Refraime (Pty) Ltd (“Refraime”, “we”, “us”, “our”) is committed to protecting the privacy and personal information of all individuals who interact with our platforms, products, and services. This Privacy Policy explains how we collect, use, store, share, and protect Personal Information in compliance with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Refraime is a South African company incorporated under registration number 2018/299759/07, with its principal place of business at 325 Main Avenue, Ferndale, Randburg, 2194.
By using our platforms and services, you acknowledge that you have read and understood this Privacy Policy.
Refraime provides an intelligent video analytics platform that enables security companies, residential estates, and homeowners to enhance their security operations through AI-powered alert detection, behavioural analysis, and community camera sharing. We process camera feeds to generate security alerts but we do not store raw video footage.
In most cases, Refraime acts as an Operator (under POPIA) or Processor (under GDPR) on behalf of our clients (security companies, estates, or homeowners), who are the Responsible Parties or Controllers. Our clients determine why and how camera data is collected; Refraime processes that data on their behalf to deliver analytics services.
In terms of POPIA, our designated Information Officer is:
Name: David Keating
Email: privacy@refraime.ai
Postal: P O Box 3912, Cramerview, 2060
Telephone: +27 68 646 0492
Our Information Officer is registered with the South African Information Regulator and is responsible for encouraging compliance with POPIA, dealing with requests from data subjects, and working with the Information Regulator in relation to investigations.
The categories of Personal Information we process depend on how you interact with our platform:
Our platform operates two distinct processing modes:
Intrusion Detection: captures and retains only 1 to 3 still images per alert event. These images may incidentally contain images of identifiable individuals.
Agentic AI (optional, Client-enabled): processes a rolling image buffer in real time for behavioural analysis. When an alert event is detected, the platform retains only the relevant frames at 1 to 2 frames per second for a maximum of 30 seconds, depending on where in the buffer the event is detected. These images may incidentally contain images of identifiable individuals. Where Agentic AI is enabled, alert imagery may be transmitted to hosted third-party AI models (currently Google) for inference, as described in Section 8 below.
Alert metadata: timestamps, camera identifiers, event classification, confidence scores, and GPS coordinates.
Account credentials: username and password (stored in hashed form).
Optional personal details: name and surname (where provided by the user or their organisation).
Contact information: email address (for account communications and alert notifications).
Contact details for security responders, managers, and key holders.
Site locations, maps, and standard operating procedures.
Camera configuration data including locations and zone definitions.
Records of user actions within the platform: who accessed what, when, and for how long.
Live view session logs including initiating user, camera viewed, and session duration.
We collect Personal Information in the following ways:
Directly from platform users when they register, configure sites, or update their account details.
Automatically from camera feeds connected to the platform by our clients, which generate alert events containing incidental imagery of individuals.
Automatically through platform usage, which generates audit logs and access records.
From our clients (security companies, estates), who provide site configuration data including responder contact details.
We do not collect Personal Information from publicly available sources or purchase data from third parties.
We process Personal Information on the following legal bases:
While our Agentic AI performs behavioural analysis to detect security events (e.g., unauthorised entry or suspicious movement), this processing is limited to event-classification and does not involve the extraction of unique physiological or behavioural templates for the purpose of identifying a specific individual. We do not process Special Personal Information as defined in POPIA Section 26. Specifically, we do not perform facial recognition or store biometric data.
We share Personal Information only with the following categories of recipients, and only to the extent necessary to provide our services:
Our clients (Responsible Parties): Security companies, estates, and homeowners who have contracted with us and whose cameras generate the alert data.
Authorised operators: Security personnel authorised by our clients to access alert data within the platform’s role-based access controls.
Sub-processors: Third-party service providers who assist us in delivering the platform. Our current Sub-processors are:
– Data Sciences Corporation (Pty) Ltd (cloud hosting, South Africa)
– Twilio Inc. / SendGrid (email notifications, text and reports only)
– Telegram FZ-LLC (push notifications, including alert imagery where enabled by the client)
– Google LLC / Vertex AI (AI model inference for Agentic AI analysis, alert imagery only, where enabled by the client)
We do not sell, rent, or trade Personal Information to any third party. We do not use Personal Information for marketing purposes. We may disclose Personal Information where required to do so by law, regulation, or court order.
All core platform data is stored in data centres located within the Republic of South Africa. We do not transfer alert imagery or platform data outside South Africa as a standard practice.
The following limited cross-border transfers may occur:
SendGrid (Twilio Inc.): Email addresses and alert summary text (no imagery) may be processed through Twilio’s infrastructure, which includes servers in the United States.
Telegram: Where a client has elected to enable Telegram image notifications, alert imagery containing incidental images of individuals is transmitted to Telegram’s servers (United Arab Emirates / global CDN). This is an optional feature that is not enabled by default and is activated only at the explicit request of the client.
Google (Vertex AI / Gemini API): Where a client has elected to enable Agentic AI features, alert imagery is transmitted to Google’s AI inference infrastructure for real-time analysis. Under Google’s API terms, inference data is not retained beyond the request and is not used for model training. This is an optional feature that is not enabled by default and is activated only at the explicit request of the client. Additional AI model providers may be introduced in the future, subject to appropriate data protection safeguards and disclosure. We may utilise other frontier model providers subject to the same strict non-retention policies.
These transfers are conducted in reliance on the Sub-processors’ own data protection commitments and, where applicable, Standard Contractual Clauses or equivalent safeguards as contemplated by POPIA Section 72 and GDPR Chapter V.
We implement appropriate technical and organisational measures to protect Personal Information, including:
Multi-tenanted architecture with strict role-based access control
Encryption of data in transit and at rest
Full audit trail logging of all platform actions
Time-limited live view sessions triggered only by alert events
Configurable privacy zone masking to exclude sensitive areas
Automated data retention enforcement with hard deletion on expiry
Hashed password storage
Regular security assessments and vulnerability management
Under POPIA and, where applicable, GDPR, you have the following rights in relation to your Personal Information:
Right of access: You may request confirmation of whether we hold Personal Information about you and request a copy of that information.
Right to correction: You may request that we correct or update inaccurate or incomplete Personal Information.
Right to deletion: You may request that we delete your Personal Information where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent.
Right to object: You may object to the processing of your Personal Information where we rely on legitimate interest as the legal basis. Where cameras are part of a community sharing arrangement, Refraime encourages the use of privacy masking. Neighbours who believe their private property is being captured may object to the Responsible Party (Homeowner/Estate/Security Company), and Refraime will facilitate the application of digital privacy zones upon instruction.
Right to data portability: You may request that we provide your data in a structured, commonly used, and machine-readable format.
Right to restriction: You may request that we restrict the processing of your Personal Information in certain circumstances.
To exercise any of these rights, please contact our Information Officer at privacy@refraime.ai. Identity verification will be required before processing a request and we will respond to your request within a reasonable period, not exceeding 30 days.
Important note for individuals captured in alert imagery: If you believe you have been captured in alert imagery processed by our platform, please contact the property owner or security company operating the cameras in the first instance, as they are the Responsible Party for that data. You may also contact us directly and we will redirect your request to the appropriate Responsible Party.
Our platform is not directed at children and we do not knowingly collect Personal Information from children. Where alert imagery incidentally captures images of children, such data is processed on the same legal basis as all alert data (legitimate interest for security purposes) and is subject to the same retention and deletion policies.
Our platform uses artificial intelligence and machine learning to analyse camera feeds and generate security alerts. Where a client has enabled Agentic AI features, alert imagery may be processed by hosted third-party AI models (currently Google’s Gemini models) for enhanced behavioural analysis. This constitutes automated processing but does not constitute automated decision-making that produces legal effects concerning individuals. All alerts generated by the platform are reviewed by human security operators before any action is taken.
Data Subjects have the right to request a human review of any automated alert classification that they believe has unfairly impacted them.
Our website (www.refraime.ai) may use cookies and similar technologies to improve your browsing experience. For details on which cookies we use and how to manage your preferences, please refer to our Cookie Notice on the website.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on our website with the revised “Last updated” date. Material changes will be communicated to our clients via email.
If you are not satisfied with our response to your request or believe we are processing your Personal Information in a manner that is not compliant with POPIA, you have the right to lodge a complaint with the Information Regulator:
The Information Regulator (South Africa)
Email: complaints.BI@inforegulator.org.za
Tel: +27 12 406 4818
Website: www.inforegulator.org.za
For complaints relating to GDPR, you may lodge a complaint with the relevant supervisory authority in your jurisdiction.
For any questions about this Privacy Policy or our data processing practices, please contact us:
Refraime (Pty) Ltd
325 Main Avenue, Ferndale, Randburg, 2194
P O Box 3912, Cramerview, 2060
Email: privacy@refraime.ai
Tel: +27 68 646 0492
Website: www.refraime.ai
Refraime Pty Ltd © 2026. All Rights Reserved.
