1. Introduction
MPK Development (Pty) Ltd ("we", "us", "our") operates OptEva, an enquiry management and CRM platform for South African real estate agencies, accessible at https://opteva.co.za (the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect personal information in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African privacy legislation.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. Access to the Platform is by invitation only — there is no public registration.
2. Who We Are
Responsible Party (as defined in POPIA):
- MPK Development (Pty) Ltd
- Registration No: 2014/091288/07
- 88 Herman Street, Flora Park, Polokwane, 0700, South Africa
- Email: info@opteva.co.za
- Information Officer: Pieter Klynsmith
3. Scope of This Policy
This Policy applies to:
- All users of the OptEva Platform (agents, branch managers, company administrators)
- All data subjects whose personal information is captured within the Platform (property buyers, sellers, and other contacts)
- All personal information processed through or in connection with the Platform
4. Personal Information We Collect
4.1 User Account Information
When an administrator creates a user account on your behalf, we collect:
- Full name (first name and surname)
- Email address
- Cell phone number and office telephone number
- South African ID number
- Title (e.g., Mr, Mrs, Dr)
- Profile photograph (optional)
- Password (stored as a bcrypt hash — never in plain text)
- User role within the platform
- 6-digit short login code
4.2 Contact / Party Information
Users capture information about property buyers, sellers, and other contacts, including:
- First name and last name
- Email address, telephone, and mobile number
- South African ID number
- Company name, registration number, and VAT number (for legal entities)
- Full physical address
- Status notes and correspondence history
4.3 Property Information
Property records may contain personal or commercially sensitive data including:
- Property description, type, and full address (erf number, title deed number)
- Physical dimensions, bedroom/bathroom/garage counts
- Asking price, selling price, and listing status
- Notes and associated documents
4.4 Automatically Collected Information
- A single HttpOnly authentication cookie (opteva_token) — secure, not accessible to JavaScript, used exclusively for session authentication
- User profile data cached in browser localStorage for display purposes (non-sensitive)
- IP addresses (processed by Cloudflare and Mailgun for security and delivery purposes)
OptEva uses one essential first-party cookie for authentication. We do not use analytics trackers, advertising cookies, or third-party tracking technology. See our Cookie Policy for details.
5. Lawful Basis for Processing
We process personal information only where we have a lawful basis under POPIA, including:
| Lawful Basis | Application |
|---|---|
| Contractual necessity | Processing user account and platform access data to deliver the service |
| Legitimate interest | Security, fraud prevention, and platform integrity |
| Compliance with legal obligation | Where required by South African law, court order, or regulatory authority |
| Consent | Google Calendar integration (user explicitly connects their Google account) |
6. How We Use Personal Information
- Providing and operating the OptEva platform and its features
- Authenticating users and maintaining account security
- Sending transactional emails (password resets, welcome notifications)
- Synchronising reminders with Google Calendar (only when the user has connected their Google account)
- Storing and retrieving documents uploaded by users
- Generating aggregated, anonymised operational statistics for dashboards
- Complying with legal and regulatory obligations
We do not use personal information for marketing, profiling, or automated decision-making, and we do not sell data to third parties.
7. Third-Party Service Providers (Operators)
We share personal information only with the following operators who process data on our behalf and are bound by appropriate data processing agreements:
| Service Provider | Purpose | Data Shared / Location |
|---|---|---|
| Google Calendar API | Calendar event sync | Reminder descriptions, contact names, phone numbers, property details, dates. User consent required. USA/global. |
| Railway | Application & database hosting | All application data including PostgreSQL database. USA. |
| Cloudflare R2 | Document/file storage | Uploaded documents (PDF, images, Office files). Cloudflare global edge. |
| Mailgun | Transactional email delivery | User email addresses and names (password reset, welcome emails). EU endpoint. |
We do not use Google Analytics, Sentry, Hotjar, or any other tracking or analytics service.
8. Cross-Border Transfers of Personal Information
Our service providers (Railway, Cloudflare, Google, Mailgun) are based outside South Africa. By using OptEva, your organisation (as a juristic person who has entered into an agreement with us) acknowledges and agrees to these cross-border transfers as necessary for service delivery. We take reasonable steps to ensure that these providers maintain adequate protections consistent with POPIA Section 72.
9. Data Retention
We retain personal information for as long as necessary to deliver the service and meet legal obligations:
- User account data: Retained while the account is active and for 12 months after deactivation or termination of the company subscription.
- Contact and property data: Retained as configured by the company administrator; upon account termination, retained for 12 months then securely deleted.
- Documents: Retained in Cloudflare R2 until deleted by an authorised user or upon account termination.
- Transactional email logs: Retained by Mailgun per their data retention policies.
- Password reset tokens: Expire after 60 minutes and are invalidated on use.
- Google Calendar OAuth tokens: Retained until the user disconnects their Google account.
10. Data Subject Rights (POPIA Chapter 2)
As a data subject, you have the following rights under POPIA. To exercise any of these rights, contact our Information Officer at info@opteva.co.za:
- Right of access: Request confirmation of what personal information we hold about you.
- Right to correction or deletion: Request correction of inaccurate information or deletion of information we are not legally required to retain.
- Right to object: Object to the processing of your personal information on reasonable grounds.
- Right to withdraw consent: Where processing is based on consent (e.g., Google Calendar), withdraw consent at any time without affecting prior lawful processing.
- Right to lodge a complaint: Lodge a complaint with the Information Regulator of South Africa (www.justice.gov.za/inforeg/).
We will respond to verified data subject requests within 30 days. Complex requests may require up to 60 days with notification.
11. Security Measures
We implement industry-standard technical and organisational security measures, including:
- Passwords stored exclusively as bcrypt hashes (never plain text)
- JWT tokens transmitted via HTTPS Bearer headers only
- Password reset tokens hashed using SHA-256 with 60-minute expiry
- Pre-signed URLs for document downloads with 1-hour expiry
- Role-based access control — users access only their company and branch data
- HttpOnly Secure cookie for authentication — not accessible to JavaScript, eliminating XSS token theft
- Cloudflare infrastructure providing DDoS protection and TLS encryption
While we implement robust security measures, no system is entirely impenetrable. In the event of a security compromise, we will notify affected parties as required by POPIA Section 22.
12. Children's Personal Information
OptEva is a professional B2B platform intended exclusively for use by real estate professionals. We do not knowingly process personal information of persons under 18 years of age as platform users.
13. Automated Decision-Making
OptEva does not use automated decision-making or profiling that produces legal or similarly significant effects on data subjects.
14. Google Calendar Integration
When a user connects their Google Calendar:
- We request only the calendar.events scope (read/write calendar events)
- We do not access email, contacts, or other Google services
- OAuth refresh tokens are stored securely per user in our database
- Events are titled "OptEva Reminder" and include reminder description, contact details, and property information
- Users may disconnect their Google Calendar at any time from their profile settings, which revokes our access and deletes stored tokens
15. Changes to This Policy
We may update this Privacy Policy from time to time. Company administrators will be notified of material changes via email. Continued use of the Platform after the effective date of changes constitutes acceptance of the revised Policy.
16. Information Officer and Contact Details
Our designated Information Officer responsible for POPIA compliance is:
- Pieter Klynsmith
- Information Officer, MPK Development (Pty) Ltd
- Email: info@opteva.co.za
- Postal Address: 88 Herman Street, Flora Park, Polokwane, 0700
Information Regulator of South Africa:
- JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- www.justice.gov.za/inforeg/ · inforeg@justice.gov.za
