1. Purpose of This Policy
This Privacy Policy explains how the EPC Calculator collects, uses, stores, shares and protects personal information in line with the Protection of Personal Information Act 4 of 2013 ("POPIA"). The app supports Energy Performance Certificate (EPC) project preparation, calculations, project access control, ownership review workflows and supporting reports.
This policy applies to registered users, building owners, inspectors, administrators and any other person whose personal information is captured in the app.
2. Responsible Party
The responsible party is the organisation or project team that operates this EPC Calculator instance and determines why and how personal information is processed. Where the app is deployed for a particular organisation, that organisation is responsible for ensuring that the system is used in a lawful and POPIA-compliant manner.
Privacy questions, access requests or deletion/correction requests should be sent to the system administrator or appointed Information Officer for this deployment.
3. Personal Information We Process
Depending on how you use the app, we may process the following categories of information:
- Account information: email address, password hash, optional full name, role, capabilities, account status and user ID.
- Authentication and security information: login tokens, refresh tokens, session state and password reset or account recovery records where applicable.
- Project and building information: project name, building name, owner details, physical address, ERF number, portion number, township, municipality, city, province, latitude, longitude and formatted address.
- EPC calculation information: occupancy class, energy zone, energy consumption values, fuel values, floor areas, excluded areas, occupancy data, calculated results and generated report metadata.
- Access management information: project membership, delegated access level, inspector assignment, granted-by user and project access history.
- Ownership review information: conflict checks, ownership review requests, justifications, evidence links, status, review notes and administrator decisions.
- Inspector or administrative workflow information: inspector application details, SANEDI registration numbers where captured, admin user actions and approval/rejection records.
- Technical and usage information: browser requests, timestamps, error logs, IP addresses in server logs and diagnostic information needed to operate and secure the service.
4. Why We Process Personal Information
We process personal information only for specific, lawful and reasonably necessary purposes, including:
- creating and managing user accounts;
- authenticating users and protecting access to projects;
- allowing building owners to create, store and manage EPC projects;
- allowing authorised users and inspectors to access delegated projects;
- calculating indicative EPC results and generating supporting reports;
- checking possible duplicate buildings by normalised ERF or address information;
- managing ownership review requests and administrator decisions;
- supporting auditability, troubleshooting, system security and abuse prevention;
- meeting applicable legal, regulatory or contractual obligations; and
- supporting the formal EPC process outside the app, where the user chooses to share information with a registered professional, SANEDI or the NBEPR.
5. Lawful Basis for Processing
Personal information is processed where one or more lawful grounds under POPIA apply, including:
- Consent: for example, where you register, accept this policy, request building owner access or voluntarily submit project information.
- Contract or service delivery: where processing is necessary to provide the app and manage your account or projects.
- Legal obligation: where records are required for compliance, audit, security or EPC-related regulatory processes.
- Legitimate interests: where processing is needed to secure the app, prevent misuse, maintain project integrity or resolve ownership conflicts.
6. How We Use Cookies, Tokens and Local Storage
The app uses browser storage to keep you signed in and remember certain working preferences. This may include access tokens, refresh tokens, selected project IDs and user interface state. If you choose not to be remembered on the device, authentication tokens may be stored only for the browser session.
Do not use "Remember me" on shared or public computers. You can clear stored tokens by logging out or clearing your browser data.
7. Sharing of Personal Information
We do not sell personal information. Personal information may be shared only where necessary and appropriate, including with:
- users who have been granted access to the same project;
- inspectors or registered professionals assisting with EPC preparation or assessment;
- administrators who manage accounts, project ownership, access and workflow decisions;
- hosting, database, backup or technical service providers who support the system;
- SANEDI, the NBEPR, regulators or legal authorities where the user submits information externally or where disclosure is required by law; and
- professional advisers or auditors where required for governance, compliance or dispute resolution.
Project owners are responsible for granting access only to appropriate users and for ensuring that building, tenant or third-party information is captured and shared lawfully.
8. Cross-Border Transfers
If the app, database, backups or support services are hosted outside South Africa, personal information may be transferred cross-border. In that case, reasonable steps should be taken to ensure that the recipient is subject to appropriate data protection obligations, safeguards or contractual terms consistent with POPIA.
9. Retention of Information
Personal information is retained only for as long as reasonably necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law, contract, audit needs, dispute resolution or EPC project recordkeeping.
- Account records are generally retained while the account remains active.
- Project records are retained while needed by the project owner or authorised organisation.
- Generated reports and calculation records may be retained for audit, evidence and EPC preparation purposes.
- Security and system logs may be retained for a limited period needed to detect errors, misuse or unauthorised access.
When information is no longer required, it should be securely deleted, anonymised or archived in line with the applicable retention rules for the deployment.
10. Security Safeguards
We use reasonable technical and organisational safeguards to protect personal information against unauthorised access, loss, damage, misuse, alteration or disclosure. These safeguards may include:
- storing hashed passwords rather than plain-text passwords;
- token-based authentication and logout controls;
- role- and capability-based access control;
- project-level membership permissions;
- administrator-only workflow screens;
- input validation and server-side authorisation checks;
- database backups and controlled access to hosting environments; and
- monitoring, error logs and maintenance processes.
No system can be guaranteed completely secure. Users must protect their passwords, use appropriate devices and networks, and log out when finished, especially on shared computers.
11. Data Quality and User Responsibilities
POPIA requires personal information to be accurate, complete and not misleading where reasonably practicable. Users are responsible for capturing accurate account, project, building and EPC data. Building owners and administrators should correct inaccurate information as soon as they become aware of it.
Users should not upload or enter personal information that is unnecessary for the EPC workflow. Where project information includes third-party details, such as tenant or owner contact information, the user capturing that information must ensure that they have a lawful basis to do so.
12. Your POPIA Rights
Subject to POPIA and any lawful limitations, you may request to:
- confirm whether we hold personal information about you;
- access the personal information we hold about you;
- correct, update or complete inaccurate personal information;
- delete or destroy personal information that we are no longer authorised to retain;
- object to processing in appropriate circumstances;
- withdraw consent where processing is based on consent, without affecting prior lawful processing;
- request reasons for automated decisions, where applicable; and
- complain to the Information Regulator if you believe your rights have been infringed.
We may need to verify your identity before responding to a request. Requests may be refused or limited where POPIA or another law allows or requires refusal, for example where records must be retained for legal, audit, security or dispute purposes.
13. Automated Processing and EPC Results
The app automatically calculates indicative EPC outputs from the values entered by users. These calculations support review and preparation but do not constitute an official EPC, regulatory decision or final professional assessment. Users and registered professionals remain responsible for verifying source data and formal submissions.
14. Security Incidents
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party should investigate and, where required by POPIA, notify the Information Regulator and affected data subjects as soon as reasonably possible.
15. Children's Personal Information
This app is intended for EPC project and building compliance workflows and is not directed at children. Users should not intentionally capture children's personal information unless there is a lawful basis and it is strictly necessary for a legitimate EPC-related purpose.
16. Changes to This Policy
This policy may be updated when the app, legal requirements, hosting arrangements or EPC workflows change. Material changes should be communicated through the app or by another appropriate notice. Continued use of the app after an update means the updated policy applies from the effective date.
17. Contact and Complaints
To ask questions, exercise POPIA rights, report a privacy concern or request correction/deletion of information, contact the system administrator or appointed Information Officer for this deployment.
You may also lodge a complaint with the Information Regulator (South Africa):
- Website: https://inforegulator.org.za/
- Email: POPIAComplaints@inforegulator.org.za
Last updated: May 2026