Privacy Policy
Last updated: 7 May 2026
ScamStop ("we", "us") operates a community-driven scam-warning platform. This policy explains what personal information we collect, why, and the rights you have under South Africa's Protection of Personal Information Act, 2013 (POPIA) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Responsible party
The responsible party (data controller) is ScamStop. You can reach our Information Officer at privacy@scamstop.co.za.
2. Information we collect
- Account data - email address, display name, and authentication identifiers when you sign up or log in.
- User-generated content - reports, comments, validations, disputes, deal-checks, photos and any other text or media you submit.
- Reported third-party identifiers - names, phone numbers, bank account numbers, social-media URLs and similar identifiers submitted by other users in scam reports. This is processed under the public-interest and legitimate-interest grounds in section 11 of POPIA.
- Technical data - IP address, device fingerprint, browser type, and approximate location, used for fraud prevention, rate-limiting and security.
- Payment data - handled by our payment processor (PayFast). We never store card numbers.
3. Why we process it (lawful basis)
- To provide the service you signed up for (contract).
- To prevent fraud and protect the public from scams (legitimate interest / public interest).
- To comply with legal obligations.
- With your consent, where required (e.g. marketing emails).
4. Sharing
Reports and validations are public by design - that is the point of the warning system. We share data with:
- Hosting, database and edge-network providers (located in the EU and US).
- Payment processor (PayFast).
- Law-enforcement or regulators when legally compelled, or where we believe in good faith it is necessary to prevent harm.
5. Cross-border transfers
Some processors may store data outside South Africa. Where they do, we rely on adequacy decisions or standard contractual clauses, as permitted by section 72 of POPIA.
6. Retention
Account data is kept while your account is active. Public reports may be kept indefinitely as part of the historical scam record, subject to the dispute / removal process described below. Audit logs of moderator actions are kept for at least 24 months for accountability.
7. Your rights
Under POPIA (and GDPR where it applies) you have the right to:
- Access the personal information we hold about you.
- Request correction or deletion of inaccurate information.
- Object to processing, including being listed in a public scam report, via our data-subject request form.
- Withdraw consent at any time (where consent is the basis).
- Lodge a complaint with the Information Regulator of South Africa.
8. Security
We use row-level security, encrypted transport (HTTPS), audited moderator actions and least-privilege service roles. No system is perfect - please report any vulnerability to security@scamstop.co.za.
9. Children
ScamStop is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we will delete the account.
10. Changes
We will post material changes on this page and update the "last updated" date.
See also: Terms of Service · Data subject requests
