Privacy Policy

1. Who We Are

CRCLX (Pty) Ltd(“CRCLX”, “we”, “us”, or “our”) operates the platform at crclx.co.za. We are the responsible party for the personal information we process, as defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”).

Registration No.: 2026/321418/07
Registered address: 493 Reier Road, Roodeplaat, Pretoria, Gauteng, 0039, South Africa
Information Officer: contact@crclx.co.za

2. Information We Collect

Information you provide at signup:

• Full name
• Email address
• Password (stored as a secure, one-way hash — we never see your plaintext password)
• Account role (Fan or Creator)

Information you provide during use:

• Profile photo and display name
• Social media handles (optional)
• Watch progress and content consumption history
• Follower and following relationships between accounts
• Messages and community interactions within Circles

For Creators, additionally:

• Bank confirmation letter or bank account details — required for payout verification and settlement. Stored securely and used solely for disbursement.
• South African ID number or tax reference number, where required by SARS reporting obligations.

Information collected automatically:

• IP address and approximate geographic location
• Browser type and operating system
• Device identifiers
• Pages visited, session duration, and click patterns
• Referral source

3. Payment Data

When you make a payment, you interact directly with our payment gateway provider’s secure checkout. CRCLX receives only a transaction reference, amount, and status confirmation. Our payment gateway provider’s own privacy policy governs the collection and use of your payment information.

4. How We Use Your Information

We use your personal information for the following purposes:

• Account management — creating and maintaining your account, verifying your identity, and enabling login.
• Platform delivery — streaming content, tracking watch progress, managing Circle access and Membership entitlements.
• Settlement and financial administration — calculating Creator revenue shares, processing Creator payouts, issuing settlement statements, and handling refunds.
• Customer support — responding to enquiries, resolving disputes, and investigating reported issues.
• Security — enforcing our one-session policy, detecting fraud and unauthorised access, and protecting the Platform and its users.
• Anonymised analytics — understanding how the Platform is used in aggregate to improve features and performance. We do not sell individual-level analytics data.
• Marketing communications — sending you updates, newsletters, and promotional content, only where you have given consent or we have a legitimate interest, and always with a clear unsubscribe option.

5. Lawful Basis Under POPIA

The Protection of Personal Information Act 4 of 2013 requires us to identify a lawful basis for processing personal information. We rely on the following bases under POPIA Section 11:

• Contract performance (s.11(1)(a)) — processing necessary to provide the Platform services you have signed up for, including account creation, content access, and Creator settlement.
• Legitimate interests (s.11(1)(f)) — processing necessary for our legitimate interests in operating a secure, functioning platform, detecting fraud, and improving our services, where those interests are not overridden by your rights.
• Consent (s.11(1)(a)) — for optional marketing communications and any processing beyond what is required for the contract. You may withdraw consent at any time.
• Legal obligation (s.11(1)(c)) — processing required by law, including SARS financial record-keeping obligations and compliance with the Financial Intelligence Centre Act (FICA) where applicable.

6. Third-Party Service Providers

We share your personal information only with service providers who are essential to operating the Platform, and only to the extent necessary for their specific function. We enter into data processing agreements with all third parties who handle personal information on our behalf.

We do not sell your personal data to any third party, ever.

We do not share your personal information with advertisers, data brokers, or any party for their own marketing purposes.

7. International Transfers

Some of our service providers (including Vercel and Resend) may process data outside the Republic of South Africa. POPIA Section 72 requires that international transfers only occur where the recipient country provides an adequate level of protection, or where appropriate safeguards are in place.

Where we transfer data internationally, we ensure appropriate contractual safeguards are in place, including standard contractual clauses or equivalent mechanisms. We will not transfer data to a jurisdiction that does not provide adequate protection without your consent or without implementing appropriate safeguards.

8. Data Retention

We retain your personal information for as long as your account is active. If you close your account, we will delete or anonymise your personal data within a reasonable period, subject to the following exceptions:

• Financial and transaction records are retained for a minimum of 5 years after the relevant transaction, as required by the South African Revenue Service (SARS) and applicable financial record-keeping regulations.
• Legal hold — where records are subject to an active dispute, legal proceedings, or regulatory inquiry, we retain the relevant data until the matter is resolved.
• Security logs — access and security event logs are retained for 90 days for fraud prevention and incident response purposes.

9. Your Rights Under POPIA

Under POPIA, you have the following rights regarding your personal information:

• Right of access — you may request a copy of the personal information we hold about you.
• Right to correction — you may request that we correct inaccurate or incomplete information.
• Right to deletion — you may request that we delete your personal information, subject to our retention obligations.
• Right to object — you may object to the processing of your personal information on grounds of legitimate interest, including direct marketing.
• Right to data portability — you may request a machine-readable copy of the data you have provided to us.
• Right to lodge a complaint — if you believe we have processed your personal information in violation of POPIA, you may lodge a complaint with the Information Regulator of South Africa at inforeg@justice.gov.za.

To exercise any of these rights, contact us at contact@crclx.co.za. We will respond within 30 days. Identity verification may be required before we can act on your request.

10. Cookies and Tracking

We use session cookies and local storage to maintain your login state, remember your preferences, and secure your account. These are strictly necessary for the Platform to function and cannot be disabled without affecting core functionality.

We use anonymised analytics to understand platform usage patterns. This data does not identify you individually. We do not use third-party advertising cookies or tracking pixels from advertising networks.

You may configure your browser to refuse cookies, but this may prevent you from using certain features of the Platform.

11. Children’s Privacy

The Platform is not intended for children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13 without verifiable parental consent, we will delete that information promptly.

Users between 13 and 17 years of age may access the Platform only with verifiable parental or guardian consent. Parents or guardians who believe their child has provided personal information without consent should contact us at contact@crclx.co.za.

12. Security

We implement reasonable and appropriate technical and organisational measures to protect your personal information against loss, misuse, and unauthorised access. These measures include:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Row-level security (RLS) on our database, enforcing access controls at the data layer
• One-active-session enforcement per account to prevent unauthorised concurrent access
• Regular security reviews and access audits
• Passwords stored as one-way cryptographic hashes (we never store plaintext passwords)

No security system is impenetrable. We cannot guarantee absolute security, but we continuously work to improve our protections and respond promptly to identified vulnerabilities.

13. Data Breach Notification

In the event of a personal information breach that is reasonably likely to result in serious harm to you, CRCLX will:

• Notify the South African Information Regulator within 72 hours of becoming aware of the breach.
• Notify affected individuals as soon as reasonably practicable, describing the nature of the breach, the information involved, and the steps you can take to protect yourself.
• Take immediate steps to contain the breach and prevent further harm.

If you believe your account has been compromised or you suspect a security incident, contact us immediately at contact@crclx.co.za.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users by email before material changes take effect and will update the “Last Updated” date at the top of this page.

Your continued use of the Platform after the effective date of any updated Privacy Policy constitutes your acceptance of the changes.

15. Contact and Information Officer

For any privacy or data-related questions, requests, or complaints, contact us at the address above. We respond to all privacy requests within 30 days.