Privacy Notice

Last updated: 2026-05-14

1. About this notice

This notice describes how Metavaro (Pty) Ltd (“Metavaro”, “we”, “us”) collects and uses personal information when you visit metavaro.com, contact us, or hold a Metavaro account.

It is issued in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), where applicable.

A separate notice issued by your Metavaro customer organisation governs personal information held inside tenant applications you may use through Metavaro. In that context Metavaro is the operator (POPIA) or processor (GDPR), and the customer organisation is the responsible party (POPIA) or controller (GDPR).

2. Who we are

Registered name: Metavaro (Pty) Ltd
Registration number: 2016/054945/07
Address: 43 Bradford Road, Eastgate Office Towers 3rd Floor, Bedfordview, Gauteng, 2007, South Africa
Email: info@metavaro.com
Phone: +27 10 045 2200

Information Officer (POPIA) and Data Protection contact (GDPR): Adrian van Wyk, CEO. Email: privacy@metavaro.com.

3. What personal information we collect

When you visit our website

  • Technical data: IP address, browser type and version, device type, operating system, time of visit, pages viewed, referring page.
  • Strictly necessary cookies set by our infrastructure provider (Cloudflare) to protect the site against attack and abuse. See the Cookie Notice.

When you contact us

  • Identification data: name, business name (if applicable).
  • Contact data: email address, phone number (if you provide it).
  • The content of your message.

When you hold a Metavaro account

  • Identification data: name, role.
  • Contact data: email address.
  • Account data: account identifier, role assignments, last login, multi-factor authentication enrolment status.

We do not knowingly collect special-category personal information (race, religion, health, biometric data, criminal records and similar) through the website. If you choose to share any such information with us in a message, we treat it with extra care.

4. Why we use it and on what basis

Purpose | Lawful basis (GDPR Art 6 / POPIA s11)
Operate and secure the website | Legitimate interest (running and protecting the site)
Respond to your enquiry | Steps to enter into a contract; legitimate interest
Operate your Metavaro account | Performance of a contract
Marketing communications you have asked to receive | Consent (you can withdraw at any time)
Comply with our legal obligations | Legal obligation
Detect, investigate, and respond to security incidents | Legitimate interest (the safety of customers and the platform)

5. Who we share it with

We share personal information with the following sub-processors who help us deliver the service:

Sub-processor | Role | Storage
Amazon Web Services EMEA SARL | Cloud infrastructure (compute, database, storage) | eu-west-2 (London, UK)
Cloudflare, Inc. | Edge: DNS, web application firewall, DDoS protection | Global edge
GitHub, Inc. | Source-code hosting and CI/CD | United States
Google Ireland Limited (Google Workspace) | Email and document handling | European Union
Functional Software, Inc. (Sentry) | Application error tracking | United States

We update this list when sub-processors change. The current list is published on request.

We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.

We may disclose personal information where we are required to do so by law, court order, or a regulator, or where it is necessary to protect the rights, safety, or property of Metavaro, our customers, or others.

6. Where we process it

Personal information is stored in AWS region eu-west-2 (London, United Kingdom). It may be accessed by Metavaro personnel based in South Africa and the European Union.

For transfers of personal information governed by GDPR into the United Kingdom, we rely on the European Commission’s adequacy decision in respect of the UK. For access from South Africa, we rely on Standard Contractual Clauses recorded in our customer Data Processing Agreements.

For transfers of personal information governed by POPIA outside South Africa, we rely on the safeguards in section 72 of POPIA, which include contractual safeguards comparable to POPIA and recipient-country laws that provide a similar standard of protection.

7. How long we keep it

We keep personal information for as long as we need it for the purpose for which it was collected and for any legal or contractual obligation that applies. Indicative retention periods:

Category | Retention
Account records (while active) | Duration of your relationship with Metavaro
Account records (after closure) | Up to 12 months for billing and legal reconciliation
Enquiry messages and follow-up | 24 months from the date of last meaningful contact
Website technical logs | 90 days
Security and audit logs | 90 days hot; up to 365 days archived
Records we are required to retain by law | The statutory retention period

8. How we protect it

Metavaro operates an Information Security Management System aligned with ISO/IEC 27001:2022. Specific protections include:

  • Encryption of personal information at rest (AWS KMS / AES-256) and in transit (TLS 1.2 or higher).
  • Access controls based on least privilege, with multi-factor authentication for all administrative access.
  • Logging and monitoring of access to personal information.
  • Regular review of supplier security posture.
  • A documented incident response process and a personal-data breach notification procedure that meets POPIA section 22 and GDPR Articles 33 and 34.

9. Your rights

Subject to the conditions of POPIA and GDPR, you have the following rights in relation to your personal information:

  • Access: ask whether we hold personal information about you and ask for a copy.
  • Correction: ask us to correct personal information that is inaccurate or incomplete.
  • Erasure: ask us to delete personal information in defined circumstances.
  • Restriction: ask us to limit how we use your personal information while a dispute is resolved.
  • Portability: receive personal information you provided to us in a portable format.
  • Object: object to processing carried out on the basis of our legitimate interest, including direct marketing.
  • Withdraw consent: where we rely on your consent, you can withdraw it at any time.
  • Lodge a complaint: see section 13.

To exercise any of these rights, contact privacy@metavaro.com. We respond within 30 days and may extend that period by a further 60 days for complex requests, telling you in advance if we need to do so.

We do not charge a fee for handling routine requests. For requests that are clearly unfounded or excessive we may charge a reasonable administrative fee.

10. Cookies

We use a small number of cookies on metavaro.com. Strictly necessary cookies are used to keep the site secure and operational; non-essential cookies, if any, are used only with your consent. The full list and your choices are described in the Cookie Notice.

11. Children

The website is intended for business users. We do not knowingly collect personal information from children under the age of 18. If you believe we have collected information from a child, please contact us so we can delete it.

12. Changes to this notice

We may update this notice from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes are highlighted in a banner on the website and, where you hold an account, by direct notification.

13. Contact and complaints

For any privacy question, email the Information Officer at privacy@metavaro.com, or write to us at the address in section 2.

You also have the right to lodge a complaint with the Information Regulator (South Africa):

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: complaints.IR@justice.gov.za
Website: https://inforegulator.org.za/

If you are in the European Union, you may lodge a complaint with the supervisory authority in your member state.