Privacy Policy
1. Introduction
TermsCon ("we", "us", "our"), operated by SkyL4rk Digital (PTY) LTD and SkyL4rk UK LTD, is committed to protecting your personal information and processing it lawfully, transparently, and securely.
This Policy describes how we collect, use, retain, share, and protect personal data in connection with the TermsCon platform. It applies to all users of our website (termscon.com), client portal (vault.termscon.com), and APIs.
Our designated Information Officer is responsible for ensuring our compliance with POPIA.
Contact: privacy@termscon.com
Alternatively, you may write to us at: SkyL4rk Digital (PTY) LTD, KwaZulu-Natal, South Africa.
2. Scope of This Policy
This Policy applies to:
- Account holders and their authorised users;
- Visitors to our website;
- Signatories and other individuals whose personal data is included in Documents created, uploaded, sent, or processed via TermsCon.
Where you submit personal data about third parties (e.g., Signatories), you are responsible for ensuring you have a valid lawful basis to do so and for providing those individuals with appropriate privacy notices.
3. Information We Collect
Account and registration data
Full name, email address, phone number, company name, VAT number, billing address, and payment information (processed securely through PayFast — we do not store card numbers).
Usage and platform data
Documents created or uploaded, metadata (timestamps, IP addresses, device/browser type), signing events, audit log entries, token balances, and subscription history.
Identity verification data (via Verilink)
Where biometric identity verification is used, Verilink processes facial images, liveness checks, and ID document scans. TermsCon receives and retains a verification result and confidence score — not raw biometric templates. Verilink processing is governed by the Verilink Privacy Policy.
Compliance screening data
Where AML, PEP, or sanctions screening is requested, we transmit the relevant data fields to screening APIs and retain the result for compliance record-keeping purposes.
Communications
Content of emails or messages sent to our support or sales team.
Ownership Structure and Cap Table data
Where you use the Ownership Infrastructure Services, we collect and process: Holder identity and KYC records, Cap Table composition and ownership percentages, Structural Event records (issuances, transfers, dilutions, buyouts), wallet addresses (Managed and External), governance approval records, and Structural Event audit logs. Wallet addresses are treated as personal data where they can be linked to an identified individual.
Blockchain and on-chain data
Structural Events confirmed on the Ethereum network generate public, permanent on-chain records. These records contain wallet addresses and cryptographic hashes — not names, identity documents, or directly identifying information, which are stored exclusively in TermsCon's encrypted off-chain infrastructure. By using the Ownership Infrastructure Services you acknowledge that on-chain records are public, permanent, and outside TermsCon's ability to delete or modify once confirmed.
4. Lawful Basis for Processing
We process personal data on the following legal grounds:
| Purpose | Lawful Basis (POPIA) | Lawful Basis (GDPR) |
|---|---|---|
| Providing and operating the Services | Contract performance | Article 6(1)(b) — contract |
| Billing and subscription management | Contract performance / Legal obligation | Article 6(1)(b) & 6(1)(c) |
| AML / FICA compliance screening | Legal obligation | Article 6(1)(c) |
| Platform security and fraud prevention | Legitimate interest | Article 6(1)(f) |
| Service communications and alerts | Contract performance | Article 6(1)(b) |
| Marketing and product updates (opt-in) | Consent | Article 6(1)(a) |
| Analytics and platform improvement | Legitimate interest | Article 6(1)(f) |
| Ownership Unit issuance and Cap Table management | Contract performance | Article 6(1)(b) |
| KYC verification of Holders on behalf of Operator | Legal obligation / Contract | Article 6(1)(b) & 6(1)(c) |
| Smart contract execution and blockchain record-keeping | Legitimate interest / Contract | Article 6(1)(b) & 6(1)(f) |
| Managed Wallet private key custody | Contract performance | Article 6(1)(b) |
| Structural Event audit logs | Legal obligation | Article 6(1)(c) |
5. How We Use Your Information
- To create and manage your Account and provide the Services;
- To process payments and manage your subscription and token balance;
- To enable document creation, sending, signing, and verification workflows;
- To conduct AML, KYC, and sanctions screening as requested or required by law;
- To maintain audit trails for legal enforceability of signed Documents;
- To detect, prevent, and investigate fraud or security incidents;
- To communicate service updates, billing alerts, and support responses;
- To improve platform performance and user experience (aggregated, anonymised analytics);
- To comply with applicable legal and regulatory obligations.
6. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account and registration data | Duration of Account + 7 years after closure | POPIA; tax & commercial record-keeping |
| Signed Documents and audit trails | 10 years from signing date | ECT Act Section 15; commercial law |
| AML / KYC screening records | 5 years from screening date | FICA Section 22 |
| Billing and payment records | 7 years from transaction date | Tax Administration Act; VAT Act |
| Server and access logs | 90 days | Security / operational necessity |
| Marketing consent records | Until consent withdrawn + 3 years | POPIA Section 11; GDPR Article 7 |
| Support communications | 3 years from last interaction | Legitimate interest |
| Biometric verification results (score only) | Duration of Account + 5 years | FICA; contractual evidence |
| Cap Table records and full ownership history | 10 years from Ownership Structure closure | Companies Act 71 of 2008; ECT Act |
| Structural Event audit logs | 10 years from event date | Companies Act; FICA |
| Holder KYC records (Ownership Structures) | 5 years from last Structural Event involving that Holder | FICA Section 22 |
| Managed Wallet private keys | Duration of custody + 90 days post-migration | Contractual obligation |
| On-chain transaction records (Ethereum) | Permanent — public blockchain, not deletable by any party | Blockchain immutability; minimisation by design |
Upon expiry of applicable retention periods, data is securely deleted or anonymised.
7. Data Sharing and Sub-Processors
We do not sell your personal data. We share data only with the following categories of recipients where necessary to deliver the Services:
| Sub-Processor / Recipient | Purpose | Location |
|---|---|---|
| PayFast (DPO PayGate) | Payment processing and subscription billing | South Africa |
| Verilink (SkyL4rk Digital) | Biometric identity verification and AML screening | South Africa |
| Zume Hosting / WHM Server | Platform hosting and email infrastructure | South Africa |
| Compliance screening APIs | AML, PEP, OFAC, and global sanctions checks | EU / USA (SCCs in place) |
| Google Analytics (optional) | Aggregated website analytics (anonymised) | USA (Standard Contractual Clauses) |
| Law enforcement / regulators | Where required by law, court order, or FICA obligation | Varies |
| Business successors | In the event of merger, acquisition, or asset sale (with notice) | Varies |
| Ethereum Network (public blockchain) | On-chain recording of Structural Events via Smart Contract — wallet addresses and hashes only; no PII transmitted on-chain | Global (decentralised — public ledger) |
Where data is transferred outside South Africa, we ensure appropriate safeguards are in place (POPIA Section 72 authorisation or equivalent, Standard Contractual Clauses for GDPR transfers).
8. International Data Transfers
Some of our sub-processors are located or process data outside South Africa. Where this occurs, we rely on:
- POPIA Section 72: We ensure the recipient country provides an adequate level of protection, or we have binding contractual safeguards in place.
- GDPR (UK/EU users): Transfers to third countries rely on Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) — as approved by the European Commission and UK ICO.
9. Data Storage and Security
- Encryption in transit: All data transmitted to and from TermsCon is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive data fields are encrypted at rest using AES-256.
- Document integrity: Signed Documents are protected by multi-server SHA-256 hash cross-verification. Any post-signature modification is immediately detectable.
- Access controls: Role-based access controls and audit logging are applied to all administrative access to production systems.
- Incident response: We maintain a documented incident response procedure. In the event of a data breach affecting your rights and freedoms, we will notify you and, where required, the Information Regulator within the timeframes prescribed by law.
10. Your Rights
Depending on your jurisdiction, you have the following rights in relation to your personal data:
| Right | POPIA | GDPR |
|---|---|---|
| Access your personal data | ✓ Section 23 | ✓ Article 15 |
| Correct inaccurate data | ✓ Section 24 | ✓ Article 16 |
| Request deletion ("right to be forgotten") | ✓ Section 24 | ✓ Article 17 |
| Object to processing | ✓ Section 11(3) | ✓ Article 21 |
| Data portability | Limited | ✓ Article 20 |
| Withdraw consent at any time | ✓ Section 11(1)(a) | ✓ Article 7(3) |
| Lodge a complaint with a regulator | ✓ Information Regulator | ✓ Supervisory authority |
To exercise any of these rights, contact our Information Officer at privacy@termscon.com. We will respond within 30 days (POPIA) or one month (GDPR).
Note that some rights are subject to legal and regulatory retention obligations — we cannot delete AML screening records or signed Document audit trails before their statutory retention period expires.
11. Right to Lodge a Complaint
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the relevant supervisory authority:
Website: inforeg.org.za
Email: inforeg@justice.gov.za
Tel: +27 (0)10 023 5207
United Kingdom — Information Commissioner's Office (ICO):
Website: ico.org.uk
Tel: 0303 123 1113
We would appreciate the opportunity to address your concerns directly before you contact a regulator — please reach out to us first at privacy@termscon.com.
12. Cookies and Tracking Technologies
We use cookies and similar technologies to ensure platform functionality, enhance security, and understand how our platform is used. You can control non-essential cookie preferences through your browser settings.
Cookie categories
| Category | Purpose | Examples | Expiry |
|---|---|---|---|
| Essential | Session management, authentication, CSRF protection, load balancing. Cannot be disabled. | Session ID, CSRF token, auth token | Session / 24h |
| Functional | User preferences (e.g. language, theme). Enables personalisation across visits. | tc-theme, tc-fs (font size) | 1 year |
| Analytics | Anonymised usage statistics to improve platform performance. IP addresses are anonymised. | _ga, _gid (Google Analytics) | 2 years / 24h |
| Security | Fraud detection, bot mitigation, captcha verification (skyCaptchaX). | captcha verification token | Session |
We do not use advertising or cross-site tracking cookies. To opt out of Google Analytics, use the Google Analytics Opt-out Browser Add-on.
13. Children's Privacy
The Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child's data has been submitted to our platform without appropriate authority, please contact privacy@termscon.com and we will take prompt steps to delete it.
14. Access to Information (PAIA)
In terms of the Promotion of Access to Information Act 2 of 2000 (PAIA), you have the right to request access to records held by TermsCon. Our PAIA manual is available on request from our Information Officer at privacy@termscon.com.
15. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify you of material changes via email or a prominent notice on the platform at least 14 days before the changes take effect. We encourage you to review this page periodically.
16. Contact Information
For any questions, requests, or concerns relating to this Privacy Policy or your personal data:
Email: privacy@termscon.com
Support: support@termscon.com
Website: https://termscon.com
Registered address: SkyL4rk (PTY) LTD, KwaZulu-Natal, South Africa