Beta - testing in progress
Skip to main content
AssetCoreAssetCore

AssetCore Legal

Privacy Policy

Effective date: 1 May 2026

This Privacy Policy explains what personal information we collect when you use AssetCore, why we collect it, how we use and protect it, and the choices you have. We are committed to compliance with the Protection of Personal Information Act (POPIA) of South Africa and, where applicable, the EU General Data Protection Regulation (GDPR).

1.Who we are

The data controller for personal information processed by AssetCore is Pro-IT (Pty) Ltd (“Pro-IT”, “we”, “us”).

You can reach our Information Officer at privacy@pro-it.biz.

2.Information we collect

Account information. Name, work email address, encrypted password, role within your organisation, profile image (optional), and multi-factor authentication settings.

Organisation information. Organisation name, slug, logo, currency, subscription tier, and payment metadata.

Customer Data. Asset records, vendor records, departments, locations, handover signatures, maintenance records, and audit logs that you and your team add to AssetCore.

Usage and technical data. Server logs, IP address, browser type, pages accessed, and timestamps. We use this for security, debugging, and abuse prevention.

Billing data. Last four digits of payment cards, card brand, billing history, and invoice records. Full card numbers are processed by PayFast and never stored on our servers.

3.How we use your information

We use personal information to:

  • provide, maintain, and improve the Service;
  • authenticate you, enforce role-based permissions, and operate multi-factor authentication;
  • send transactional emails such as verification, password reset, asset handover, and billing notifications;
  • detect, investigate, and prevent fraud, abuse, and security incidents;
  • comply with legal obligations, including tax and audit requirements;
  • communicate with you about service changes when necessary.

4.Lawful basis for processing

We process personal information on the following bases under POPIA and GDPR:

  • Contract. Processing necessary to deliver the Service you have signed up for.
  • Legitimate interest. Securing the Service, preventing abuse, and improving the product.
  • Legal obligation. Retaining tax and accounting records.
  • Consent. Optional product updates and marketing communications, where you have opted in.

5.Sub-processors

We use a limited set of trusted sub-processors to deliver the Service. As of the effective date these include:

  • PayFast (DPO Capital (Pty) Ltd): payment processing for ZAR transactions.
  • Microsoft (Azure / Microsoft 365): transactional email delivery via the Graph API.
  • Cloud hosting provider: infrastructure for the production environment.

We will keep an up-to-date sub-processor list available on request and notify you of material changes in line with the Data Processing Agreement.

6.Data retention

We retain personal information for as long as your account is active. When you delete your account, your data enters a 30-day grace period during which it can be restored. After 30 days the data is permanently deleted, except for records we are required to keep by law (such as tax invoices, retained for at least 5 years).

Backups are retained on a rolling 35-day cycle and will overwrite themselves through normal operation.

7.Your rights

POPIA and GDPR give you specific rights over your personal information:

  • access your personal information held by us;
  • request correction of inaccurate information;
  • request deletion of your account and personal information;
  • export your personal information in a machine-readable format;
  • object to or restrict certain processing, where the law allows;
  • withdraw consent at any time where processing is based on consent.

You can exercise most of these rights directly from your settings page. To make a formal request, email privacy@pro-it.biz. We will respond within 30 days.

8.Security

We protect personal information using industry-standard technical and organisational measures, including encryption in transit (TLS), encrypted password hashing, optional multi-factor authentication, access logging, role-based access control, and tenant data isolation.

No system is perfectly secure. If we become aware of a personal information breach affecting you, we will notify you and the South African Information Regulator as required by POPIA.

9.Cross-border transfer

Some of our sub-processors may store or process personal information outside South Africa. Where this happens we ensure that the destination provides an adequate level of protection, or we enter into Standard Contractual Clauses or equivalent safeguards.

10.Children

AssetCore is a business product and is not intended for use by children under 18. We do not knowingly collect personal information from children.

11.Complaints

If you believe we have not handled your personal information in accordance with POPIA or GDPR, please contact us first at privacy@pro-it.biz. You also have the right to lodge a complaint with:

  • the South African Information Regulator (inforegulator.org.za);
  • your local supervisory authority in the EU.

12.Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. The latest version is always available at /legal/privacy.