Privacy Policy
Effective date: {{PLACEHOLDER_EFFECTIVE_DATE}}
How RealTours collects, uses, stores, and protects personal information under South Africa's Protection of Personal Information Act (POPIA), with additional notes for visitors in GDPR jurisdictions.
{{PLACEHOLDER_LEGAL_NAME}} ("RealTours", "we", "us", "our") operates the RealTours platform at www.realtoursai.com. This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it under the Protection of Personal Information Act 4 of 2013 ("POPIA"). If you are located in the European Union, the United Kingdom or another GDPR jurisdiction, the section titled "Visitors from outside South Africa" applies in addition to the rest of this policy.
1. Who we are
- Responsible party (data controller): {{PLACEHOLDER_LEGAL_NAME}}, registration number {{PLACEHOLDER_REGISTRATION_NUMBER}} (VAT: {{PLACEHOLDER_VAT_NUMBER}}).
- Registered address: {{PLACEHOLDER_PHYSICAL_ADDRESS}}.
- Information Officer (POPIA § 55): {{PLACEHOLDER_INFO_OFFICER_NAME}}, registered with the Information Regulator of South Africa under reference {{PLACEHOLDER_INFO_OFFICER_REGISTRATION_REF}}.
- Privacy contact: {{PLACEHOLDER_PRIVACY_EMAIL}}.
- General support: {{PLACEHOLDER_SUPPORT_EMAIL}}.
2. What personal information we collect
When you register an account and submit an order on RealTours, we collect:
From you, the estate agent:
- Identity and contact details — full name, work email address, phone number (optional), and the agency you work for.
- Account credentials — your password is stored as a one-way salted hash; we never see the plaintext.
- Order content — listing address (city, suburb), property attributes (bedrooms, bathrooms, floor area, garages, listing price), property description, special features, and your preference selections (narrator voice, design style, intro card variant, video length, video format).
- Property photographs you upload (or that we mirror from a public listing URL you supply).
- Billing information — handled directly by Paystack; we receive only the transaction reference, the amount, the currency (ZAR), the status, and the last four digits of the card. We never see, store or process the full card number, CVV, or expiry.
- Support correspondence — anything you send to us by email.
Automatically, from your device:
- Authentication session tokens (stored as cookies; see our Cookie Policy at /cookies).
- Security-related metadata — IP address, user-agent string, request timestamps — kept for fraud prevention, rate-limit enforcement and audit logging.
We do not collect special personal information (race, health, sexual orientation, biometric data) and we do not knowingly collect personal information from children under 18 — see section 10.
3. How we use your information
We process your personal information to:
- Provide the service you ordered (generate cinematic video tours and staged property images).
- Process payments through Paystack and reconcile invoices.
- Send you operational emails (order receipts, deliverables, service updates).
- Provide customer support when you contact us.
- Prevent fraud, abuse, and unauthorised use of the platform.
- Improve the platform — measuring aggregate, de-identified usage patterns.
- Comply with our legal obligations (tax records, statutory retention).
4. Legal basis for processing (POPIA § 11)
| Purpose | Lawful basis |
|---|---|
| Delivering the service you ordered | Performance of a contract (POPIA § 11(1)(b)) |
| Sending marketing emails about new features | Consent (POPIA § 11(1)(a)); withdrawable at any time |
| Security monitoring, rate limiting, fraud prevention | Legitimate interest (POPIA § 11(1)(f)) |
| Keeping invoices and tax records | Compliance with legal obligation (POPIA § 11(1)(c)) — SA tax law requires 5 years; we retain for 7 |
| Sending order receipts and deliverables | Performance of a contract (POPIA § 11(1)(b)) |
5. Who we share your information with
RealTours relies on a small number of carefully selected operators (sub-processors) to deliver the service. We share only the minimum information necessary for each operator to perform its function.
| Operator | What we share | What they do | Where |
|---|---|---|---|
| Supabase | Account credentials, order metadata, listing data, artifact metadata | Database, authentication, file storage, real-time updates | List on request |
| Paystack | Card details (entered directly into Paystack — we never see them), amount, currency | Payment processing (ZAR) | South Africa / United Kingdom |
| OpenAI | Property photos, listing description, planning context | Vision analysis, cinematic planning, image staging | United States |
| ElevenLabs | Narration script text, voice ID | Text-to-speech voice generation | European Union / United States |
| fal.ai | Image URLs, video prompts, voice/duration config | Cinematic video clip generation | United States (global CDN) |
| Inngest Cloud | Order IDs, event metadata, job status callbacks | Background job orchestration | United States |
| Cloudflare | Inbound HTTP request metadata (IP, user-agent, headers) | CDN, DDoS protection, bot management | Global edge network |
| Lovable | Page render events, session metadata | Frontend hosting | Configurable |
| MinIO | All generated artifacts (videos, images, audio) | Long-term artifact storage | Self-hosted on our infrastructure |
A current, dated sub-processor list is available on request from {{PLACEHOLDER_PRIVACY_EMAIL}}.
6. Cross-border transfers (POPIA § 72)
Some of our operators (OpenAI, ElevenLabs, fal.ai, Inngest, Lovable, Cloudflare) process personal information outside South Africa, primarily in the United States and European Union. POPIA § 72 permits cross-border transfers where the recipient is subject to a law providing substantially similar protection, or where you consent to the transfer.
For each US-based operator we rely on Standard Contractual Clauses (or equivalent contractual safeguards published by the operator) and on your acceptance of this policy as your informed consent to the transfer for the purpose of providing the service you ordered. If you withdraw that consent, we will no longer be able to provide the service, and you may request deletion of your account under section 8.
7. How long we keep your information
| Category | Retention period |
|---|---|
| Generated video deliverables stored at realtours/<orderId>/final/ in MinIO | 30 days from creation, then deleted by lifecycle rule |
| Intro card renders, intermediate clip artifacts, source-image mirrors | 30 days from creation |
| Staged image deliverables stored at images/... in MinIO | 30 days from creation |
| Account record (your profile, email, password hash) | While account is active; deleted within 30 days of closure unless legally required |
| Order metadata (listing details, deliverable URLs) | While account is active |
| Invoices, payment records, tax-relevant data | 7 years (South African tax law) |
| Authentication and audit logs | 12 months |
When you delete your account, we permanently delete all of the above other than legally required tax records. You may request earlier deletion of specific orders or all your data — see section 8.
8. Your rights (POPIA §§ 23–25)
You have the right to:
- Access the personal information we hold about you.
- Correct any inaccurate or incomplete information.
- Delete your account and all associated personal information, subject to legal retention obligations.
- Object to processing of your information for any purpose other than service delivery.
- Withdraw consent at any time — for marketing, cross-border transfers, or any other consent-based processing.
- Lodge a complaint with the Information Regulator of South Africa. Contact: inforeg@inforegulator.org.za, inforegulator.org.za.
To exercise any of these rights, email {{PLACEHOLDER_PRIVACY_EMAIL}}. We will respond within 30 days. We may ask you to verify your identity before acting on a request.
9. Marketing communications (POPIA § 69)
We will only send you marketing emails if you have explicitly opted in. Every marketing email carries a one-click unsubscribe link. If you are an existing customer, we may occasionally email you about similar services we provide, but every such email also carries an unsubscribe link.
We do not send marketing SMS or make marketing phone calls.
10. Children
RealTours is a business-to-business service for licensed estate agents and is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has registered for the service, please contact {{PLACEHOLDER_PRIVACY_EMAIL}} and we will delete the account.
11. Security
We protect personal information with reasonable technical and organisational safeguards, including:
- Encryption in transit — TLS 1.2 or higher on every connection.
- Encryption at rest — managed encryption on Supabase, MinIO bucket-level controls, and operator-managed encryption at every sub-processor.
- Row-level security on our database — you can only read and modify your own records.
- HMAC-signed URLs for private image and video access — links are time-bounded and cannot be guessed.
- SSRF-defended image fetcher — blocks attempts to reach private networks and rejects oversized or wrong-format files.
- Rate limiting — per-user (50 orders/hour) and per-host (60 requests/minute).
- Network isolation — internal services bind only to loopback.
- Kernel-level egress firewall preventing internal services from contacting private networks.
No system is impenetrable. If a breach occurs, we will notify the Information Regulator and affected data subjects as soon as reasonably possible after becoming aware of it, as required by POPIA § 22.
12. Breach notification
If we become aware of a security compromise affecting your personal information, we will notify you and the Information Regulator as soon as reasonably possible. The notice will describe the nature of the compromise, the information affected, the measures we are taking, and what you can do to protect yourself.
13. Access to information (PAIA)
Our manual under the Promotion of Access to Information Act 2 of 2000 is available at {{PLACEHOLDER_PAIA_MANUAL_URL}}. To request records held by us, email {{PLACEHOLDER_LEGAL_EMAIL}}.
14. Visitors from outside South Africa (GDPR / UK GDPR)
If you are a data subject in the European Union, the United Kingdom, or another GDPR jurisdiction, the controller of your personal information is {{PLACEHOLDER_LEGAL_NAME}}. Our lawful bases for processing are (a) performance of the contract you enter into with us when you place an order (GDPR Art. 6(1)(b)), (b) your consent for marketing and cross-border transfers (Art. 6(1)(a)), and (c) our legitimate interests in operating, securing and improving the platform (Art. 6(1)(f)). You have the same rights of access, rectification, erasure, restriction, portability, and objection described in section 8 above, and you may also lodge a complaint with your local supervisory authority. For details of our cross-border transfer safeguards and to obtain a copy of the Standard Contractual Clauses we rely on, email {{PLACEHOLDER_PRIVACY_EMAIL}}.
15. Changes to this policy
If we make material changes to this policy we will notify you by email and post a notice on the platform at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the changed policy.
16. Contact us
- Information Officer: {{PLACEHOLDER_INFO_OFFICER_NAME}} — {{PLACEHOLDER_PRIVACY_EMAIL}}.
- Postal: {{PLACEHOLDER_LEGAL_NAME}}, {{PLACEHOLDER_PHYSICAL_ADDRESS}}.
- General support: {{PLACEHOLDER_SUPPORT_EMAIL}}.
Last updated: {{PLACEHOLDER_EFFECTIVE_DATE}} · Questions? {{PLACEHOLDER_PRIVACY_EMAIL}}