Privacy Notice
Estata is a service of Dinopath (Pty) Ltd ("Dinopath", "we", "us"). Last updated: 12 July 2026.
1. Who we are
Dinopath (Pty) Ltd is the data controller for personal information processed through the Estata platform. Contact us at accounts@dinopath.co.za.
2. Personal information we collect
- Account data — name, email, hashed password, role, phone number.
- Property & tenancy data — property details, unit and lease information, tenant / owner / contractor records you enter.
- Uploads — lease agreements, ID documents, inspection photos and other files you upload.
- Payment records — proof of EFT payment, invoice history. Card details are handled by Paddle, not by us.
- Usage data — pages viewed, actions taken, device and browser info, IP address.
- Support — messages you send us via email or in-app forms.
3. How we use it
- To provide the Estata service (contract performance).
- To secure the service and prevent fraud (legitimate interests).
- To send account and service notifications (contract performance).
- To improve the product and troubleshoot issues (legitimate interests).
- To comply with legal obligations, including tax and record-keeping.
- Marketing communications only where you have opted in (consent).
4. Who we share it with
- Paddle.com — our Merchant of Record for all subscription payments. Paddle processes your payment data, handles subscriptions, taxes and invoicing.
- Hosting & infrastructure providers — Supabase, Cloudflare and similar processors that host the application and data.
- Xero — only if you connect your Xero organisation to Estata for accounting sync.
- Professional advisers — our accountants and lawyers where required.
- Authorities — where required by law or court order.
5. International transfers
Some of our processors are located outside South Africa. Where personal information is transferred internationally, we rely on lawful transfer mechanisms and require appropriate contractual safeguards.
6. Retention
We keep personal information for as long as your account is active, and thereafter only as long as required to comply with legal obligations (typically 5 years for financial records) or resolve disputes. When no longer needed, data is deleted or anonymised.
7. Your rights
Under the Protection of Personal Information Act (POPIA), and where applicable the GDPR/UK GDPR, you have the right to access, correct, delete, or restrict processing of your personal information, object to processing, request portability, and withdraw consent. To exercise these rights, email accounts@dinopath.co.za. You may also lodge a complaint with the South African Information Regulator or your local supervisory authority.
8. Security
We apply appropriate technical and organisational measures including encryption in transit, encrypted storage, access controls and audit logging.
9. Cookies
We use strictly necessary cookies to keep you signed in and to remember your preferences. Analytics cookies are only set where allowed by applicable law.
10. Changes
We may update this notice from time to time. Material changes will be notified in-app or by email.
