Privacy Policy
This privacy policy explains how Rhystic collects, uses, and protects your personal information when you use our service—including collection and trading features, the community hub, and (where you choose to pay) event registration payments processed by our payment service provider. We process personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African data protection laws.
Last updated: 29 May 2026
1. Responsible Party and Information Officer
Rhystic is the responsible party for the processing of your personal information under POPIA. We have appointed an Information Officer who is registered with the Information Regulator. For any enquiries regarding this policy or to exercise your data subject rights, contact us at: info@rhystic.co.za.
2. Personal Information We Collect
We collect personal information that you provide when registering, managing your collection, participating in trades, and (where applicable) registering for community events published on our hub. This may include:
- Name and email address
- Profile information and preferences
- Location data (where you choose to provide it for location-based features)
- Card collection data and trade history
- Community event registrations (including optional deck references you choose to attach) and registration status
- Payment-related records for paid community events: transaction reference, amount and currency, payment status, timestamps, and limited metadata needed to reconcile your registration (we do not receive or store your full card number or card security codes)
- Notification preferences
- Technical data such as IP address and browser type (automatically collected)
3. Purpose and Legal Basis for Processing
We process your personal information to:
- Operate the platform and provide our services
- Facilitate trades and borrowing arrangements between users
- Display community events and articles, and process registrations (including initiating payment where an event has a fee)
- Communicate with you about your account, trades, and service updates
- Send optional notifications (with your consent) about trade activity
- Improve our services and user experience
- Comply with legal obligations
Processing is based on consent, contractual necessity, and our legitimate interests in providing and improving the service.
4. Retention of Personal Information
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, or reporting requirements. When your account is deleted, we will delete or anonymise your personal information within a reasonable period, except where we are required to retain it by law.
5. Sharing of Personal Information
We may share your personal information with:
- Other users: As necessary to facilitate trades (e.g. displaying your profile and trade list to potential trade partners). When you take part in an active trade (including a shared trade zone), your trade partner may see contact details you added to your profile—such as your phone number—together with your verified general location where you chose to provide it, so you can arrange and complete the trade. See your profile settings for what you share.
- Event organisers (partners): Where you register for a community event they publish, they receive information needed to run the event (e.g. your registration status and, if they require it, deck information you submit)
- Paystack: When you pay a fee for a community event registration, we share the information required to process that payment with Paystack (PAYSTACK PAYMENTS LIMITED and its affiliates), our payment service provider. That typically includes your email address, the payment amount and currency, a transaction reference, and related technical data. Paystack processes payment credentials; you should read Paystack's privacy policy at paystack.com/privacy for how they handle personal data. Paystack may process data in South Africa and other jurisdictions where they operate.
- Service providers: Third parties who assist in hosting, analytics, or delivering emails, subject to appropriate safeguards
- Authorities: Where required by law or to protect our rights
We do not sell your personal information to third parties.
6. Direct Marketing and Electronic Communications
We will only send you direct marketing communications (such as promotional emails) with your consent. You may withdraw consent at any time by updating your notification preferences in your profile or by contacting us. Transactional and service-related emails (e.g. trade notifications you have opted into) are not considered direct marketing under POPIA.
7. Security and Data Breaches
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, or alteration. In the event of a data breach that poses a real risk of harm to you, we will notify you and the Information Regulator as required by POPIA.
8. Your Rights Under POPIA
You have the following rights in relation to your personal information:
- Right of access: To establish whether we hold your personal information and to request a copy
- Right to correction and deletion: To request correction or deletion of inaccurate or outdated information
- Right to object: To object, on reasonable grounds, to the processing of your personal information
- Right to object to direct marketing: To object at any time to processing for direct marketing purposes
- Right to lodge a complaint: To lodge a complaint with the Information Regulator if you believe your rights have been infringed
To exercise any of these rights, contact us at info@rhystic.co.za. You may also lodge a complaint with the Information Regulator at www.inforegulator.org.za or POPIAComplaints@inforegulator.org.za.
9. Children
Our services are not directed at persons under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us so we can take steps to delete it.
10. Payment processing and webhooks
When a payment is completed, Paystack may send our servers automated notifications ("webhooks") containing limited transaction data so we can mark your event registration as paid. We verify these notifications where technically possible. Webhook payloads may be stored only as long as needed for reconciliation, fraud prevention, and legal record-keeping.
If you have questions specifically about how your card or bank data is handled during checkout, those questions are primarily for Paystack; we only receive the outcome of the transaction and the identifiers above.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.