Document 1 — Website Terms of Use
1. Scope and binding nature
1.1These Terms of Use govern only your browsing and use of the website. They are not a rental application, are not a lease, do not authorise the processing of personal information beyond cookies and analytics, and do not entitle you to be considered as a tenant.
1.2The Company does not negotiate the terms of website use. If any provision is unacceptable to you, your only remedy is to discontinue use of the website.
1.3Where any provision is found by a competent court or regulator to be invalid, unlawful or unenforceable, that provision shall be read down to the maximum extent permitted by law and, if it cannot be so read down, severed; the remainder shall continue in full force.
2. Governing law and statutory framework
These Terms of Use are governed by the laws of the Republic of South Africa, including (without limitation):
- the Constitution of the Republic of South Africa, 1996;
- the Electronic Communications and Transactions Act 25 of 2002 ("ECTA");
- the Protection of Personal Information Act 4 of 2013 ("POPIA");
- the Consumer Protection Act 68 of 2008 ("CPA");
- the Cybercrimes Act 19 of 2020;
- the Promotion of Access to Information Act 2 of 2000 ("PAIA");
- the Copyright Act 98 of 1978 and the Trade Marks Act 194 of 1993.
3. Acceptable use
3.1You may use the website only for lawful purposes connected with assessing properties, making enquiries, or submitting a rental application.
3.2You may not, and you may not permit any person or system acting on your behalf to:
- scrape, crawl, harvest or extract data from the website by automated means;
- reverse-engineer, decompile or attempt to derive the source code or architecture of the website;
- frame, mirror, cache or republish any portion of the website;
- introduce any virus, trojan, worm, ransomware, logic bomb or other malicious code;
- interfere with, disrupt or impair the operation of the website or any associated infrastructure; or
- gain unauthorised access to any account, data store or back-end system.
3.3Each of the acts in clause 3.2(d)–(f) constitutes an offence under sections 2 to 8 of the Cybercrimes Act 19 of 2020. The Company reserves the right, without further notice, to (i) lay criminal charges; (ii) apply for urgent interdictory relief and Anton Piller-type orders; and (iii) recover damages on the attorney-and-own-client scale.
3.4For breach of clause 3.2(a) (scraping), the Company shall be entitled to liquidated damages of R250 per record scraped, as a reasonable pre-estimate of loss.
4. Intellectual property
4.1All content on the website — including the design, layout, copy, photographs, renderings, plans, logos, trade marks and source code — is the exclusive property of the Company or its licensors and is protected by South African and international intellectual-property law.
4.2No licence is granted to you save for the limited right to view the website on a personal device, and to download or print a single copy of any page solely for the purpose of preparing a rental enquiry or application.
5. Cookies and analytics
The website uses cookies and similar technologies for functional, analytics and (where you opt in) marketing purposes. See Document 2 (Privacy Policy) for details. You may decline non-essential cookies through the consent banner.
6. Disclaimer of warranties
The website is provided on an "as is" and "as available" basis. Property listings are invitations to do business and are not offers. No contract of lease is concluded by your interaction with the website.
To the maximum extent permitted by section 49 of the CPA, the Company makes no warranty that any property listing is current, that rental prices or photographs reflect the current state of a property, that the website will be uninterrupted or error-free, or that third-party links are safe.
7. Limitation of liability
CPA Section 49 Notice — please read carefully. This clause limits the Company's liability for matters connected with your use of the website.
7.1To the maximum extent permitted by law, and excluding only loss caused by the Company's gross negligence, wilful misconduct, fraud, or by death or personal injury caused by the Company, the Company is not liable for any direct, indirect, consequential, special or punitive loss arising from your use of, or inability to use, the website.
7.2The Company's aggregate liability to you under or in connection with the website is capped at R5 000.00.
7.3Nothing in this clause limits any non-derogable right you have under POPIA, the CPA, the NCA or the Constitution.
8. Changes to these Terms
The Company may amend these Terms of Use by publishing an amended version on the website. Amendments take effect on publication. Continued use constitutes acceptance.
9. Governing law and jurisdiction
These Terms are governed by South African law. You consent to the non-exclusive jurisdiction of the High Court of South Africa, Western Cape Division, Cape Town. Nothing limits your right to refer a dispute to the Information Regulator, the National Consumer Commission, the National Consumer Tribunal, the Rental Housing Tribunal or the National Credit Regulator.
10. Contact
Information Officer: [to be inserted]
Email: info@napolifunds.co.za
Address: 1 Sceptre Crescent, Table View, 7441, Cape Town
Document 2 — Privacy Policy & POPIA Section 18 Notice
1. Identity of the Responsible Party
Napolitani Investments (Pty) Ltd, 2019/343067/07 [to be inserted], registered office 1 Sceptre Crescent, Table View, 7441, Cape Town, is the Responsible Party.
2. Information Officer (POPIA s55)
- Information Officer: [to be inserted]
- Deputy Information Officer: [to be inserted — recommended: Operational Manager]
- Information Regulator registration reference: [to be inserted]
- Email: info@napolifunds.co.za
- Postal address: 1 Sceptre Crescent, Table View, 7441, Cape Town
3. Categories of personal information we process
- Identity data: full names, identity number or passport and visa details, date of birth, marital status, dependants.
- Contact data: physical address, postal address, email, mobile and landline numbers, emergency contact details.
- Financial data: bank statements, credit profile and score, judgments, defaults, adverse listings, source of funds, salary and other income data, employer details, affordability metrics.
- Employment and rental history data: current and previous employers, current and previous landlords, references.
- FICA / KYC data: verified ID, verified proof of residence, verified source-of-funds documentation, biometric facial image where used for identity verification, sanctions / PEP screening results.
- Application data: the contents of any application form, supporting documents, and correspondence.
- Lease data: the lease and all amendments, inspection records, deposit ledger, account statements, arrears records, correspondence.
- Technical data: IP address, device and browser data, cookie identifiers, log data.
4. Sources of personal information
We collect personal information directly from you and, with your consent, from:
- registered credit bureaus (including TransUnion, Experian, XDS, TPN);
- TPN, the Southern African Fraud Prevention Service (SAFPS) and other industry registers;
- consented bank-statement aggregators (e.g. TruID, Stitch, or equivalent);
- your current and previous employers (income and employment-status verification only);
- your current and previous landlords (rental-conduct verification only);
- the South African Revenue Service (where you have submitted a tax compliance status PIN);
- the Companies and Intellectual Property Commission (CIPC) where you are an entity or director;
- sanctions, PEP and adverse-media screening providers; court rolls and judgment registries;
- publicly available information you have deliberately made public in a professional context (e.g. LinkedIn profile).
5. Purpose for processing
We process your personal information only to:
- assess your suitability as a tenant (credit-worthiness, rental conduct, affordability, identity, source of funds);
- comply with our statutory obligations under FICA, the NCA, the RHA, the Companies Act and the Tax Administration Act;
- manage any resulting lease, including invoicing, receipting, inspection, maintenance and enforcement;
- defend, prosecute or settle legal claims and disputes;
- where you have opted in, to send you direct marketing about properties; and
- operate, secure and improve the website.
6. Lawful justification (POPIA s11)
- Consent (s11(1)(a)) for direct marketing and further processing.
- Conclusion or performance of a contract (s11(1)(b)) for processing necessary to consider an application or perform a lease.
- Compliance with an obligation imposed by law (s11(1)(c)) for FICA, NCA, RHA and tax-related processing.
- Protection of a legitimate interest (s11(1)(f)) for fraud prevention, security and the defence of claims.
7. Recipients of personal information
We share personal information with: registered credit bureaus; TPN and SAFPS; consented bank-statement aggregators; our attorneys, auditors and tax advisers; our managing agent (if any); our IT and cloud-storage providers; the Financial Intelligence Centre, SARS, SAPS (where required by law); the Information Regulator, courts and tribunals (in response to lawful demand); and any successor in title to the Company's property holdings, subject to equivalent protection.
8. Cross-border transfer (POPIA s72)
We do not transfer personal information outside South Africa save where the recipient is subject to a law, binding corporate rules or binding agreement providing an adequate level of protection equivalent to POPIA, or where you have specifically consented.
9. Retention (POPIA s14)
| Category | Retention Period | Authority |
|---|---|---|
| FICA / KYC records | 5 years from end of business relationship | FICA s23 |
| NCA / credit records | 3 years | NCA Reg 55(2)(b) |
| Tax-related records | 5 years from submission | Tax Administration Act s29 |
| Successful applications (lease concluded) | 5 years from lease termination | FICA s23 + Tax Administration Act s29 |
| Rejected applications (no relationship) | 12 months from rejection | POPIA s14 |
| Fraud-register listings | 5 years | NCR Credit Bureau Conduct Rules |
| Web-server and cookie logs | 12 months | POPIA s14 |
10. Security (POPIA s19)
We maintain appropriate technical and organisational measures, including encryption at rest and in transit, role-based access controls, monitored audit logs, multi-factor authentication for privileged access, and back-to-back POPIA s21 contracts with all Operators.
11. Security compromise notification (POPIA s22)
If we have reasonable grounds to believe your personal information has been accessed by an unauthorised person, we will notify the Information Regulator and you as soon as reasonably possible after discovery of the compromise.
12. Your rights
- To be notified of the matters set out in this Policy (POPIA s18);
- To access the personal information we hold about you (POPIA s23; PAIA s50);
- To request correction or deletion (POPIA s24);
- To object to processing on reasonable grounds (POPIA s11(3));
- To withdraw consent at any time (POPIA s11(2)(b));
- To opt out of direct marketing at any time, without charge (POPIA s69);
- To lodge a complaint with the Information Regulator (POPIA s74); and
- To institute civil proceedings under POPIA s99.
Information Regulator: PO Box 31533, Braamfontein, 2017 · complaints.IR@justice.gov.za · inforeg@justice.gov.za · inforegulator.org.za
13. Direct marketing (POPIA s69; CPA s11)
We will send you direct marketing only if you have opted in. You may opt out at any time by clicking the unsubscribe link in any marketing message, or by emailing the Information Officer. You may also register on the National Opt-Out Register (CPA s11).
14. PAIA
The Company's PAIA Manual is available on request from the Information Officer at info@napolifunds.co.za. The Manual sets out the formal process for requesting access to records held by the Company.
15. Changes to this Policy
Material changes will be brought to your attention by a prominent notice on the website and, where we hold your contact details, by direct notification.
Document 3 — Rental Application Terms & Conditions
THIS IS A LEGALLY BINDING AGREEMENT. READ IT CAREFULLY BEFORE SIGNING.
Your attention is specifically drawn to Sections 4, 5, 6, 7 and 8 in accordance with section 49 of the Consumer Protection Act 68 of 2008, and to the separate authorisations at Schedule A (NCA Section 68 Authority), Schedule B (FICA Acknowledgement) and Schedule C (CPA Section 49 Acknowledgement). You will be asked to initial each Schedule separately. Without initialised Schedules A, B and C your application cannot be processed.
1. Nature and binding effect
1.1By submitting a rental application, the Applicant offers to be considered for tenancy on these Terms and Conditions. Submission does not, on its own, conclude any lease.
1.2These Terms and Conditions, the application form, Schedules A–C, and any data captured through the application process constitute the entire agreement governing the application process. No verbal or informal representation by any employee, agent or third party varies these Terms and Conditions.
1.3A binding lease is concluded only by a written lease agreement signed by both the Applicant and a duly authorised representative of the Company. An email indicating "successful application", an SMS, a WhatsApp message or any other informal communication does not conclude a lease.
2. Governing law
This Agreement is governed by South African law, including (without limitation): the Constitution; POPIA; CPA; RHA and the Rental Housing Amendment Act 35 of 2014; the Western Cape Unfair Practices Regulations; NCA; ECTA; FICA; PEPUDA; the Cybercrimes Act; the Companies Act; PAIA; the Tax Administration Act; and the Protection from Harassment Act.
3. Vetting process
3.1Submission of an application grants the Company the right to investigate the Applicant in accordance with this Agreement and Document 2.
3.2Truthfulness warranty. The Applicant warrants that every piece of information, document and statement provided is accurate, current and truthful. The Applicant accepts that:
- any forged, altered, manipulated or materially omitted information will result in immediate, final rejection of the application;
- the Company is entitled to refer any fraudulent document to the South African Police Service for criminal investigation;
- the Company is entitled to list the Applicant on credit-bureau and SAFPS fraud registers, strictly in accordance with section 72 of the NCA; and
- the Company is entitled to recover, on the attorney-and-own-client scale, all costs incurred in investigating and acting on any fraud.
3.3Right to decline. The Company reserves the right, at its sole discretion, to approve, decline, defer or withdraw any application. The Company will not decline an application on any ground prohibited by section 8 of PEPUDA or section 4(1) of the RHA.
3.4Application fee. Where the Company charges an application or vetting fee: (a) the amount will be disclosed to the Applicant before payment; (b) the fee is non-refundable to the extent of third-party costs actually incurred and the Company's reasonable administrative time; (c) any portion not so expended will be refunded on written request within 30 days of refusal or withdrawal.
4. POPIA consent, NCA authority and FICA acknowledgement
The Applicant gives the consents and authorities set out in Schedule A (NCA s68), Schedule B (FICA) and Schedule C (CPA s49). These Schedules are integral to the Agreement and must each be separately initialled.
The Applicant may withdraw consent at any time by written notice to the Information Officer, subject to the qualifications set out in clause 4.3 (withdrawal does not affect processing already completed, or processing required by law or necessary to perform any signed lease).
5. Anti-money laundering and FICA
5.1The Company is an Accountable Institution under Schedule 1 of FICA. The Applicant is required by law to produce certified copies of: (a) South African ID or valid passport with current visa; (b) verified proof of residence (not older than 3 months); (c) verified proof of income; and (d) verified proof of source of any deposit and prospective rental payments.
Important — tipping-off prohibition. The Company is prohibited by section 29(3)–(4) of FICA from disclosing to the Applicant that any suspicious-transaction report has been or will be made to the Financial Intelligence Centre. No claim may be made against the Company for compliance with this statutory obligation.
6. Electronic communications
6.1Authorised channels. The only communications binding on the Company are those sent or received via the Company's email domain (@napolifunds.co.za), WhatsApp Business number, website forms, or recorded telephone lines. Communications on any other channel do not bind the Company.
6.2–6.7All communications on authorised channels may be recorded, retained and used as evidence. Any data message sent from the Applicant's nominated address is presumed to have originated from the Applicant. No informal communication concludes a lease (see clause 1.3).
7. Limitation of liability, indemnity and allocation of risk
CPA Section 49 Notice. This Section 7 limits the Company's liability, requires the Applicant to assume risk, and requires the Applicant to indemnify the Company. The Applicant must initial Schedule C to confirm understanding and acceptance.
To the maximum extent permitted by law, and excluding only loss caused by the Company's Gross Negligence, Wilful Misconduct, fraud, or death or personal injury caused by the Company, the Indemnified Parties are not liable for any Loss arising out of the application process. The Company's aggregate liability is capped at the higher of (i) the application fee actually paid in the preceding 12 months, and (ii) R5 000.00.
The Applicant indemnifies and holds the Company harmless against any Loss arising directly from the Applicant's fraud, dishonesty, Wilful Misconduct or material breach of this Agreement, including recovery costs on the attorney-and-own-client scale.
8. Dispute resolution
Disputes shall be referred in the first instance to the competent statutory body (Rental Housing Tribunal; Information Regulator; National Consumer Tribunal; NCR; FIC). For all other disputes, the parties consent to the non-exclusive jurisdiction of the High Court of South Africa, Western Cape Division, Cape Town.
Schedule A — NCA Section 68 Authority
I, the Applicant, specifically authorise Napolitani Investments (Pty) Ltd, in terms of section 68 of the National Credit Act 34 of 2005, to request, receive and use information about me from any registered credit bureau and the National Credit Register for the purpose of: (a) credit scoring and affordability assessment; (b) verifying my financial standing in connection with my rental application; and (c) re-checking my credit profile periodically during any resulting tenancy for purposes of arrears and risk monitoring (subject to my right to withdraw this authority on 30 days' written notice).
I understand that this authority does not constitute a credit application but an authority to obtain a credit report.
Schedule B — FICA Acknowledgement
I, the Applicant, acknowledge that: (a) Napolitani Investments (Pty) Ltd is an Accountable Institution under Schedule 1 of FICA; (b) I am required by law to produce certified, original-equivalent KYC documentation; (c) the Company is statutorily obliged to report suspicious or unusual transactions to the Financial Intelligence Centre under sections 28, 28A and 29 of FICA; (d) the Company is prohibited by section 29(3)–(4) of FICA from notifying me of any such report; and (e) I will not bring any claim against the Company in respect of its compliance with these statutory obligations.
Schedule C — CPA Section 49 Acknowledgement
I, the Applicant, acknowledge that: (a) my attention has been specifically drawn to the limiting, indemnifying and risk-allocating clauses of this Agreement (Sections 4, 5, 6 and 7); (b) I have been given adequate opportunity to read and consider those clauses; (c) those clauses are drafted in plain and understandable language; (d) I understand that those clauses limit the Company's liability, require me to assume risk, require me to indemnify the Company, and provide a tiered dispute-resolution and jurisdiction regime; (e) I have not been compelled to accept them and I do so freely and voluntarily; and (f) I have been advised of my right to seek independent legal advice before signing and have either obtained such advice or elected not to do so.
Applicant
Full names:
ID / Passport:
Signature:
Date / Place:
Document 4 — Data Processing Agreement (POPIA Section 21 Operator Template)
Parties:
(1) Napolitani Investments (Pty) Ltd, 2019/343067/07 [●] ("the Responsible Party"); and
(2) M.A. Amouhadi, registration number [●] ("the Operator").
1. Definitions
Terms used bear the meanings given in POPIA. "Personal Information" means personal information processed by the Operator on behalf of the Responsible Party under any underlying agreement between the parties ("the Principal Agreement").
2. Status and scope
In processing Personal Information under the Principal Agreement, the Operator is an Operator within the meaning of POPIA. This DPA forms part of the Principal Agreement and prevails over any conflicting term.
3. Operator obligations (POPIA s20 and s21)
The Operator shall:
- process Personal Information only on the documented instructions of the Responsible Party, and for no other purpose;
- treat all Personal Information as confidential;
- implement appropriate technical and organisational measures (at minimum: encryption in transit and at rest; role-based access control; multi-factor authentication; vulnerability management; backup and restore testing; documented incident-response procedures);
- ensure every employee or sub-Operator with access to Personal Information is subject to a written confidentiality obligation;
- not engage any sub-Operator without prior written consent, remaining fully liable for sub-Operator acts and omissions;
- provide reasonable assistance to the Responsible Party in responding to data-subject requests and Information Regulator enquiries;
- not transfer Personal Information outside South Africa except in compliance with POPIA s72; and
- on termination or on written request, securely destroy or return all Personal Information and certify destruction in writing.
4. Security compromise (POPIA s22)
The Operator shall notify the Responsible Party in writing, without undue delay and in any event within 24 hours, of any actual or reasonably suspected security compromise affecting Personal Information, including: the nature of the compromise; categories and approximate volume of records affected; likely consequences; and measures taken or proposed.
5. Audit
The Operator shall make available all information reasonably necessary to demonstrate compliance with POPIA and this DPA, and shall allow for audits (including on-premises inspections) by the Responsible Party or a third-party auditor on reasonable prior notice.
6. Liability and indemnity
Each party is liable for its own breach of POPIA and of this DPA. The Operator indemnifies the Responsible Party against any administrative fine, civil damages, legal costs (attorney-and-own-client scale) and other Loss arising directly from the Operator's breach. Any liability cap in the Principal Agreement does not apply to liability arising from a Security Compromise caused by the Operator's gross negligence or wilful misconduct.
7. Governing law
South African law governs this DPA. The parties consent to the non-exclusive jurisdiction of the High Court of South Africa, Western Cape Division, Cape Town.
Appendices
Appendix A — Fields to Complete
The following placeholders must be completed before deployment. Each is marked [●] in the relevant document.
| # | Field | Where |
|---|---|---|
| 1 | Company registration number | All four documents |
| 2 | Registered office address | Documents 2, 3 |
| 3 | Information Officer full name | Documents 1, 2, 3 |
| 4 | Information Officer email | Documents 1, 2 |
| 5 | Information Officer postal address | Documents 1, 2 |
| 6 | Deputy Information Officer name | Document 2 |
| 7 | Information Regulator registration reference | Document 2 |
| 8 | PAIA Manual URL | Document 2 |
| 9 | FICA Schedule 1 item number | Document 3, s5.1 |
| 10 | FIC registration reference | Document 3, s5.1 |
| 11 | Company WhatsApp Business number | Document 3, s6.1 |
| 12 | Company recorded landline | Document 3, s6.1 |
| 13 | Company physical address for service | Document 3, s12.2 |
| 14 | Effective date of Terms of Use | Document 1, header |
| 15 | Operator details (per DPA) | Document 4 |
Appendix B — Deployment Checklist
- PAIA Manual drafted and lodged with the Information Regulator; URL inserted at Document 2 §15.
- Information Officer registered with the Information Regulator (online portal).
- Deputy Information Officer appointed in writing.
- POPIA s21 Operator Agreements signed with every third-party processor using Document 4 as the template.
- FICA Risk Management and Compliance Programme (s42) adopted and filed.
- PEPUDA-compliant tenant-selection scoring matrix adopted, documented, version-controlled.
- Cookie consent banner installed on the website (POPIA s11 + s69; ECTA).
- Plain-language audit (CPA s22) completed on Document 3; revisions retained on file.
- Clickwrap acceptance implemented on the rental application form (tick-box + typed-name signature + initialling of Schedules A, B, C). ✓ Implemented on pre-apply.html
- Email retention configured in line with Document 2 §9.
- Cyber-incident response plan adopted.
- Directors' resolution approving adoption of this document set, recorded in the minute book.
Appendix C — Cross-Reference
This document set is the counterpart to the standalone legal review at napolitani_legal_review.md. The review explains the legal reasoning for each clause. The two files are intended to be read together.