Privacy Policy
This privacy policy explains how Rhystic collects, uses, and protects your personal information when you use our service. We process personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African data protection laws.
Last updated: 29 March 2026
1. Responsible Party and Information Officer
Rhystic is the responsible party for the processing of your personal information under POPIA. We have appointed an Information Officer who is registered with the Information Regulator. For any enquiries regarding this policy or to exercise your data subject rights, contact us at: info@rhystic.co.za.
2. Personal Information We Collect
We collect personal information that you provide when registering, managing your collection, and participating in trades. This may include:
- Name and email address
- Profile information and preferences
- Location data (where you choose to provide it for location-based features)
- Card collection data and trade history
- Notification preferences
- Technical data such as IP address and browser type (automatically collected)
3. Purpose and Legal Basis for Processing
We process your personal information to:
- Operate the platform and provide our services
- Facilitate trades and borrowing arrangements between users
- Communicate with you about your account, trades, and service updates
- Send optional notifications (with your consent) about trade activity
- Improve our services and user experience
- Comply with legal obligations
Processing is based on consent, contractual necessity, and our legitimate interests in providing and improving the service.
4. Retention of Personal Information
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, or reporting requirements. When your account is deleted, we will delete or anonymise your personal information within a reasonable period, except where we are required to retain it by law.
5. Sharing of Personal Information
We may share your personal information with:
- Other users: As necessary to facilitate trades (e.g. displaying your profile and trade list to potential trade partners)
- Service providers: Third parties who assist in hosting, analytics, or delivering emails, subject to appropriate safeguards
- Authorities: Where required by law or to protect our rights
We do not sell your personal information to third parties.
6. Direct Marketing and Electronic Communications
We will only send you direct marketing communications (such as promotional emails) with your consent. You may withdraw consent at any time by updating your notification preferences in your profile or by contacting us. Transactional and service-related emails (e.g. trade notifications you have opted into) are not considered direct marketing under POPIA.
7. Security and Data Breaches
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, or alteration. In the event of a data breach that poses a real risk of harm to you, we will notify you and the Information Regulator as required by POPIA.
8. Your Rights Under POPIA
You have the following rights in relation to your personal information:
- Right of access: To establish whether we hold your personal information and to request a copy
- Right to correction and deletion: To request correction or deletion of inaccurate or outdated information
- Right to object: To object, on reasonable grounds, to the processing of your personal information
- Right to object to direct marketing: To object at any time to processing for direct marketing purposes
- Right to lodge a complaint: To lodge a complaint with the Information Regulator if you believe your rights have been infringed
To exercise any of these rights, contact us at info@rhystic.co.za. You may also lodge a complaint with the Information Regulator at www.inforegulator.org.za or POPIAComplaints@inforegulator.org.za.
9. Children
Our services are not directed at persons under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us so we can take steps to delete it.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.