1. Responsible Party
- Name: Starlight Group SA (Pty) Ltd, trading as Flarr.
- Registration number: 2024/181302/07.
- Information Officer: contactable at support@starlightgroupsa.co.za.
2. The information we collect
For the full list of data categories, and how they are collected, please see the Privacy Policy. In summary, we process:
- Account details (name, email, password hash, user type).
- Creator profile data (handles, follower data, rate cards).
- Business profile data (company name, industry).
- Verification submissions (analytics screenshots, OAuth-sourced metrics).
- Communications (messages, applications, brief content).
- Billing metadata (subscription IDs and status — never card data).
- Device and usage data (IP, browser, page views, analytics events).
3. Purpose of processing
We collect and use personal information to:
- Provide the Flarr platform and the features you sign up for.
- Verify Creators' analytics and prevent fraudulent metrics.
- Process subscriptions and credit balances via our payment processor.
- Send transactional communications (account, billing, security).
- Improve and secure the platform.
- Comply with South African legal obligations (tax records, lawful requests).
4. Lawful basis for processing
We rely on the following grounds in section 11 of POPIA:
- Consent — when you create an account, link a social platform, or opt in to marketing communications.
- Performance of a contract — to deliver the paid features in our subscription plans.
- Compliance with law — to keep invoices, respond to court orders, and meet tax obligations.
- Legitimate interests — to detect fraud, secure the platform, and improve the service, weighed against your rights and freedoms.
5. Recipients of personal information
Categories of recipients (full list in the Privacy Policy):
- Other registered users — limited to what is intentionally made public on your profile.
- Sub-processors — trusted third parties that handle hosting, database and authentication, automated verification analysis, payments, and transactional email on our behalf. Each is bound by a data-processing agreement.
- South African authorities — only when compelled by a valid lawful request.
6. Transborder flows
Some sub-processors host data in the European Union or the United States. Section 72 of POPIA permits cross-border transfers only where the receiving jurisdiction or the recipient itself provides protection that is substantively similar to POPIA. We rely on contractual safeguards (standard data-processing terms with each sub-processor) to ensure that level of protection.
7. Retention
We keep your personal information only as long as we need it for the purposes it was collected for, or as required by South African law (e.g. invoices kept for 5 years under tax legislation). When you close your account, most data is deleted within 90 days.
8. Voluntary vs. mandatory information
You don't have to give us any personal information — but if you don't provide what's marked as required on the sign-up or verification forms, we won't be able to open or verify your account.
9. Your rights as a data subject
Under sections 5, 23, 24 and 25 of POPIA, you have the right to:
- Be notified that your personal information is being collected.
- Access the personal information we hold about you.
- Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, or outdated.
- Object to processing — including for direct marketing — on reasonable grounds.
- Withdraw consent at any time (where consent is the lawful basis).
- Lodge a complaint with the Information Regulator (see below).
- Be free from automated decision-making that has legal or significant effects, except as permitted by law.
To exercise any of these rights, contact our Information Officer at support@starlightgroupsa.co.za. We respond within 30 days as required by POPIA.
10. Direct marketing
Section 69 of POPIA requires opt-in consent for unsolicited electronic direct marketing. We will only send marketing emails to you if you opt in, and every marketing email contains an unsubscribe link.
11. Security safeguards
Section 19 requires reasonable technical and organisational measures. Ours include TLS in transit, encryption at rest, row-level security on the database, AES-256-GCM encryption for stored OAuth tokens, strict role-based staff access, and routine security reviews. We will notify you and the Information Regulator without undue delay if a breach affects your data (section 22).
12. Information Regulator
You may complain to South Africa's Information Regulator if you believe we have not complied with POPIA:
- Website: inforegulator.org.za
- Email (complaints): POPIAComplaints@inforegulator.org.za
- Email (general): enquiries@inforegulator.org.za
- Postal: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
We'd appreciate the chance to address any concerns first — please contact support@starlightgroupsa.co.za.