Privacy, clearly stated.
This notice explains what TrustSavi collects, why it is used, who may receive it, how long it is kept, and what rights apply.
Responsibility follows the role.
TrustSavi (Pty) Ltd is the responsible party or controller for website, account, enquiry, proposal, and business-administration information where it determines why and how that information is processed. For client portfolio data, TrustSavi may act as a responsible party, operator, controller, processor, or joint participant depending on the signed engagement and the client's lawful role in the portfolio.
The applicable engagement must identify the client, TrustSavi's role, the permitted users, the lawful purpose, the data categories, the retention/deletion rules, and any approved operators or processors before live portfolio data is transferred.
Accountability must be operational.
TrustSavi must register and publish an Information Officer contact route before production processing of live portfolio personal information. That route must be able to handle POPIA and PAIA requests.
TrustSavi must maintain and publish access to a PAIA manual describing records held, request procedures, fees where applicable, forms, and the Information Officer contact route.
Before live portfolio processing, TrustSavi should complete a personal information impact assessment covering data categories, purposes, lawful bases, recipients, safeguards, retention, cross-border processing, and residual risk.
TrustSavi must maintain an incident process for suspected loss, unauthorised access, or unlawful processing of personal information, including assessment and notification to affected parties and the Information Regulator where required by law.
TrustSavi's PAIA and Information Officer readiness position is summarised at /paia/. That page must be replaced with verified particulars before the site is used for production live-data processing.
What may be processed.
Name, organisation, job role, work email, mobile number, country, selected user type, account credentials, account status, and communication preferences.
Information you provide when asking about a valuation, data readiness review, buyer pack, seller pack, governance review, pricing, or support request.
Where a written engagement permits it, account-level portfolio fields, balances, dates, status, segmentation fields, recovery history, collection costs, assumptions, run manifests, review notes, and valuation outputs.
Device and browser information, IP address, access dates and times, pages viewed, account activity, diagnostic logs, security events, and records needed to operate and protect the service.
Where it comes from.
- You or your organisation when you create an account, use a workflow, submit an enquiry, or provide portfolio information.
- Authorised users, advisers, agents, or representatives acting for the client or prospective client.
- Service providers that support hosting, account administration, communication, diagnostics, security, document handling, or professional services.
- Public, regulatory, company, market, or transaction information where it is lawful and relevant to the agreed valuation purpose.
Why it is used.
Operate the website, manage account access, authenticate users, route support requests, maintain logs, prevent misuse, and keep records of accepted terms.
Respond to enquiries, assess whether TrustSavi can accept a project, prepare proposals, manage scope, administer contracts, invoice clients, and keep engagement records.
Assess data readiness, perform agreed portfolio analysis, document assumptions, produce valuation outputs, prepare review materials, and respond to permitted review questions.
Comply with applicable law, protect rights, respond to lawful requests, manage complaints, investigate security events, enforce terms, and maintain audit and governance records.
Every use needs a basis.
- Consent, where TrustSavi asks for consent and the law requires it.
- Contract, where processing is necessary to create, administer, perform, or close an engagement or account relationship.
- Legal obligation, where TrustSavi must keep records, respond to lawful requests, or comply with applicable law.
- Legitimate interests, where TrustSavi or a client has a lawful and balanced interest in service operation, security, fraud prevention, portfolio analysis, dispute handling, or business administration.
- Client instructions, where TrustSavi acts as an operator or processor for a client that determines the purpose and means of processing.
No silent marketing.
TrustSavi should not send unsolicited electronic direct marketing unless it has a lawful basis, keeps the required consent or customer relationship records, identifies the sender, and provides a practical opt-out route. Service, security, legal, and engagement messages are treated separately from optional marketing.
Do not send what is not needed.
TrustSavi does not ask for identity documents, passwords, payment-card numbers, biometric information, health information, criminal records, children's information, or special personal information through the public website. If any such information is necessary for a specific engagement, the engagement must state the lawful basis, safeguards, access limits, and whether any prior authorisation, consent, or additional assessment is required.
No silent onward use.
Client users, named reviewers, professional advisers, and other recipients authorised in the engagement may receive outputs or relevant extracts.
Hosting, account, communication, diagnostics, document, security, and professional-service providers may process information only for authorised purposes and under appropriate written terms.
TrustSavi may disclose information where required by law, court order, regulator, tax authority, law-enforcement authority, or to protect rights, safety, security, or legitimate legal interests.
If TrustSavi undergoes a merger, acquisition, financing, restructuring, or sale of business assets, relevant information may be shared under confidentiality and continuity controls.
Transfers need a lawful route.
TrustSavi may use service providers, infrastructure, reviewers, or professional advisers located outside South Africa. Cross-border processing may occur only where the transfer is lawful, appropriate safeguards are in place, the recipient is subject to suitable contractual obligations, or another lawful transfer mechanism applies. A client engagement should identify material cross-border processing where portfolio personal information is involved.
Keep only what is defensible.
- Website diagnostic and security logs: normally up to 12 months unless needed for security, legal, or operational reasons.
- Enquiry and proposal records: normally up to 36 months after the last meaningful contact, unless a longer period is needed for legal or business records.
- Account records: for the life of the account and normally up to 5 years after closure where needed for legal, fraud-prevention, or dispute records.
- Engagement records and valuation outputs: for the period in the signed engagement, or otherwise normally up to 5 years after completion where needed for reliance, tax, audit, governance, or dispute records.
- Portfolio source files: only for the period required by the engagement, review cycle, legal hold, or agreed hand-back/deletion process.
- Backups: retained on controlled backup cycles and overwritten or deleted according to the applicable technical retention process.
Reasonable measures. No empty promises.
TrustSavi must maintain reasonable technical and organisational measures appropriate to the information, the processing purpose, and the agreed service. Measures may include access limitation, role-based permissions, confidentiality obligations, logging, supplier controls, incident review, and deletion or return processes. No website or processing environment can be guaranteed to be risk-free.
Users and clients must not send passwords, keys, tokens, live portfolio files, identity documents, or special personal information through informal channels. Live portfolio transfer should occur only through the approved channel and controls stated in the engagement.
People can challenge the record.
You may ask whether TrustSavi holds personal information about you and request access to that information, subject to identity verification and lawful grounds for refusal.
You may ask TrustSavi to correct, update, delete, or destroy personal information where the law permits or requires it.
You may object to processing or ask for restriction where the law gives you that right, including objection to direct marketing.
Where GDPR applies, you may also have rights to portability, restriction, withdrawal of consent, objection to certain legitimate-interest processing, and complaint to an EU or UK supervisory authority.
South African data subjects may complain to the Information Regulator if they believe their personal information has been processed unlawfully. The Information Regulator publishes POPIA and PAIA forms, guidance, and complaint routes at inforegulator.org.za.
Keep the notice accurate.
Privacy requests should be sent through the TrustSavi account, support, or engagement contact channel available to you. Before production launch, TrustSavi must publish a dedicated privacy contact, Information Officer contact details, PAIA manual access route, and registered entity particulars on this website.
TrustSavi may update this notice when the website, account workflow, service providers, legal requirements, or valuation services change. Material changes should be dated and, where appropriate, notified to affected users or clients.