee for access requests in accordance with Regulation 3 to POPIA.
10. Cookies and tracking
We use cookies and similar technologies to keep you signed in, remember your preferences (such as theme), and measure the performance of the platform. Strictly necessary cookies are set without consent because they are essential for the service to function. Non-essential cookies, where used, are subject to consent. You can control cookies through your browser settings; disabling strictly necessary cookies will prevent the platform from functioning correctly.
11. Direct marketing
We may send you marketing communications about Urbanlink products and services where permitted by POPIA section 69 — namely, where you are an existing customer in respect of similar products and services, or where you have provided consent. You can opt out of marketing communications at any time by following the unsubscribe instructions in any marketing email, or by emailing [email protected].
12. Automated decision-making
We do not make decisions that have legal or similarly significant effects on you based solely on automated processing of personal information. Where automated processing is used to support a decision (for example, fraud screening), a human reviews the outcome before any action is taken that materially affects you.
13. Children
Urbanlink PMS is a business-to-business service. We do not knowingly collect personal information from children under the age of 18. If you believe that a child has provided personal information to us, please contact us so that we can take appropriate action.
14. Changes to this Notice
We may update this Privacy Notice from time to time. The current version is identified by the “Effective” date at the top of this page. Material changes will be communicated to active customers by email and posted on this page at least 30 days before they take effect.
15. Information Officer
Our designated Information Officer in terms of section 55 of POPIA is contactable at [email protected]. Customer organisations designate their own Information Officer during onboarding.
16. Complaints
If you believe we have processed your personal information in a manner that contravenes POPIA, please contact us first so that we can attempt to resolve the matter. You may also lodge a complaint with the Information Regulator (South Africa) at:
- Website: inforegulator.org.za
- Email: [email protected]
- Postal address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001