LAST UPDATED: 12 May 2026
This Privacy Policy explains how Markus Taljaard trading as Bindyl ("Bindyl", "we", "us", or "our"), a sole proprietor registered in South Africa, collects, uses, shares, and protects personal information that we process about you when you use the Bindyl website at https://www.bindyl.com and the Bindyl web application (collectively, the "Platform" or "Services").
This Privacy Policy is governed by the Protection of Personal Information Act, No. 4 of 2013 ("POPIA") and other applicable South African law, including the Electronic Communications and Transactions Act, No. 25 of 2002 ("ECTA"), the Consumer Protection Act, No. 68 of 2008 ("CPA"), and the Promotion of Access to Information Act, No. 2 of 2000 ("PAIA"). It must be read together with our Terms and Conditions.
Under POPIA, Bindyl is the responsible party for personal information processed through the Platform. Our Information Officer is identified in clause 15 below.
1. SCOPE AND APPLICATION
This Privacy Policy applies to:
- visitors to the Bindyl website (whether or not they create an Account);
- registered Users of the Platform;
- people who join our pre-launch waitlist;
- people who submit identity verification information through our verification partner;
- people whose personal information appears in another User's contacts where the Mutual Contacts (Pro) feature is used; and
- anyone who contacts us at support@bindyl.com.
If you do not agree with this Privacy Policy, you must discontinue use of the Platform. By using the Platform, you confirm that you have read and understood how your personal information will be processed.
2. WHAT WE MEAN BY "PERSONAL INFORMATION"
In line with POPIA section 1, "personal information" means information relating to an identifiable, living natural person, including (where applicable) an identifiable, existing juristic person. This includes information such as your name, contact details, identity number, location, photographs, biometric information, opinions, and online identifiers.
"Special personal information" under POPIA section 26 includes biometric information (such as facial-recognition templates used for identity verification). Special personal information receives additional protection under sections 27–33 of POPIA.
3. CATEGORIES OF PERSONAL INFORMATION WE COLLECT
We only collect personal information that we genuinely need to provide the Platform. The categories below describe what we collect.
3.1 Information you provide directly
- Waitlist sign-up: your email address.
- Account creation: your name, email address, password (stored as a one-way hash by our authentication operator), and optionally your phone number.
- Profile: date of birth (to confirm you are 18+), gender, university or place of work, suburb or area of interest, profile photographs, "about me" text, and any other information you choose to add.
- Lifestyle questionnaire: your responses to compatibility questions about daily routine, cleanliness, social preferences, and other lifestyle indicators.
- Listings: room details, address (which we geocode), price, photographs, and availability.
- Messages: the content of messages you send to other Users through in-platform messaging.
- Support correspondence: anything you send to support@bindyl.com.
3.2 Information about identity verification (Verified / Pro)
Where you opt in to the Verified badge or Pro upgrade, our verification partner Didit processes:
- a copy of a government-issued identity document (e.g. SA ID, passport, or driving licence) that you upload;
- a short selfie or "liveness check" video; and
- biometric facial templates derived from that selfie to confirm a face-match against the document.
Biometric facial templates are special personal information under POPIA section 26. We rely on your explicit, informed consent under POPIA section 27(1)(a) to process them. You will be asked for that consent on a separate consent screen immediately before verification, and you can decline (in which case you will not be able to obtain Verified or Pro status, but your free Account remains available).
3.3 Information about payments
When you purchase Verified or Pro:
- our payment gateway, Paystack, collects and processes your card or electronic payment details directly under its own security controls;
- Bindyl receives only a payment reference, the amount paid, the date, and a status indicator (e.g. "success", "failed", "refunded"); and
- Bindyl never stores your full card number, expiry date, or CVV.
3.4 Information collected automatically
When you use the Platform, we automatically collect a limited amount of technical information necessary to operate, secure, and improve the service:
- IP address (truncated for analytics where possible);
- device type, operating system, and browser;
- pages visited, features used, and time spent;
- approximate location derived from IP or from the suburb you choose;
- referrer URL and basic crash diagnostics; and
- a pseudonymous Session ID used for authentication.
We do not run advertising trackers, ad-retargeting pixels, or third-party advertising scripts on the Platform.
3.5 Information about other people (Mutual Contacts feature)
The optional Mutual Contacts Pro feature processes information about people in your phone's address book. We deliberately minimise this:
- your device computes a one-way cryptographic hash of each phone number and email address before any data leaves the device;
- only the hashes are transmitted to Bindyl;
- we never receive or store plaintext phone numbers or email addresses of people in your contacts; and
- we delete the hashes when you disable the feature or close your Account.
Further detail is set out in clause 11A of the Terms and Conditions.
3.6 Information from third parties
- Authentication: if you sign up using a social-login provider, that provider tells us your email address and (optionally) name and profile photo. We receive no other social-graph information.
- Identity verification: Didit returns to Bindyl a verification result ("verified" / "failed") and a verification reference. The underlying biometric template stays with Didit.
- Payment: Paystack returns to Bindyl the payment reference, amount, and status as described in 3.3.
We do not buy personal information from data brokers.
4. WHY WE PROCESS YOUR PERSONAL INFORMATION
The table below maps each purpose to the lawful basis under POPIA section 11 (general processing) or section 27 (special personal information).
| Purpose | POPIA lawful basis |
|---|---|
| Operating Accounts, authenticating you, and providing core matching, messaging, and listing features | s11(1)(b) — necessary for the performance of our contract with you (the Terms and Conditions) |
| Processing payments for Verified and Pro | s11(1)(b) — performance of contract |
| Verifying your identity for the Verified badge and Pro | s11(1)(b) — performance of contract; and s27(1)(a) — your explicit consent for biometric processing |
| Calculating Compatibility Scores and surfacing matches | s11(1)(b) — performance of contract |
| Operating the optional Mutual Contacts feature | s11(1)(a) — your consent (see clause 11A of the Terms) |
| Sending you transactional emails (e.g. password reset, payment receipt, breach notification) | s11(1)(b) — performance of contract; s11(1)(c) — legal obligation (for breach notifications under POPIA s22) |
| Communicating launch updates to people on the pre-launch waitlist | s11(1)(a) — your consent (given when you join the waitlist) |
| Moderating reported content, investigating breaches of the Terms, and protecting other Users | s11(1)(d) — protecting a legitimate interest of the data subject; s11(1)(f) — pursuing our legitimate interests in platform safety, balanced against your rights |
| Detecting fraud, abuse, automated scraping, and platform-integrity threats | s11(1)(f) — legitimate interests of Bindyl and Users |
| Improving the Platform, debugging, and fixing security issues | s11(1)(f) — legitimate interests; with strict purpose limitation under s15 |
| Improving the matching algorithm using aggregated or anonymised data only | s11(1)(f) — legitimate interests; non-identifying data is not personal information once properly de-identified |
| Direct marketing to you about Bindyl products (e.g. a launch announcement after you join the waitlist) | s69 — opt-in consent, with an unsubscribe link in every message |
| Complying with legal obligations (tax records, court orders, regulator requests) | s11(1)(c) — legal obligation |
We will not use your personal information for any incompatible new purpose without first obtaining your further consent or having another lawful basis under POPIA section 15.
5. SPECIAL PERSONAL INFORMATION AND CHILDREN
5.1 Biometrics
We process biometric facial templates only:
- through Didit, our identity verification operator;
- on the basis of your explicit, informed consent under POPIA section 27(1)(a), captured on a separate consent screen immediately before the verification flow;
- for the limited purpose of confirming your identity, preventing fraud, and maintaining platform integrity; and
- subject to a retention limit of 24 months from the date of verification, after which records are deleted or anonymised, unless a longer period is required by law or by pending legal proceedings.
You may withdraw consent at any time by contacting our Information Officer. Withdrawal of consent does not affect the lawfulness of processing before withdrawal and may mean we revoke your Verified badge.
5.2 Children
Bindyl is intended for adults aged 18 years or older. We do not knowingly process personal information of children under POPIA section 34, save as permitted by section 35. If we become aware that we hold personal information of a person under 18, we will delete that information promptly unless retention is required by law.
If you believe we hold personal information of a child, contact our Information Officer at support@bindyl.com.
6. WHO WE SHARE YOUR PERSONAL INFORMATION WITH
We share personal information only with the parties described below, and only for the purposes listed. Each operator is bound by a written contract that meets the requirements of POPIA sections 20 and 21.
6.1 Operators (processors acting on our behalf)
| Operator | What it does for us | Where it processes information |
|---|---|---|
| Clerk | Authentication and Account management | United States of America |
| Convex | Database and backend hosting (Account, profile, messages, listings, lifestyle questionnaire) | United States of America |
| Didit | Identity verification, including biometric facial check | European Union |
| Paystack | Payment processing (Verified, Pro) | Republic of South Africa |
| Vercel | Web application hosting and content delivery | United States of America |
| Mapbox | Maps, geocoding, and reverse geocoding for listings | United States of America |
We do not sell your personal information. We do not share your personal information with advertising networks or data brokers.
6.2 Other Users
Information you choose to put on your public profile (name, photographs, age, gender, suburb, university or workplace, bio, and lifestyle preferences) is visible to other Users of the Platform. Messages you send are visible to the recipient.
6.3 Law enforcement, regulators, and courts
We may disclose personal information where required by South African law, including:
- in response to a valid court order, subpoena, or directive from the Information Regulator, the South African Revenue Service, or a competent law-enforcement agency;
- to comply with our breach-notification obligations under POPIA section 22; and
- to defend Bindyl against legal claims.
6.4 Business transfers
If Bindyl is sold, merged, or transferred to a successor entity (including a future Bindyl (Pty) Ltd), your personal information may be transferred as part of that transaction, subject to clause 22 of the Terms and Conditions and applicable law.
7. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION
As shown in the table above, several of our operators process personal information outside the Republic of South Africa, primarily in the United States and the European Union.
Under POPIA section 72, we transfer personal information to a third party in another country only where:
- you have consented to the transfer;
- the transfer is necessary for the performance of the contract between you and Bindyl (or for steps taken at your request before entering into the contract);
- the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection of personal information substantially similar to POPIA; or
- the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent.
We maintain written agreements with our operators that include POPIA-aligned safeguards (confidentiality, security, retention, deletion, audit, and breach-notification obligations).
8. RETENTION OF PERSONAL INFORMATION
We retain personal information only for as long as is necessary for the purposes for which it was collected, in line with POPIA section 14. Indicative retention periods are set out below; actual periods may be shorter where the purpose has been fulfilled, or longer where a specific law requires it.
| Category | Retention period |
|---|---|
| Account data (while Account active) | Duration of Account |
| Account data (after closure) | 30 days for hard deletion; thereafter only as required by law |
| Identity verification records (Didit) | 24 months from verification |
| Payment records | 5 years (tax compliance under the Tax Administration Act, No. 28 of 2011) |
| Moderation records and abuse reports | 24 months or until resolution + reasonable defence period |
| Server logs and security telemetry | 90 days |
| Pre-launch waitlist email | Until 12 months after public launch, unless you unsubscribe earlier |
| Marketing-consent records | Duration of consent, plus 12 months after withdrawal as proof of compliance |
| Mutual Contacts hashes | Only while the feature is enabled; deleted within 7 days of disabling or Account closure |
Where personal information has been irreversibly anonymised, it is no longer "personal information" under POPIA and may be retained for analytical purposes.
9. SECURITY OF PERSONAL INFORMATION
We implement appropriate technical and organisational measures to safeguard personal information against loss, damage, unauthorised destruction, and unauthorised or unlawful access, as required by POPIA section 19. These measures include:
- encryption in transit using HTTPS / TLS for all traffic between you and the Platform;
- encryption at rest where supported by our operators (Convex, Clerk, Didit, Paystack);
- multi-tenant data-segregation controls;
- access controls, role-based permissions, and audit logging for administrative actions;
- rate-limiting and abuse-detection on authentication and messaging endpoints;
- security headers (including Strict-Transport-Security, X-Content-Type-Options, and a strict Content Security Policy);
- regular review of vendor security postures and incident-response planning; and
- written Data Processing Agreements with each operator.
No internet-based service can guarantee absolute security. By using the Platform you acknowledge this and accept that you bear responsibility for keeping your account credentials confidential.
10. SECURITY COMPROMISES (DATA BREACHES)
If a security compromise occurs that affects your personal information and creates a real risk of harm, we will, in line with POPIA section 22:
- notify the Information Regulator as soon as reasonably possible; and
- notify you as soon as reasonably possible, using your registered email address or by prominent notice on the Platform.
Our notice will describe (where known): the nature of the compromise, the personal information affected, the likely consequences, the measures taken or proposed, and recommendations for you to mitigate possible adverse effects.
11. YOUR RIGHTS UNDER POPIA
You have the following rights in respect of personal information that we process about you. To exercise any of them, contact our Information Officer at support@bindyl.com. We will respond within a reasonable time and at no charge (except where the request is unreasonable or excessive, in which case we may charge a reasonable, prescribed fee).
| Right | POPIA reference | What it means |
|---|---|---|
| Right to be notified | s18 | To be told that we are collecting your personal information, what we are collecting, why, and who we may share it with — discharged through this Privacy Policy and notices at the point of collection. |
| Right of access | s23 | To ask whether we hold personal information about you, and to receive a description of that information and a record of the third parties we have shared it with. |
| Right to correction | s24(1)(a) | To ask us to correct or update personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained. |
| Right to deletion | s24(1)(b) | To ask us to delete or destroy personal information that we are no longer authorised to retain. |
| Right to object | s11(3) | To object on reasonable grounds, in the prescribed manner, to processing based on our or another party's legitimate interests; to processing for direct marketing other than under s69; or to processing for purposes of direct marketing by means of unsolicited electronic communications. |
| Right to withdraw consent | s11(2)(b) | Where processing is based on your consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Right not to be subject to a decision based solely on automated processing | s71 | We do not currently take any decision that has legal effect or affects you to a substantial degree based solely on automated processing. Compatibility Scores are guidance only and any moderation decision is reviewed by a human. |
| Right to lodge a complaint | s74 | To complain to the Information Regulator if you believe we have not handled your personal information lawfully — contact details below. |
We may need to verify your identity before responding to a request. If we cannot fulfil a request (for example, because we are required by law to retain certain information), we will explain why.
You also have a right under PAIA to request access to records held by Bindyl. Our PAIA Manual sets out how to make such a request and the prescribed forms.
12. DIRECT MARKETING
We send direct-marketing communications (such as a launch announcement after you have joined the pre-launch waitlist, or product updates) only:
- where you have given opt-in consent for that purpose, as required by POPIA section 69 read with the regulations to POPIA; or
- to an existing customer in respect of our own similar Services, in line with POPIA section 69(3), in which case you may opt out at any time.
Every marketing email contains an unsubscribe link. You may also opt out at any time by emailing the Information Officer.
We do not sell or rent your personal information to third parties for their direct marketing.
13. COOKIES AND SIMILAR TECHNOLOGIES
We use a small number of cookies and similar technologies to operate the Platform. We currently do not use third-party advertising cookies, advertising pixels, or cross-site tracking technologies.
| Cookie type | Purpose | Examples | Duration |
|---|---|---|---|
| Strictly necessary | Authenticate you, keep you signed in, prevent CSRF attacks, remember basic preferences essential to operation | Clerk session cookies; Convex connection cookies; CSRF tokens | Session or up to 30 days |
| Functional | Remember non-essential preferences such as theme or language | Bindyl preference cookies | Up to 12 months |
| Performance / aggregated analytics | Understand which pages are used and how, in aggregated form, to improve the service | Vercel platform analytics (aggregated, no individual user identifiers shared with us) | Up to 13 months |
Because we use only strictly necessary, functional, and aggregated performance cookies, we do not currently display a cookie consent banner. We will revisit this position if we introduce any non-essential tracking technology, in which case we will request your prior consent.
You can clear or block cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using the Platform.
14. AUTOMATED DECISION-MAKING
We do not take any decision that has legal effect on you, or which affects you to a substantial degree, based solely on automated processing. Specifically:
- Compatibility Scores and matches are guidance only. They are not used to make any binding decision about you.
- Moderation actions (content removal, suspension, ban) are made or reviewed by a human, even where automated tools flag content for review. You have a 14-day right of appeal under clause 13 of the Terms and Conditions.
- Verified status is granted automatically only after Didit's identity check succeeds — but you may also appeal a failure to our Information Officer.
If we introduce any new automated decision-making, we will update this Privacy Policy and (where required) obtain your prior consent or implement the safeguards set out in POPIA section 71.
15. INFORMATION OFFICER AND CONTACT DETAILS
The Information Officer for Bindyl, designated under POPIA section 55, is:
- Name: Markus Taljaard
- Email: support@bindyl.com
- Postal address: 4 Louw Street, Stellenbosch, Western Cape 7600, South Africa
- Phone: +27 71 227 7143
Please address all privacy enquiries, access requests, correction requests, deletion requests, objections, and consent-withdrawal notices to the Information Officer at the contact details above.
16. INFORMATION REGULATOR (SOUTH AFRICA)
If you are not satisfied with the way we have handled your personal information or your request, you have a right under POPIA section 74 to lodge a complaint with the Information Regulator:
- Information Regulator (South Africa)
- Postal address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Email: complaints.IR@justice.gov.za
- General enquiries: enquiries@inforegulator.org.za
- Website: https://inforegulator.org.za
We encourage you to contact us first so we can try to resolve the issue.
17. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. When we do, we will:
- update the "Last Updated" date at the top of this page;
- where the change is material, give you reasonable advance notice by email to the address on your Account, or by prominent notice on the Platform, before the change takes effect; and
- where the change requires fresh consent under POPIA (for example, an incompatible new purpose), seek that consent before processing your personal information for the new purpose.
Continued use of the Platform after a non-material change constitutes your acknowledgement of the updated Privacy Policy.
18. ENTIRE PRIVACY POSITION; PRECEDENCE
This Privacy Policy, together with the Terms and Conditions and any specific notices given at the point of collection, sets out the entire arrangement between you and Bindyl regarding the processing of your personal information. In the event of any conflict between this Privacy Policy and the Terms and Conditions in respect of personal information, this Privacy Policy prevails. Nothing in this Privacy Policy limits or excludes any right you have under POPIA or any other South African law.
By using the Platform, you acknowledge that you have read and understood how Bindyl processes your personal information as described above.