Privacy Policy

1. Introduction

DomainsWatch is operated by Moducraft (Pty) Ltd (Registration number: 2026/138609/07) ("we", "us", "our", "DomainsWatch"). This privacy policy explains how we collect, use, store, disclose, and protect your personal information when you access or use the DomainsWatch service at domainswatch.co.za (the "Service").

We are committed to protecting your privacy and complying with the Protection of Personal Information Act, 2013 (Act 4 of 2013) ("POPIA"). This policy is intended to satisfy all disclosure requirements under POPIA and to inform you of your rights as a data subject.

DomainsWatch is available to users aged 18 and older.

By creating an account or using the Service, you acknowledge that you have read and understood this privacy policy and consent to the processing of your personal information as described herein.

2. Information Officer

In compliance with Section 55(1) of POPIA, our designated Information Officer is:

• Name: Johan Pretorius (Director, Moducraft (Pty) Ltd)
• Email: [email protected]
• Postal address: 92 Rosmead Avenue, Kenilworth, Cape Town, 7708, South Africa

All privacy-related enquiries, access requests, and complaints should be directed to the Information Officer at the email address above.

3. Personal Information We Collect

We collect and process the following categories of personal information:

3.1 Account Information (collected at registration)

• Full name - required for account identification and correspondence
• Email address - required for authentication, notifications, and transactional communications
• Password (hashed) - required for account security
• Company name - optional, for business users

3.2 Social Login Information (if you sign in with Google)

• Google account identifier
• Name and email address as provided by Google
• Profile photograph URL (not stored locally)

3.3 KYC Information (collected for domain catching service)

• Phone number - encrypted at rest
• Physical address - encrypted at rest
• South African ID number (individuals) - encrypted at rest with special protection
• CIPC registration number (companies) - encrypted at rest

3.4 Payment Information

Payment processing is handled entirely by PayFast (Pty) Ltd. We never receive, process, or store your credit card numbers, bank account details, or other payment instrument data. We retain only:

• PayFast transaction identifiers
• Payment amounts and status
• Payment timestamps

3.5 Service Usage Information

• Domain watchlist selections and history
• Alert preferences and delivery history
• Search queries submitted to the Service
• Catch order details and attestations

3.6 Technical Information

• IP address (for session management and security)
• Browser type and version
• Session identifiers
• Application error logs (may contain request metadata)

4. Lawful Basis for Processing (POPIA Conditions)

POPIA requires that personal information be processed lawfully and in accordance with eight conditions. We comply with each as follows:

4.1 Accountability (Condition 1)

Moducraft (Pty) Ltd, as the responsible party, ensures compliance with all POPIA conditions. Our Information Officer oversees data processing activities and responds to data subject requests.

4.2 Processing Limitation (Condition 2)

We process personal information only where we have a lawful basis to do so:

• Consent: You provide consent at registration for account creation and email notifications.
• Contract: Processing is necessary for the performance of our service agreement with you (monitoring, alerting, catching).
• Legitimate interest: We process WHOIS query logs and aggregated usage data to improve the Service, provided this does not prejudice your rights.
• Legal obligation: We retain financial records and audit trails as required by South African tax law.

4.3 Purpose Specification (Condition 3)

We collect personal information for the following specific purposes:

• Providing the domain monitoring, alerting, and catching service
• Processing payments via PayFast
• Sending transactional notifications (status change alerts, payment confirmations, receipts)
• Creating domain registration accounts at Domains.co.za on your behalf (catching service only)
• Complying with legal and regulatory requirements
• Diagnosing technical issues and improving service reliability
• Communicating material changes to our terms or service

We will not process your personal information for any purpose incompatible with those listed above without obtaining your further consent.

4.4 Further Processing Limitation (Condition 4)

We do not use your personal information for secondary purposes such as marketing by third parties, profiling for advertising, or any purpose unrelated to the Service. We do not sell, rent, or trade your personal information.

4.5 Information Quality (Condition 5)

We take reasonable steps to ensure that personal information is complete, accurate, and up to date. You may update your account information at any time via the dashboard, or by contacting the Information Officer.

4.6 Openness (Condition 6)

This privacy policy is publicly available and describes all material aspects of our data processing. We will notify registered users by email of any material changes to this policy.

4.7 Security Safeguards (Condition 7)

We implement appropriate technical and organisational measures to protect personal information against loss, unauthorised access, alteration, or destruction. See Section 7 (Data Security) for details.

4.8 Data Subject Participation (Condition 8)

You have the right to access, correct, and delete your personal information. See Section 9 (Your Rights Under POPIA) for how to exercise these rights.

5. How We Use Your Information

• To create and manage your DomainsWatch account
• To provide domain monitoring and status change detection
• To send email alerts when watched domains change status
• To process payments for watch fees, catch service fees, and registration costs via PayFast
• To create and manage your customer account at Domains.co.za (if you use the catching service)
• To submit domain registration requests on your behalf via the Domains.co.za reseller API
• To maintain audit trails of catch orders and payments for compliance and dispute resolution
• To send transactional emails (payment confirmations, receipts, service notices)
• To diagnose technical issues and improve the Service
• To comply with legal obligations including tax and financial record-keeping

6. Third-Party Processors

We share your personal information with the following third-party service providers, solely for the purposes of delivering the Service:

6.1 PayFast (Pty) Ltd

Purpose: Payment processing. PayFast receives your name and email address for transaction identification. PayFast is PCI DSS compliant and handles all payment card data directly. We never receive or store your card details.

Privacy policy: payfast.co.za/privacy-policy

6.2 Google (Google Identity Services)

Purpose: Optional social login. If you choose to sign in with Google, we receive your name, email, and account identifier from Google. You are not required to use Google sign-in.

6.3 Resend (email delivery)

Purpose: Transactional email delivery. Resend processes your email address and name to deliver status alerts, payment confirmations, and service communications on our behalf.

6.4 Domains.co.za (registrar partner)

Purpose: Domain catching and registration. If you use the catching service, your KYC details (name, email, phone, address, and identification number) are transmitted to Domains.co.za to create a customer account and register domains in your name. This is necessary processing for service delivery.

Important: Domains.co.za has its own privacy policy and POPIA obligations. Once your details are provided to Domains.co.za, their processing of that data is governed by their own policies.

6.5 Yoco Technologies (Pty) Ltd

Purpose: Payment processing (when activated). Yoco may receive your name and email address for transaction identification. Yoco is PCI DSS compliant and handles all payment card data directly. We never receive or store your card details via Yoco.

Privacy policy: yoco.com/za/legal/privacy-policy

Data Processing Agreements are in place with all third-party processors in compliance with POPIA Section 13.

We do not sell, rent, or share your personal information with any third party for marketing purposes. We may disclose personal information to law enforcement or regulatory authorities only where required by a lawful court order or other legal process.

7. Data Security

7.1 Encryption at Rest

Sensitive personal information fields - including phone numbers, physical addresses, ID numbers, and CIPC numbers - are encrypted at rest using CipherSweet (AES-256-based field-level encryption). Encryption keys are stored in environment variables and rotated periodically.

7.2 Encryption in Transit

All data transmitted between your browser and the Service is encrypted using TLS 1.2 or higher (HTTPS). HTTP Strict Transport Security (HSTS) is enabled. Internal service communications use encrypted channels.

7.3 Access Controls

Access to production systems and user data is restricted to authorised Moducraft (Pty) Ltd personnel. The administrative panel requires authentication with two-factor authentication enabled. All access to user personal information is recorded in an audit log, which is reviewed quarterly by the Information Officer.

7.4 Password Security

User passwords are hashed using bcrypt with a minimum of 12 rounds. We never store passwords in plain text. We never have access to your password.

8. Data Retention

• Active accounts: Personal information is retained for as long as your account remains active.
• Closed accounts: Upon account deletion, personal information is redacted within 30 days. A 30-day soft-delete period allows you to recover your account if the deletion was accidental.
• Catch order audit trails: Retained for 5 years after order completion (tax and compliance requirement), but personal information within audit records is redacted after account closure.
• WHOIS snapshots: Retained indefinitely. WHOIS data is publicly available registry data and does not constitute user personal information.
• Payment records: Retained for 5 years in compliance with South African tax law (Income Tax Act and VAT Act).
• Application logs: Retained for 90 days, then automatically purged.

9. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

• Right of access (Section 23): You may request confirmation of whether we hold personal information about you, and request a copy of that information.
• Right to correction (Section 24): You may request correction or deletion of personal information that is inaccurate, incomplete, misleading, or obtained unlawfully.
• Right to deletion (Section 24): You may request deletion of your personal information. You can initiate this via the "Delete my account" function in the dashboard, or by contacting the Information Officer.
• Right to object (Section 11(3)): You may object to the processing of your personal information on reasonable grounds relating to your particular situation, unless legislation provides for such processing.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right not to be subject to automated decision-making (Section 71): You have the right not to be subject to a decision based solely on automated processing. DomainsWatch does not make automated decisions with legal or significant effects on users.
• Right to complain to the Information Regulator: If you believe your rights have been infringed, you may lodge a complaint with the Information Regulator of South Africa.

How to Submit a POPIA Request

To exercise any of the above rights, send an email to [email protected] with the subject line "POPIA Request". Please include:

• Your full name and email address associated with your DomainsWatch account
• A description of the right you wish to exercise
• Any supporting details relevant to your request

We will acknowledge your request within 5 business days and respond substantively within 30 days, as required by POPIA. We may request proof of identity before processing access or deletion requests to protect against unauthorised access.

Information Regulator Contact Details

• Name: The Information Regulator (South Africa)
• Email: [email protected]
• Website: inforegulator.org.za
• Phone: 012 406 4818

10. Cookies and Session Management

DomainsWatch uses the following cookies:

• Session cookie: Essential for authentication and maintaining your logged-in state. This cookie is deleted when you close your browser or when your session expires (configurable, default 120 minutes of inactivity).
• CSRF token cookie: Essential for protecting against cross-site request forgery attacks.
• Remember-me cookie: Optional, set only if you choose "Remember me" at login. Allows persistent authentication across browser sessions.

We use the following analytics services to understand how our site is used and to improve the experience:

• Google Analytics: Collects anonymised usage data (pages visited, session duration, referral source). No personally identifiable information is sent to Google. You can opt out via the Google Analytics opt-out browser add-on.
• Microsoft Clarity: Records anonymised session replays and heatmaps to help us improve usability. Clarity does not collect passwords or payment details.

We do not use third-party advertising cookies, tracking pixels, or behavioural profiling. We do not sell or share analytics data with third parties.

11. Cross-Border Data Transfers

DomainsWatch primarily processes and stores personal information within infrastructure located in South Africa. However, certain third-party processors may store or process data outside of South Africa:

• Resend (email delivery): Infrastructure may be located outside South Africa.
• Google (social login): Google processes authentication data globally.

In compliance with Section 72 of POPIA, where personal information is transferred outside South Africa, we ensure that the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection substantially similar to POPIA. We enter into data processing agreements with all third-party processors.

12. Children's Data

DomainsWatch is not directed at children under the age of 18. We do not knowingly collect personal information from children. Account registration requires the user to be at least 18 years of age. If we become aware that we have inadvertently collected personal information from a child under 18, we will promptly delete that information and terminate the associated account.

13. Data Breach Notification

In the event of a data breach that compromises the confidentiality or integrity of your personal information, we will:

• Notify the Information Regulator within 72 hours of becoming aware of the breach, as required by Section 22 of POPIA.
• Notify affected data subjects as soon as reasonably possible after the breach is confirmed.
• Provide a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken to address the breach.

We maintain a documented data breach response plan that is reviewed annually.

14. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or the Service. Material changes will be communicated to registered users via email at least 14 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated privacy policy.

15. Contact

For any privacy-related enquiries, requests, or complaints, contact our Information Officer:

• Email: [email protected]
• General enquiries: [email protected]

Responsible party: Moducraft (Pty) Ltd, South Africa