Effective date: 2026
Last updated: 11 May 2026

1. Introduction

This Privacy Policy explains how Jacana Rewards ("we", "us", "our") collects, uses, stores, and protects your personal information when you participate in the Jacana Rewards rewards programme ("Programme") and use our website ("Platform").

We are committed to protecting your privacy in accordance with the Protection of Personal Information Act, 2013 ("POPIA") and other applicable South African legislation.

2. Responsible Party

In terms of POPIA, the responsible party for the processing of your personal information is:

Jacana Rewards
Email: wordpress@fyre.co.za

3. Personal Information We Collect

We collect and process the following categories of personal information:

Identity information: First name, surname, South African ID number.

Contact information: Email address, mobile telephone number.

Employment information: Staff code (where provided), employing organisation or brokerage.

Account information: Login credentials (password stored in encrypted form), activation code status, account status.

Transaction information: Points balance, points transaction history, order history, payment records.

Technical information: IP address, browser type, pages visited, and timestamps (collected automatically for security and analytics purposes).

4. How We Collect Personal Information

From your employer or broker: Your name, contact details, ID number, and staff code are provided to us by your participating organisation or broker when you are enrolled in the Programme.

Directly from you: Your password is created by you during account activation. Any information you submit through the contact form or other communications is provided directly by you.

Automatically: Technical information such as IP address and browser data is collected automatically when you access the Platform.

5. Purpose of Processing

We process your personal information for the following specific purposes:

Programme operation: To create and manage your account, authenticate your identity, and provide access to the Platform.

Points management: To allocate, track, and manage reward points, including processing uploads, calculating balances, and managing expiry where applicable.

Order fulfilment: To process redemptions, fulfil merchandise and gift voucher orders, and manage payment transactions.

Communication: To send you Programme-related notifications including welcome emails, points allocation notices, redemption confirmations, and expiry warnings.

Reporting: To generate aggregated reports for programme administrators regarding points activity, redemption patterns, and Programme performance.

Security: To protect the Platform and your account from unauthorised access, fraud, and abuse, including rate-limiting login attempts and logging security events.

Legal compliance: To comply with applicable laws, regulations, and lawful requests from authorities.

6. Legal Basis for Processing

We process your personal information on the following legal grounds as provided for in POPIA:

Consent: By activating your account, you consent to the processing of your personal information as described in this policy.

Contractual necessity: Processing is necessary for the performance of the Programme in which you are a participant.

Legitimate interest: Processing for security, fraud prevention, and Programme improvement purposes is in our legitimate interest and does not unreasonably prejudice your interests.

7. Special Personal Information

Your South African ID number is classified as personal information under POPIA. We process this information solely for the purpose of unique identification within the Programme (particularly for CSV-based points allocation matching). Your ID number is encrypted using AES-256-CBC encryption at rest and is only decrypted when required for administrative matching purposes.

8. Sharing of Personal Information

We may share your personal information with the following parties:

Programme administrators: Authorised administrators of your participating organisation or brokerage may access your name, points balance, and transaction history for Programme management purposes.

Payment processors: Where cash payments are made, transaction data is shared with our PCI-DSS compliant payment gateway provider for the sole purpose of processing your payment.

Fulfilment partners: Order details (name, delivery information where applicable) may be shared with merchandise and gift voucher suppliers for the purpose of fulfilling your order.

Hosting and service providers: We use reputable hosting and infrastructure providers who may process your data as operators on our behalf, subject to appropriate data processing agreements.

We do not sell, rent, or trade your personal information to any third party for marketing or any other purpose.

9. Cross-Border Transfers

Your personal information is primarily stored and processed within the Republic of South Africa. Where any personal information is transferred to a jurisdiction outside South Africa (for example, through the use of international hosting or payment services), we ensure that adequate safeguards are in place as required by Section 72 of POPIA.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or damage, including:

Encryption of sensitive data (ID numbers) using AES-256-CBC encryption at rest.

HTTPS/TLS encryption for all data transmitted between your browser and the Platform.

Secure password hashing using industry-standard algorithms.

Rate-limiting and brute-force protection on authentication endpoints.

Access controls restricting data access to authorised personnel only.

Security monitoring and audit logging of all administrative actions.

11. Data Retention

We retain your personal information for the duration of your participation in the Programme and for a period of 5 years thereafter, or as required by applicable law (including the Companies Act, Tax Administration Act, and Financial Intelligence Centre Act), whichever is longer.

Transaction records may be retained for a longer period as required for financial record-keeping and audit purposes.

When personal information is no longer required, it will be securely deleted or anonymised.

12. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

Right of access: You may request confirmation of whether we hold personal information about you and request access to that information.

Right to correction: You may request the correction or updating of personal information that is inaccurate, incomplete, or misleading.

Right to deletion: You may request the deletion of your personal information where it is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations.

Right to object: You may object to the processing of your personal information on reasonable grounds.

Right to restriction: You may request that we restrict the processing of your personal information in certain circumstances.

Right to lodge a complaint: You have the right to lodge a complaint with the Information Regulator (South Africa) if you believe your personal information has been unlawfully processed.

To exercise any of these rights, please contact us at wordpress@fyre.co.za. We will respond to your request within a reasonable time and in any event within 30 days.

13. Information Regulator

If you are not satisfied with our response to your request or complaint, you may contact the Information Regulator:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: inforeg@justice.gov.za
Website: https://inforegulator.org.za

14. Cookies and Tracking

The Platform uses essential cookies required for its operation, including session cookies for authentication and security. We do not use third-party advertising or tracking cookies.

Where reCAPTCHA is used for bot protection on public forms, Google's reCAPTCHA service may set cookies and collect usage data in accordance with Google's Privacy Policy.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The updated policy will be posted on this page with a revised "Last updated" date. Continued use of the Platform after any changes constitutes acceptance of the revised policy.

16. Contact

For any questions, requests, or complaints regarding this Privacy Policy or our handling of your personal information, please contact:
Email: wordpress@fyre.co.za