Privacy Policy and Disclaimer

Privacy Policy

Scope, application, and relationship to other documents

1. Scope
   1. This Privacy Policy applies to personal information processed through Archinet, including when Users browse the website, register an Account, post on the Forum, purchase Digital Products, subscribe to paid services, or engage with Advertising and Partner Listings. 
   2. This policy applies to processing by Independent Architectural Services (IAS) as the Responsible Party (data controller equivalent under POPIA terminology).
2. Cross-reference
   1. This policy must be read with the Archinet Terms. Where the Terms address transaction records, refunds, account suspension, or content takedown, those provisions apply in addition to this policy.
3. POPIA conditions
   1. Archinet commits to the POPIA conditions for lawful processing, including accountability, purpose specification, information quality, openness, security safeguards, and data subject participation.
4. Responsible party details and contact
   1. Responsible Party
      • Responsible Party: Independent Architectural Services (IAS) (placeholder legal name format to be confirmed).
        • Registration number: [●]
        • Physical address: [●]
        • Email: [●]
        • Phone: [●]
5. Information Officer
   The Responsible Party will designate an Information Officer and, where required, register the Information Officer and Deputy Information Officers with the Information Regulator in line with the Regulator’s guidance. 
6. Categories of personal information collected
   1. Information you provide
      • phone number. 
      • Professional credentials (optional): SACAP registration number, category, practice name, province, and verification status if you request a “verified” profile or access controlled professional features. 
      • Purchases and subscriptions: billing contact details, invoice history, subscription plan, and transaction references issued by the Payment Gateway. 
      • Communications: support tickets, emails, form submissions, and feedback
7. .Forum and community data
   1. User Content: forum posts, comments, uploaded files, and profile biography fields.
   2. Moderation records: flags, moderation actions, and takedown communications.
8. Automatically collected data
   1. Technical identifiers: IP address, device type, browser, operating system, and approximate location derived from IP (coarse).
   2. Usage data: page visits, clicks, session duration, referral source, and error logs.
9. Cookies and tracking technologies
   1. Cookies used for: login session management, security controls, analytics, advertising measurement, affiliate tracking, and preference storage. 
   2. Cookie choices: Users can manage or block cookies via browser settings; some functions may not work without cookies.
10. Lawful bases for processing under POPIA
    1. Processing grounds
       • Archinet processes personal information only when one or more POPIA justifications apply, including: consent, contract performance, legal obligation, protection of a legitimate interest of the data subject, public-law duties (where relevant), or legitimate interests of the Responsible Party or a third party. 
       • Where processing is based on consent, Archinet will maintain records sufficient to demonstrate that consent was obtained.
11. Notification at collection
    Archinet will take reasonably practicable steps to notify data subjects of required information at collection, including what is collected, purpose, responsible party contact details, and how to exercise rights.
12. Purposes of processing
    1. Platform operation
       • Create and manage Accounts, authenticate sessions, and control access to features. 
       • Provide downloads, tools, and saved workflows linked to an Account.
13. Forum and community
    1. Enable users to publish User Content and participate in discussions, subject to moderation. 
    2. Detects spam, coordinated abuse, infringement, and prohibited content.
14. E-commerce, subscriptions, and refunds
    1. Process purchases and subscriptions, issue invoices, and manage access entitlements. 
    2. Handle refunds, chargebacks, and disputes using transaction logs and Payment Gateway references. 
    3. Prevent and investigate fraud and payment abuse using security logs and risk signals consistent with POPIA minimality and purpose limitation principles.
15. Analytics and service improvement
    Understand usage patterns to improve usability, performance, and reliability.
16. Advertising, affiliate links, and sponsored content
    1. Measure ad performance and manage Advertising placements.
    2. Where affiliate tracking is used, affiliate links will be identified on the relevant page or placement to reflect commercial relationships.
17. Legal and regulatory obligations
    Maintain records required by law for accounting and tax compliance, and to respond to lawful requests and enforce platform terms.
18. Special personal information
    1. Archinet’s position
       • Archinet does not intentionally require or request Special Personal Information for normal platform operation. 
       • Users must not post Special Personal Information in public forum areas unless they have a lawful basis and authority to do so.
19. If Special Personal Information is submitted
    1. Archinet may remove or restrict access to User Content containing Special Personal Information where it is inappropriate, unlawful, excessive, or creates risk to the data subject or third parties. 
    2. If Archinet plans any processing that would require prior authorization (for example, categories described by the Information Regulator guidance), Archinet will obtain legal advice and apply to the Regulator if required. 
20. Children and age limits
    1. Minimum age
       • Archinet is intended for built environment professionals and students. Accounts and e-commerce functions are restricted to Users 18 years and older. 
       • If Archinet becomes aware that an Account is held by a child as defined in POPIA, Archinet may suspend and delete the account and associated data, subject to legal retention obligations. 
       • If Archinet ever intends to process personal information of children in a manner requiring authorization, it will follow Information Regulator guidance and authorization processes.
21. Sharing, operators, and third-party processors
    1. Operators and processors
       • Archinet may use Operators for hosting, analytics, email delivery, customer support systems, and payment processing. 
       • Where personal information is processed by an Operator, Archinet will require contractual commitments consistent with POPIA Operator provisions, including processing only with authorization and maintaining appropriate security measures.
22. Payment gateways and PCI scope
    1. Payment card data is processed by the Payment Gateway. Archinet should not store full primary account numbers, card verification values, or raw magnetic-stripe/chip data.
    2. Archinet will implement Payment Gateway configurations that reduce PCI DSS scope where possible (hosted payment pages, tokenization). PCI DSS is the baseline standard published by the PCI Security Standards Council for environments storing, processing, or transmitting payment account data. 
23. Advertising and analytics partners
    1. Analytics and advertising technologies may set cookies or collect device identifiers. Archinet will disclose those uses and provide cookie control mechanisms. 
24. Partner listings and referrals
    • If a user requests contact with a listed partner, Archinet will disclose what information will be shared and the purpose of sharing before transferring any personal information. 
    • Archinet does not sell personal information to partners.
25. International transfers
    1. Cross-border processing
       • Archinet may use cloud providers and service providers with infrastructure outside South Africa. 
       • Archinet will only transfer personal information outside South Africa where POPIA’s cross-border transfer requirements are satisfied (including appropriate legal protection, binding agreements, or other lawful transfer mechanisms).
26. Security measures and breach notification
    1. Security safeguards
       • Archinet will maintain appropriate technical and organizational measures to safeguard personal information, as required by POPIA’s security safeguards condition.
       • Security controls will include access control, least-privilege permissions, logging, backups, encrypted transport (HTTPS/TLS), and secure password storage practices.
27. Security compromise notification
    1. If there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorized person, Archinet will notify the Information Regulator and affected data subjects as soon as reasonably possible, subject to legally permitted delay for criminal investigation constraints. 
    2. Notifications will include sufficient information to allow affected data subjects to take protective measures, and will follow the Information Regulator’s prescribed form and guidance. 
    3. The Information Regulator’s published guidance indicates there is no reporting threshold for security compromises and that responsible parties must report security compromises. 
28. Direct marketing and communications
    1. Marketing consent and opt-out
       • Archinet will not send unsolicited electronic direct marketing unless POPIA conditions are met, including opt-in consent where required, and compliant opt-out mechanisms. 
       • Users can opt out using unsubscribe links in emails and account preference settings. Archinet will maintain suppression records to respect opt-out choices.
29. One-time consent request
    Where POPIA restricts repeated consent requests, Archinet will apply the limitation described in POPIA’s direct marketing provisions and Regulator guidance.
30. CPA and ECT implications
    1. Archinet will present notices in plain, understandable language where required for consumer-facing disclosures and marketing practices.
    2. For electronic transactions, Archinet will publish and maintain accessible privacy and security procedure disclosures in line with ECT Act requirements for online suppliers.
31. Automated decision-making and profiling
    1. Use of automated decisions
       • Archinet may use automated controls for security and fraud prevention (for example, rate-limiting, credential-stuffing detection, and payment abuse checks). 
       • If Archinet implements automated decision-making that produces legal effects or similarly significant effects on Users, Archinet will comply with POPIA’s automated decision-making provisions and will disclose the logic and impact at a level appropriate to the risk.
32. Public content, moderation, and takedown
    1. Public forum content
       • Forum posts and profile content can be public by default. Users should not post personal information they do not want to be public.
       • Users must not post personal information of third parties unless they have authority and a lawful basis.
33. Moderation and removal
    Archinet may edit, restrict, or remove User Content to enforce platform rules, reduce risk, and respond to privacy complaints
34. Takedown procedure for unlawful content
    • Archinet will make available a takedown contact method and will act expeditiously to remove or disable access to unlawful content upon receipt of a valid takedown notice, consistent with ECT Act service provider frameworks. 
    • Archinet may require sufficient detail to identify content, the right infringed, and the complainant’s contact details as specified under the ECT Act takedown notification provisions. 
35. Data subject rights and how to exercise them
    1. Rights under POPIA
       • Data subjects may request access to personal information held by Archinet and may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained. 
       • Data subjects may object to processing in circumstances provided by POPIA, including objection to direct marketing. 
       • Data subjects may withdraw consent where processing is based on consent; withdrawal does not affect processing already performed lawfully before withdrawal.
36. How to submit requests
    1. Requests can be submitted to: [privacy email placeholder].
    2. Archinet may require identity verification before disclosing or deleting data to prevent unauthorized access. 
    3. Archinet will support the Information Regulator’s request forms where appropriate, including objection and correction/deletion forms made available by the Regulator.
37. Data portability
    1. POPIA does not provide a general “data portability” right equivalent to some foreign frameworks.
    2. Archinet may provide an export of Account data in a commonly used format where technically feasible and where this does not prejudice third-party rights or Archinet security. Legal review required for practical scope and exclusions.
38. Complaints to the Information Regulator
    Users may lodge POPIA complaints with the Information Regulator using published contact channels and processes.
39. Retention periods and criteria
    • General retention rule
      Archinet will not retain personal information longer than necessary for the purpose for which it was collected, unless retention is required or permitted by law. 
40. Retention schedule examples
    1. Account records: retained while the Account remains active, and for a limited period after deletion to complete dispute handling, security review, and legal compliance. 
    2. Transaction and invoice records: retained for statutory accounting and tax purposes. SARS guidance indicates retention periods commonly apply for at least five years from relevant submission dates, depending on circumstances. 
    3. Security logs: retained for a defined period appropriate to detect and investigate abuse and meet audit requirements, then deleted or de-identified. 
41. Record-keeping, audit trail, and policy versioning
    • Consent logs and version control
      Archinet will maintain a record of the Privacy Policy version accepted (timestamp and Account identifier) where consent-based processing or contractual assent requires it.
42. Transaction records
    For electronic transactions, Archinet will provide Users access to transaction records and will retain transaction records in a form accessible for subsequent reference consistent with ECT retention requirements. 
43. Changes to this Privacy Policy
    1. Updates
       • Archinet may update this Privacy Policy to reflect platform changes, legal developments, or operational requirements. 
       • Material changes will be communicated via website notice or Account email notification where feasible.
44. Effective date
    1. Effective date: 18 February 2026.
    2. Policy version: 1.0.
45. Disclaimer
    • Archinet provides architectural knowledge resources, workflow tools, templates, checklists, links, forum discussions, advertising, and partner listings for general informational use. Content on this platform is not legal advice, not project-specific professional advice, not a professional appointment, and not confirmation of compliance with the National Building Regulations, SANS standards, municipal by-laws, or any other applicable law. Users remain responsible for obtaining current official standards, confirming statutory and municipal requirements, and applying professional judgment. Use of Archinet does not create a professional-client relationship with Independent Architectural Services (IAS) or any listed partner. Partner listings and advertisements are not endorsements and do not guarantee competence, registration status, availability, or performance. 
46. Consent capture and UI text
    1. Separate checkboxes for: (a) Terms acceptance; (b) marketing opt-in; (c) cookie preferences (where applicable). 
    2. Provide POPIA section 18 collection notice at registration and checkout (what is collected, purpose, contact details, rights).
47. Retention schedule configuration
    1. Implement a retention matrix by data class (Account, payments, forum content, logs, marketing).
    2. Ensure accounting/tax retention aligns with SARS guidance for retention periods. 
48. Breach response checklist
    1. Internal steps: detect, contain, preserve logs, assess impacted data, notify Payment Gateway where relevant, prepare notifications. 
    2. External steps: notify Information Regulator using SCN1 and notify affected data subjects with protective guidance. 
49. Vendor and operator contracts
    1. Operator agreements must address POPIA operator duties, confidentiality, security safeguards, breach notification timelines, and audit rights.
    2. Cross-border providers: document the POPIA section 72 transfer mechanism used and store it with the vendor due diligence file.
50. Data subject request workflow
    1. Standard operating procedure: intake → identity verification → data mapping → response → closure log. 
    2. Provide links to Information Regulator forms for objection and correction/deletion. 
51. Forum moderation and takedown
    1. Publish a takedown contact method and process aligned to ECT takedown notification requirements.
    2. Train moderators on removal of personal information and special personal information in public posts.
52. DPIA recommendation for high-risk processing
    1. Perform and document a privacy risk assessment before enabling: identity verification, automated risk scoring, large-scale profiling, or cross-platform ad targeting. 
    2. Legal review required to confirm whether any planned processing triggers prior authorization requirements. 
53. Staff training checklist
    1. Annual training for staff and moderators on POPIA principles, breach handling, phishing awareness, and secure handling of support tickets containing personal information.

Primary sources and official guidance

• POPIA (Act 4 of 2013).
• Information Regulator: guidance on security compromise notifications and prescribed SCN1 form.
• Information Regulator: guidance note on direct marketing under POPIA.
• Information Regulator: guidance notes on processing children’s information and special personal information (authorization contexts).
• ECT Act (Act 25 of 2002): supplier disclosure duties including privacy policy and security procedures, consumer cancellation rights for electronic transactions, and unsolicited commercial communications requirements. 
• CPA (Act 68 of 2008): direct marketing control and plain-language requirements (consumer-facing notices).
• Information Regulator contact channels for complaints.

Archinet processes personal information to operate user accounts, provide tools and downloads, support forum participation, and manage subscriptions and purchases. Processing is conducted in line with POPIA, with security safeguards, defined retention criteria, and rights for access, correction, deletion, and objection. Payment card transactions are handled by third-party payment gateways, and users control marketing opt-in and cookie preferences. Archinet is an informational platform and does not create a professional-client relationship; users must obtain professional advice and verify statutory requirements where needed.