Privacy Policy

1. Introduction

Novasys IT (Pty) Ltd (Registration No. 2018/058452/07), operating under the trading name "Novaway", is committed to safeguarding the privacy and personal information of all individuals who interact with our platform. We take our obligations under the Protection of Personal Information Act, 2013 ("POPIA") seriously and are dedicated to responsible data handling practices.

This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect your Personal Information when you use the Novaway platform, including all websites, captive portal interfaces, applications, and services accessible at or through novaway.novasys.co.za (collectively, the "Platform").

By accessing or using the Platform, whether as a Guest WiFi User, Venue Operator (Tenant), administrator, or in any other capacity, you acknowledge that you have read and understood this Policy and consent to the collection and processing of your Personal Information as described herein.

2. Definitions

For the purposes of this Policy, the following terms shall have the meanings set out below:

• "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, as defined in Section 1 of POPIA. This includes but is not limited to names, email addresses, phone numbers, device identifiers, IP addresses, and browsing behaviour.
• "Processing" means any operation or activity, whether automated or not, concerning Personal Information, including collection, receipt, recording, organisation, storage, updating, retrieval, use, distribution, merging, restriction, degradation, erasure, or destruction.
• "Responsible Party" means the person or entity that determines the purpose of and means for processing Personal Information. Depending on the context, this may be Novasys IT or a Tenant.
• "Operator" means a person or entity that processes Personal Information on behalf of the Responsible Party in terms of a contract or mandate. In most cases, Novasys IT acts as an Operator on behalf of Tenants.
• "Data Subject" means the person to whom Personal Information relates, including Guest Users, Tenant administrators, and any other individuals whose data is processed through the Platform.
• "Guest User" or "End User" means any individual who connects to WiFi through a Novaway-powered captive portal at a participating venue.
• "Tenant" or "Venue Operator" means any business, organisation, or individual that subscribes to the Novaway platform to manage guest WiFi services.
• "Consent" means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of Personal Information, in accordance with POPIA.
• "Special Personal Information" means Personal Information concerning a Data Subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, or criminal behaviour, as defined in Section 26 of POPIA.

3. Roles and Responsibilities

The Novaway platform operates within a multi-party data processing framework. Understanding the roles of each party is important for transparency:

• Novasys IT as Operator: When processing Guest User data on behalf of a Tenant (e.g., capturing authentication details, generating analytics reports, facilitating marketing communications), Novasys IT acts as an Operator under POPIA. In this capacity, we process data strictly in accordance with the Tenant's instructions and applicable law.
• Novasys IT as Responsible Party: When collecting and processing data for our own legitimate business purposes, such as platform analytics, service improvement, security monitoring, and billing, Novasys IT acts as the Responsible Party.
• Tenants as Responsible Parties: Each Tenant is a Responsible Party for the Personal Information collected from Guest Users at their venues through the Novaway captive portal. Tenants are responsible for ensuring that appropriate consent is obtained and that their data processing activities comply with POPIA.

A data processing agreement governs the relationship between Novasys IT and each Tenant, specifying the scope, nature, and purpose of data processing activities.

4. Information We Collect

We collect different categories of information depending on how you interact with the Platform. The categories and specific data points are set out below:

4.1 Information from Guest WiFi Users

When you connect to WiFi through a Novaway captive portal, we may collect:

• Identity Information: Full name, email address, mobile phone number (collected via authentication forms, social login, or voucher redemption).
• Social Media Profile Data: Where you authenticate using social login (e.g., Facebook, Google, Apple), we may receive your public profile information, including your name, email address, profile photograph, and social media identifier, as permitted by the relevant social platform's privacy settings and your consent.
• Device Information: MAC address, device type, operating system, browser type and version, screen resolution, and device manufacturer.
• Network and Session Data: IP address assigned during the session, session start and end times, session duration, data uploaded and downloaded, bandwidth utilisation, and connection quality metrics.
• Location Context: The name and identifier of the venue (Location) where you connected. We do not collect GPS coordinates from your device.
• Voucher or PIN Data: The voucher code or PIN used to authenticate, along with associated usage parameters (data limits, time limits, expiry).

4.2 Information from Tenants and Administrators

When you register for a Tenant account or are added as an administrator, we collect:

• Account Information: Full name, email address, phone number, business name, and role within the organisation.
• Billing Information: Payment details necessary for processing subscription fees, which may be handled by third-party payment processors.
• Configuration Data: Location details, network settings, captive portal customisation preferences, branding assets (logos, colours), and authentication method configurations.

4.3 Automatically Collected Information

When you access the Platform, we automatically collect certain technical information:

• Log Data: Server logs recording your IP address, browser type, referring/exit pages, date and time stamps, and clickstream data.
• Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain session state, remember preferences, and analyse Platform usage. See Section 10 for more details.
• Analytics Data: Aggregated and anonymised data regarding Platform usage patterns, feature adoption, and performance metrics.

5. How We Use Your Information

We process your Personal Information for the following purposes, each supported by a lawful basis under POPIA:

5.1 Service Delivery and WiFi Authentication

• To authenticate your identity and grant you access to WiFi at participating venues.
• To manage your WiFi session, enforce data and time limits, and apply bandwidth policies.
• To process voucher redemptions and manage PIN-based access.
• Legal basis: Performance of a contract; legitimate interest.

5.2 Analytics and Insights

• To generate visitor analytics reports for Tenants, including foot traffic patterns, session metrics, device demographics, and return visitor identification.
• To provide AI-powered insights regarding visitor behaviour and network utilisation.
• To produce aggregated, anonymised analytics for benchmarking and platform improvement.
• Legal basis: Legitimate interest; consent (where applicable).

5.3 Marketing and Communications

• To enable Tenants to send marketing communications to Guest Users who have opted in, via email or SMS.
• To send you service-related notifications, such as session expiry warnings or account updates.
• To inform you of changes to our Terms of Use or this Privacy Policy.
• Legal basis: Consent (for marketing); legitimate interest (for service notifications).

5.4 Platform Operation and Security

• To maintain, improve, and optimise the Platform's performance, reliability, and security.
• To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
• To manage RADIUS authentication and MikroTik integration for network access control.
• Legal basis: Legitimate interest; compliance with legal obligations.

5.5 Compliance and Legal Obligations

• To comply with applicable laws, regulations, and lawful requests from government authorities.
• To enforce our Terms of Use and protect our legal rights and interests.
• To respond to legal proceedings, court orders, or regulatory investigations.
• Legal basis: Compliance with a legal obligation; legitimate interest.

6. Sharing and Disclosure of Information

We do not sell your Personal Information. We may share your information with the following categories of recipients, strictly on a need-to-know basis:

6.1 With Tenants (Venue Operators)

When you connect to WiFi at a venue, the Tenant operating that venue may access the information collected during your authentication, including your name, email, phone number, device details, and session data. The Tenant is the Responsible Party for this data and uses it in accordance with their own privacy practices.

6.2 With Service Providers

We engage trusted third-party service providers to assist with our operations. These providers process data on our behalf and are contractually obligated to maintain confidentiality and implement appropriate security measures. Categories of service providers include:

• Cloud infrastructure and hosting providers.
• Email and SMS delivery services.
• Payment processing providers.
• Analytics and monitoring tools.
• Social login authentication providers (Facebook, Google, Apple, etc.).

6.3 For Legal and Safety Reasons

We may disclose your information if we believe, in good faith, that such disclosure is necessary to:

• Comply with applicable South African law, regulation, legal process, or governmental request.
• Enforce our Terms of Use or investigate potential violations.
• Detect, prevent, or address fraud, security breaches, or technical issues.
• Protect the rights, property, or safety of Novasys IT, our users, or the public.

6.4 In Connection with Business Transfers

In the event of a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your Personal Information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy that result from it.

7. Data Retention

We retain your Personal Information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

• Guest User Authentication Data: Retained for up to 24 months from the date of last connection, unless a shorter period is specified by the Tenant or required by law.
• WiFi Session and Network Data: Retained for up to 12 months for operational and analytical purposes. Aggregated, anonymised data may be retained indefinitely.
• Tenant Account Data: Retained for the duration of the subscription and for a period of up to 36 months following account termination, for billing, audit, and legal compliance purposes.
• Marketing Consent Records: Retained for as long as the consent remains valid, plus an additional 12 months for compliance and audit purposes.
• Log and Security Data: Retained for up to 12 months for security monitoring, incident investigation, and forensic purposes.

When Personal Information is no longer required, it will be securely deleted or irreversibly anonymised. We apply appropriate technical measures, including secure deletion protocols and encryption key destruction, to ensure data cannot be recovered.

8. Data Security

Novasys IT implements robust technical and organisational security measures to protect your Personal Information against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption: Data is encrypted in transit using TLS/SSL protocols and at rest using industry-standard encryption algorithms.
• Access Controls: Role-based access controls ensure that only authorised personnel can access Personal Information, and only to the extent necessary for their duties.
• Infrastructure Security: The Platform is hosted on secure, professionally managed infrastructure with firewalls, intrusion detection systems, and regular security patching.
• Authentication Security: RADIUS authentication protocols provide secure network access control, with shared secrets and encryption protecting authentication exchanges.
• Monitoring and Auditing: Continuous monitoring of access logs and system events to detect and respond to suspicious activity.
• Employee Training: Staff members who handle Personal Information receive training on data protection responsibilities and security best practices.
• Incident Response: A documented incident response plan is in place to address data breaches promptly and effectively, including notification to affected parties and the Information Regulator where required by POPIA.

While we take all reasonable steps to protect your information, no system of electronic storage or data transmission is entirely secure. We cannot guarantee absolute security, and you acknowledge that you provide your information at your own risk.

9. Your Rights Under POPIA

As a Data Subject under POPIA, you have the following rights regarding your Personal Information. You may exercise these rights by contacting us at support@novasys.co.za:

• Right of Access (Section 23): You have the right to request confirmation of whether we hold Personal Information about you and to request access to that information, including details about the categories of data, the purpose of processing, and any third parties to whom the data has been disclosed.
• Right to Correction (Section 24): You have the right to request that we correct or update any inaccurate, incomplete, misleading, or outdated Personal Information we hold about you.
• Right to Deletion (Section 24): You have the right to request the deletion or destruction of your Personal Information where it is no longer necessary for the purpose for which it was collected, where you withdraw your consent, or where the processing is otherwise unlawful.
• Right to Object (Section 11(3)): You have the right to object to the processing of your Personal Information on reasonable grounds relating to your particular situation, unless the processing is required by law or is necessary for the performance of a contract to which you are a party.
• Right to Restrict Processing: In certain circumstances, you may request that we restrict the processing of your Personal Information while we verify its accuracy or assess the validity of your objection.
• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe that your Personal Information has been processed in violation of POPIA.

We will respond to valid requests within a reasonable time, and in any event within the timeframes prescribed by POPIA. We may request verification of your identity before processing your request to prevent unauthorised access to your information.

10. Cookies and Tracking Technologies

The Platform uses cookies and similar tracking technologies to enhance your experience and collect usage data. The types of cookies we use include:

• Essential Cookies: Required for the Platform to function correctly. These include session cookies for maintaining your authentication state on the captive portal, CSRF protection tokens, and load-balancing cookies. These cannot be disabled.
• Functional Cookies: Used to remember your preferences and settings, such as language selection, portal customisation choices, and previously used authentication methods.
• Analytics Cookies: Used to understand how visitors interact with the Platform, including page views, navigation paths, and feature usage. This data is aggregated and used to improve the Platform.
• Marketing Cookies: Used by Tenants (where configured and consented to) to track visitor engagement with marketing content and measure campaign effectiveness.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling essential cookies may prevent the captive portal from functioning correctly.

We do not use cookies to collect Special Personal Information, and we do not engage in cross-site tracking for advertising purposes.

11. Children's Privacy

The Novaway platform is not directed at children under the age of 18. We do not knowingly collect Personal Information from children without the consent of a parent or legal guardian.

If a child under 18 accesses WiFi at a venue using the captive portal, we rely on the Tenant (venue operator) to ensure appropriate parental consent has been obtained where required. The Tenant is responsible for implementing age verification or parental consent mechanisms at their venues as appropriate.

If you are a parent or guardian and believe that your child has provided Personal Information through the Platform without your consent, please contact us at support@novasys.co.za. We will promptly investigate and, if confirmed, delete the information.

12. Cross-Border Data Transfers

The Platform is primarily hosted and operated within the Republic of South Africa. However, certain third-party service providers that we engage may process data in jurisdictions outside of South Africa.

Where Personal Information is transferred to a country outside of South Africa, we ensure that such transfers comply with Section 72 of POPIA. Specifically, we take the following precautions:

• The recipient country has adequate data protection legislation in place.
• The recipient is bound by a binding agreement that provides an adequate level of protection for the Personal Information.
• The Data Subject has consented to the transfer.
• The transfer is necessary for the performance of a contract between the Data Subject and the Responsible Party.

Third-party services that may involve cross-border data transfers include cloud hosting providers, email delivery services, and social login providers (Facebook/Meta, Google, Apple). These providers maintain their own privacy policies and data protection commitments.

13. Social Login and Third-Party Authentication

The Platform supports authentication via third-party social login providers, including Facebook, Google, and Apple. When you choose to authenticate using a social login provider, you are subject to that provider's terms of service and privacy policy in addition to this Policy.

The information we receive from social login providers is limited to the data you authorise during the authentication process, typically including:

• Your name and email address.
• Your profile photograph (if publicly available).
• A unique identifier assigned by the social platform.

We do not access your social media posts, friend lists, or other private content unless you explicitly authorise such access. You can manage the permissions granted to Novaway through your social media account settings at any time.

14. Marketing Communications

Where you have provided explicit consent, Tenants may send you marketing communications via email or SMS using the Platform's built-in campaign tools. These communications may include promotional offers, event notifications, loyalty rewards, and venue updates.

You have the right to:

• Opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by replying "STOP" to any SMS.
• Request that a specific Tenant cease all marketing communications to you.
• Contact us at support@novasys.co.za to have your contact details removed from all marketing lists across the Platform.

We honour all opt-out requests promptly. Please note that opting out of marketing communications does not affect service-related notifications (such as session expiry alerts or account security notices), which are sent on the basis of legitimate interest or contractual necessity.

15. Student Residence WiFi

Where the Platform is deployed in student accommodation or educational environments, additional considerations apply:

• Student Personal Information is processed in accordance with POPIA and any applicable institutional data protection policies.
• The educational institution or residence management company acts as the Responsible Party for student data collected through the captive portal.
• Device registration data (MAC addresses) may be collected for network management purposes, including restricting the number of devices per student and ensuring fair bandwidth distribution.
• Session data may be retained for longer periods to support network troubleshooting and compliance with institutional policies.
• We do not monitor the content accessed by students over the WiFi network, except where content filtering has been configured by the institution.

16. AI-Powered Features

The Platform incorporates artificial intelligence and machine learning capabilities to provide Tenants with actionable insights. In relation to AI-powered features:

• AI models process aggregated and anonymised data to identify patterns, trends, and anomalies in visitor behaviour and network usage.
• No automated decisions with legal or similarly significant effects are made about individual Data Subjects based solely on AI processing.
• AI-generated insights are intended as decision-support tools for Tenants and do not constitute personal profiling as defined under POPIA.
• We do not use Personal Information to train AI models for purposes unrelated to the Platform's core functionality.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

• Post the updated Policy on the Platform with a revised effective date.
• Notify registered Tenants via email at least thirty (30) days before the changes take effect.
• Where required by law, seek your renewed consent for any changes that materially affect how we process your Personal Information.

We encourage you to review this Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the updated Policy.

18. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of South Africa, including the Protection of Personal Information Act, 2013 (POPIA), the Electronic Communications and Transactions Act, 2002 (ECTA), and the Consumer Protection Act, 2008 (CPA). Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of the Republic of South Africa, specifically the Gauteng Division of the High Court, Pretoria.

19. Information Officer

In accordance with POPIA, Novasys IT has designated an Information Officer who is responsible for ensuring compliance with data protection legislation and for handling all requests and enquiries related to Personal Information.

All requests to exercise your rights under POPIA, complaints regarding data processing, and general privacy enquiries should be directed to the Information Officer:

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your Personal Information, please do not hesitate to contact us: