Privacy Policy

SAPawn ("we", "us", "our") is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African privacy legislation. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.

1. Who We Are

SAPawn is a cloud-based pawnshop management platform operating at sapawn.co.za. We provide software tools to pawnshop businesses across South Africa. We act as both:

• Responsible Party for data we collect directly (account registrations, platform usage).
• Operator for data that pawnshop businesses enter about their customers (processing on behalf of the shop).

2. Information We Collect

2.1 Shop Owner and Staff Information

Data	Purpose	Legal Basis
Full name, email, phone	Account creation and communication	Contract / Consent
Business registration number	Verify lawful pawnshop operation	Legal obligation
VAT and NCR registration numbers	Tax and credit compliance	Legal obligation
Business address and contact details	Service delivery, public storefront	Contract
Bank account details	Displayed to customers for EFT payments	Contract / Consent
Login credentials (password hashed)	Authentication	Contract

2.2 Pawnshop Customer Information

Pawnshops enter the following customer data into the Platform. The pawnshop is the Responsible Party for this data; SAPawn processes it on their behalf.

Data	Purpose	Legal Basis
Full name	Customer identification, agreements	Legal obligation (Second-Hand Goods Act)
South African ID number	Identity verification, legal requirement	Legal obligation (Second-Hand Goods Act)
Phone number, email	Communication, notifications, portal access	Contract / Legitimate interest
Physical address	Legal requirement for pawn agreements	Legal obligation
ID document photo	Identity verification, fraud prevention	Legal obligation / Legitimate interest
Transaction history	Pawn, sale, and payment records	Contract / Legal obligation

2.3 Marketplace Buyer Information

Data	Purpose	Legal Basis
Full name, email, phone	Order processing and communication	Contract
Delivery address	Shipping and courier services	Contract
Payment reference (via PayGate)	Payment verification	Contract
IP address, browser info	Fraud prevention	Legitimate interest

2.4 Automatically Collected Information

When you use the Platform, we may automatically collect:

• Browser type and version
• IP address
• Pages visited and features used
• Date and time of access
• Device information

This data is used for security monitoring, performance optimisation, and service improvement.

3. How We Use Your Information

We use personal information to:

• Provide, maintain, and improve the Platform.
• Process transactions and manage subscriptions.
• Send service-related notifications (expiry reminders, payment confirmations).
• Comply with legal obligations, including police integration under the Second-Hand Goods Act.
• Prevent fraud and ensure platform security.
• Generate anonymised, aggregated analytics for business reporting.
• Respond to support enquiries.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Information Sharing

We may share personal information only in these circumstances:

4.1 With Pawnshops (for Customer Data)

Customer data entered by a pawnshop is accessible to that pawnshop's owner and authorised staff. Multi-shop businesses can access data across their shops.

4.2 With Law Enforcement

The Platform integrates with the South African Police Service as required by the Second-Hand Goods Act. Police officers with approved access may:

• Search for items matching stolen goods reports.
• View item details, customer names, and transaction dates for items in their jurisdiction.
• Place investigation locks on items.

All police access is logged and auditable. Police users must be approved before access is granted.

4.3 With Service Providers

We use the following third-party services:

Provider	Purpose	Data Shared
PayGate / DPO Group (South Africa)	Payment processing	Payment amount, reference
Cloudinary	Image storage (item and ID photos)	Uploaded images
Cloudflare R2	File storage (desktop sync)	Uploaded files
Render.com	Cloud hosting	All platform data (encrypted at rest)

4.4 With Marketplace Buyers

When a customer purchases an item on the Marketplace, the selling pawnshop receives the buyer's name, phone number, email, and delivery details to fulfil the order.

4.5 Legal Requirements

We may disclose information if required by law, court order, or valid legal process.

5. Data Storage and Security

5.1 Where Data is Stored

• Cloud: Data is stored on secure servers hosted by Render.com. The database is PostgreSQL with encryption at rest.
• Desktop App: When using the offline desktop application, data is stored locally in an encrypted SQLite database and synchronised to the cloud when connected.

5.2 Security Measures

We implement industry-standard security measures, including:

• HTTPS encryption for all data in transit (TLS 1.2+).
• Password hashing using PBKDF2 with SHA-256.
• API key authentication with SHA-256 hashing for sync endpoints.
• Content Security Policy (CSP) headers to prevent cross-site scripting.
• Input sanitisation to prevent injection attacks.
• Rate limiting on authentication endpoints.
• Audit logging of security-relevant actions.
• Automatic session expiry after periods of inactivity.

5.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will:

• Notify the Information Regulator as required by POPIA.
• Notify affected individuals as soon as reasonably possible.
• Take immediate steps to contain and remediate the breach.

6. Data Retention

Data Type	Retention Period	Reason
Pawn transaction records	5 years minimum	Second-Hand Goods Act requirement
Customer ID records	5 years minimum	Legal compliance
Financial records	5 years minimum	Tax and audit requirements
Account data (active accounts)	Duration of account	Service provision
Account data (after cancellation)	90 days	Grace period for reactivation
Audit logs	2 years	Security and compliance
Police query logs	5 years	POPIA accountability
Sync deletion records	90 days	Desktop sync consistency

7. Your Rights Under POPIA

As a data subject, you have the right to:

• Access — Request confirmation of what personal information we hold about you.
• Correction — Request correction of inaccurate or incomplete information.
• Deletion — Request deletion of your personal information, subject to legal retention requirements.
• Objection — Object to the processing of your personal information on reasonable grounds.
• Data Portability — Request your data in a structured, commonly used format.
• Withdraw Consent — Where processing is based on consent, you may withdraw it at any time.
• Complain — Lodge a complaint with the Information Regulator if you believe your rights have been violated.

To exercise any of these rights, contact us at accounts@sapawn.co.za. We will respond within 30 days.

8. Cookies and Tracking

The Platform uses the following cookies:

Cookie	Purpose	Duration
csrftoken	Cross-site request forgery protection (security)	Session
sessionid	User authentication session	2 weeks
dark-mode	User display preference (localStorage)	Persistent
dashboard-widgets	Dashboard layout preference (localStorage)	Persistent

We do not use third-party advertising or analytics cookies. We do not track users across websites.

9. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. Pawnshop transactions in South Africa require customers to be at least 18 years of age.

10. International Data Transfers

Some of our service providers (Cloudinary, Cloudflare) may process data outside South Africa. Where this occurs, we ensure appropriate safeguards are in place as required by POPIA section 72, including contractual protections and the provider's adherence to comparable privacy standards.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users via email of material changes at least 14 days before they take effect. The "Last Updated" date at the top of this page indicates the most recent revision.

12. Information Regulator

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: enquiries@inforegulator.org.za
Tel: 012 406 4818

13. Contact Us

For privacy-related enquiries or to exercise your POPIA rights:

• Email: accounts@sapawn.co.za
• Website: sapawn.co.za

---

© 2026 SAPawn. All rights reserved. Made with love in South Africa.