Privacy Policy.
Protection of Personal Information Act (POPIA) Compliance
Effective Date: 26 February 2026 | Version: 1.0
1. Introduction
Brightwave Capital (Pty) Ltd, trading as Brightwave Commercial Property (“Brightwave”, “we”, “us”, or “our”), is committed to protecting the privacy and personal information of all individuals who interact with our business. This Privacy Policy explains how we collect, use, store, share, and protect your personal information in accordance with the Protection of Personal Information Act, 2013 (Act 4 of 2013) (“POPIA”).
Brightwave is the “Responsible Party” as defined under POPIA, meaning we determine the purpose and means of processing your personal information.
Company Details
| Registered Name | Brightwave Capital (Pty) Ltd |
| Trading As | Brightwave Commercial Property |
| Location | Cape Town, Western Cape, South Africa |
| marnitz@brightwaveproperty.co.za | |
| Phone | +27 60 928 6049 |
| Website | brightwaveproperty.co.za |
2. Information Officer
In accordance with Section 55 of POPIA, Brightwave has designated the following Information Officer who is responsible for ensuring our compliance with POPIA and for handling all privacy-related queries and requests:
| Information Officer | Marnitz"; Managing Director |
| marnitz@brightwaveproperty.co.za | |
| Phone | +27 60 928 6049 |
3. Scope and Applicability
This Privacy Policy applies to all personal information collected from:
- Visitors to our website at brightwaveproperty.co.za
- Prospective and current tenants, landlords, property owners, and investors
- Individuals who submit enquiries via our contact forms, email, phone, or WhatsApp
- Individuals who request property brochures or vacancy schedules
- Subscribers to our newsletter or marketing communications
- Users of our online lease and application processes
4. Key Definitions
In this Privacy Policy, the following terms have the meanings defined under POPIA:
- Personal Information — Any information relating to an identifiable, living, natural person or an existing juristic person, including but not limited to name, email address, phone number, ID number, financial information, and location data.
- Processing — Any operation performed on personal information, including collection, storage, use, modification, distribution, and destruction.
- Data Subject — The person whose personal information is being processed (i.e., you).
- Responsible Party — The entity that determines the purpose and means of processing personal information (i.e., Brightwave).
- Operator — A third party that processes personal information on behalf of the Responsible Party.
- Special Personal Information — Information concerning race, religion, health, sexual orientation, biometrics, criminal behaviour, trade union membership, or political persuasion.
5. Personal Information We Collect
We collect the following categories of personal information depending on how you interact with us:
5.1 Contact and Enquiry Information
- Full name
- Email address
- Phone number
- Company or organisation name
- Message or enquiry content
5.2 Property Enquiry Information
- Property type and area preferences
- Budget or rental range
- Specific unit or building of interest
- Space requirements
5.3 Tenant and Lease-Related Information
- Identity number or company registration number
- Proof of income or financial statements
- Employment details
- Banking details (for deposit processing)
- Credit references
- FICA documentation (as required by law)
5.4 Landlord and Property Owner Information
- Identity number or company registration number
- Banking details (for rental collection and disbursement)
- Property ownership and title deed details
- Lease terms and financial arrangements
5.5 Website Technical Data
- IP address
- Browser type and version
- Operating system
- Pages visited and time spent on site
- Referring URL
- Device identifiers
6. How We Collect Personal Information
We collect personal information through the following means:
- Directly from you — when you complete contact forms, send emails, make phone calls, attend property viewings, or submit lease applications
- Automatically — through cookies, web analytics (Google Analytics), and server logs when you visit our website
- From third parties — referrals from other brokers or agents, property portals such as Property24, and publicly available sources such as the Deeds Office or CIPC records
7. Legal Basis for Processing
Under Section 11 of POPIA, we process your personal information based on one or more of the following lawful grounds:
| Lawful Ground | Examples |
|---|---|
| Consent | Marketing emails, newsletter subscriptions, cookie consent for analytics |
| Contractual Necessity | Processing lease applications, managing tenant/landlord relationships, property mandates |
| Legal Obligation | FICA compliance, PPRA regulatory requirements, tax records (SARS), anti-money laundering |
| Legitimate Interest | Responding to property enquiries, fraud prevention, improving our services |
8. Purposes of Processing
As required by Section 13 of POPIA, we process your personal information for the following specific purposes:
- Responding to property enquiries and matching clients to available units
- Conducting property viewings and sending brochures or vacancy schedules
- Negotiating and administering lease agreements
- Processing tenant applications, including credit and reference checks
- Invoicing and financial administration for landlords and tenants
- Compliance with FICA, PPRA, and SARS obligations
- Sending property listings, market updates, and area reports (with your consent)
- Website analytics and performance improvement
- Internal record-keeping and CRM management
- Data breach response and security monitoring
9. Data Retention
In accordance with Section 14 of POPIA, we retain personal information only for as long as is necessary to fulfil the purpose for which it was collected, unless a longer retention period is required by law.
| Data Category | Retention Period |
|---|---|
| Property enquiries and leads | 2 years after last contact |
| Lease-related records | 5 years after lease expiry |
| FICA records | 5 years minimum (Financial Intelligence Centre Act) |
| Invoices and financial records | 5 years (Income Tax Act) |
| Marketing consent records | Duration of consent plus 1 year |
| Website analytics data | 14 months (Google Analytics default) |
At the end of the applicable retention period, personal information is securely deleted or anonymised. You may request earlier deletion of your data, subject to any legal retention obligations we must comply with.
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to improve your browsing experience and to understand how you interact with our site.
10.1 Types of Cookies We Use
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Session management, security tokens | No (exempt) |
| Analytics / Performance | Google Analytics — traffic analysis, user behaviour, page performance | Yes |
| Functional | Theme preference, currency selection, display settings | Yes |
10.2 Google Analytics
We use Google Analytics (GA4) to understand website traffic and user behaviour. Google Analytics sets cookies including _ga and _gid to distinguish unique users and throttle request rates.
- Data processor: Google Ireland Limited / Google LLC (USA)
- Data collected: IP address (anonymised), pages visited, session duration, device information
- Cross-border transfer: Data may be transferred to the USA under Google’s Data Processing Agreement
- Retention: 14 months
- Opt-out: You may opt out by installing the Google Analytics Opt-out Browser Add-on
10.3 Google Maps
We embed Google Maps on property listing pages to display property locations. Google may collect your IP address and location interaction data. Google’s privacy policy applies to data collected through these embeds.
10.4 Managing Cookies
You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. Instructions for managing cookies are available in your browser’s help documentation.
11. Third-Party Sharing and Operators
We may share your personal information with the following categories of third parties, each of whom is contractually bound to process data only in accordance with our instructions and to maintain adequate security measures, as required by Section 21 of POPIA:
| Third Party | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data storage | South Africa (af-south-1) / USA |
| Google Analytics | Website analytics | USA |
| Google Maps | Property location display | USA |
| Cloudflare | Website hosting and security | Global (edge network) |
| Property24 | Property listing distribution | South Africa |
| Credit bureaus | Tenant credit checks (with your consent) | South Africa |
| PPRA | Regulatory compliance and audits | South Africa |
| SARS | Tax obligations | South Africa |
| Professional advisors | Legal, accounting, and audit services | South Africa |
We do not sell your personal information to any third party.
12. Cross-Border Data Transfers
In accordance with Section 72 of POPIA, some of your personal information may be transferred to and processed in countries outside South Africa, including the United States (for cloud infrastructure, analytics, and mapping services).
Where such transfers occur, we ensure that the recipient is subject to a law or binding agreement that provides an adequate level of protection substantially similar to that provided under POPIA. All cross-border operators are bound by Data Processing Agreements that require equivalent security and privacy standards.
13. Security Safeguards
In compliance with Section 19 of POPIA, we implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or unlawful processing. These measures include:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Access controls and role-based permissions
- Regular security assessments and monitoring
- Staff training and confidentiality obligations
- Secure deletion procedures for data past retention periods
While we take all reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the highest reasonable standard.
14. Data Breach Notification
In the event of a security compromise involving your personal information, we will, in compliance with Section 22 of POPIA:
- Notify the Information Regulator as soon as reasonably possible (within 72 hours of becoming aware of the breach)
- Notify affected data subjects as soon as reasonably possible, providing:
- A description of the nature of the compromise
- The categories of personal information affected
- Recommended steps you can take to protect yourself
- Contact details of our Information Officer
15. Your Rights as a Data Subject
Under POPIA, you have the following rights regarding your personal information:
Right to Access
You may request confirmation of whether we hold your personal information and request a copy of it (Section 23).
Right to Correction or Deletion
You may request that inaccurate, incomplete, misleading, or out-of-date information be corrected or deleted (Section 24).
Right to Object
You may object to the processing of your personal information on reasonable grounds (Section 11(3)).
Right to Opt Out of Marketing
You may opt out of receiving direct marketing communications at any time (Section 69).
Right to Withdraw Consent
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint
You may lodge a complaint with the Information Regulator if you believe your rights have been violated.
To exercise any of these rights, please contact our Information Officer at marnitz@brightwaveproperty.co.za. We will respond to your request within 30 days. We may require verification of your identity before processing your request.
16. Direct Marketing
In accordance with Section 69 of POPIA, we will only send you electronic marketing communications (email, SMS, or WhatsApp) if:
- You have given us your prior opt-in consent; or
- You are an existing client and the marketing relates to similar products or services to those you have previously engaged with
Every marketing communication we send will clearly identify Brightwave as the sender and include a functional unsubscribe or opt-out mechanism. We honour all opt-out requests promptly and maintain a suppression list of individuals who have opted out.
17. Children’s Personal Information
Our website and services are not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected personal information from a child, we will take immediate steps to delete such information. Parents or guardians who believe we may hold a minor’s information should contact us at marnitz@brightwaveproperty.co.za.
18. Special Personal Information
Brightwave does not generally collect or process special personal information (such as information relating to race, religion, health, sexual orientation, political persuasion, trade union membership, or criminal behaviour) unless specifically required by law.
Where FICA obligations require us to collect identity documents or financial records, we rely on the legal obligation ground under POPIA. Where tenant credit checks are conducted, we obtain your specific prior consent.
19. Automated Decision-Making
Brightwave may use AI-assisted tools to match property enquiries to available listings and to generate property marketing content. These tools assist our brokers but do not make final decisions that materially affect you without human oversight. You may request human review of any automated process that affects you by contacting our Information Officer.
20. Links to Third-Party Websites
Our website may contain links to third-party websites, including property portals, mapping services, and social media platforms. We are not responsible for the privacy practices or content of these external sites. We encourage you to read the privacy policies of any third-party websites you visit.
21. Complaints Procedure
If you believe that your personal information has been processed in violation of POPIA, you may:
- Contact our Information Officer directly at marnitz@brightwaveproperty.co.za or +27 60 928 6049. We will investigate and respond within 30 days.
- Escalate to the Information Regulator if your complaint is not resolved to your satisfaction:
Information Regulator (South Africa)
| Address | JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 |
| Postal | P.O. Box 31533, Braamfontein, Johannesburg, 2017 |
| POPIAComplaints@inforegulator.org.za | |
| Phone | 010 023 5207 |
| Website | www.inforegulator.org.za |
Lodging a complaint with the Information Regulator does not affect your right to pursue civil remedies. Complaints must be submitted to the Regulator within 3 years of becoming aware of the alleged breach.
22. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our business practices, legal requirements, or data processing activities. Material changes will be communicated via a prominent notice on our website. The effective date at the top of this policy indicates when it was last revised.
Contact Us About Your Privacy
If you have any questions about this Privacy Policy or wish to exercise your rights under POPIA, please contact:
Information Officer: Marnitz
Email: marnitz@brightwaveproperty.co.za
Phone: +27 60 928 6049