Privacy Policy
Last updated: 8 March 2026
1. Introduction
Crimate ("we", "us", "our") is committed to protecting your personal information. This policy explains how we collect, use, store, and share your data in compliance with the Protection of Personal Information Act (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).
2. Information We Collect
Account Information
When you create an account: email address, full name, and optional company name. Passwords are hashed with bcrypt before storage.
API Usage Data
When you use our APIs: API key identifier (hashed), endpoint called, HTTP method, response status code, response time, and request IP address. This data is used for billing, rate limiting, and service improvement.
Payment Information
Payment details are processed by our payment gateway (PayFast). We store transaction references and amounts but never store credit card numbers or bank details.
3. How We Use Your Information
- To provide and maintain the Service
- To authenticate your identity and authorize API access
- To process payments and manage subscriptions
- To enforce rate limits and usage quotas
- To detect and prevent abuse or security threats
- To send important service notifications (not marketing)
- To improve the Service based on aggregate usage patterns
4. Data We Serve via APIs
Crimate serves data aggregated from public sources. For data containing personal information (e.g., company director details from CIPC):
- South African ID numbers are SHA-256 hashed before storage — raw ID numbers are never persisted
- Director personal details are accessible only through authenticated API calls with active subscriptions
- We apply data minimization — only fields necessary for the API product's purpose are stored
5. Data Retention
Account data is retained while your account is active. Usage logs are retained for 12 months for billing and analytics, then aggregated and anonymized. Payment transaction records are retained for 7 years as required by South African tax law.
6. Your Rights
Under POPIA and GDPR, you have the right to:
- Access: Request a copy of your personal data via dashboard settings
- Correction: Update your profile information in the dashboard
- Deletion: Delete your account and all associated data via dashboard settings
- Portability: Export your data in a machine-readable format
- Objection: Object to the processing of your personal data
To exercise these rights, use the dashboard settings or contact privacy@crimate.net.
7. Security
We implement industry-standard security measures: HTTPS-only (TLS 1.3), API keys hashed with SHA-256 before storage, passwords hashed with bcrypt, database access restricted to application services, and automated monitoring for access anomalies.
8. Third-Party Services
We use the following third-party services:
- PayFast: Payment processing (South Africa)
- Vercel: Dashboard hosting
- PostHog: Privacy-friendly product analytics
Each service has its own privacy policy. We share only the minimum data necessary for each service to function.
9. Cookies
We use essential cookies for authentication (JWT tokens stored in localStorage). We use PostHog for anonymous product analytics. We do not use third-party advertising cookies.
10. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users and the Information Regulator within 72 hours as required by POPIA Section 22.
11. Contact
For privacy-related inquiries, contact our Information Officer at privacy@crimate.net.