FAIS Labs Privacy Policy

Last updated: June 2026 · Compliant with the Protection of Personal Information Act, 4 of 2013 (POPIA).

Welcome to FAIS Labs (faislabs.co.za). We are committed to protecting your privacy and ensuring that your personal information is processed securely, transparently, and in strict compliance with POPIA and other applicable data-protection legislation. This policy explains how we collect, use, disclose, and safeguard your data when you use our educational training platform, interactive mock examination engine, and related financial regulatory exam preparation services.

1. Information We Collect

To provide a highly personalised and functionally robust learning workspace, we collect several categories of information directly from you and automatically via your interactions with the platform.

A · Personal information you provide directly

  • Account credentials: Your name, email address, and a cryptographically scrambled (hashed) representation of your chosen password. We do not store passwords in plaintext format.
  • Communications data: Any queries, feedback, or support tickets submitted directly to support@faislabs.co.za.

B · Educational and performance data

  • Examination responses: Individual answers selected, hesitation metrics, and completion times across our standardised question dataset.
  • Performance metrics: Cumulative scores, passing / failing status relative to the official regulatory threshold, and sub-task diagnostics structured against the FSCA 8-task regulatory framework.
  • Usage progress: Mock paper progression history (Papers 1 through 10) and Topic Focus Sprint activities used to gauge exam preparedness.

C · Technical, security, and transactional log data

To monitor system health and protect our architecture, our system records data to a permanent, immutable security_audit_ledger table:

  • Network identifiers: Internet Protocol (IP) addresses, browser type, and device characteristics.
  • Timestamped security events: Logs of user authentication instances, system sign-ups, password reset requests, payment lifecycle hooks, and mock examination submissions.
  • Transaction identifiers: Payment status codes, unique PayFast transaction references (pf_payment_id), and payment amounts.

2. How We Use Your Information

We process your personal data strictly for lawful purposes tied directly to the core functionality of the FAIS Labs application:

  • Account verification and security management: Using your identifiers to issue secure account registration links, manage single-use password recovery cycles, and protect accounts from brute-force access attempts.
  • Entitlement provisioning: Utilising automated backend API webhooks to unlock premium workspace features upon receipt of a verified payment signature.
  • System hardening and operational auditing: Monitoring security logs to verify incoming integration payloads and protect the platform's core relational infrastructure from injection risks.

3. Information Sharing and Third-Party Operators

FAIS Labs does not sell, rent, or lease your personal information to third-party marketers. We share data only with trusted infrastructure providers (Operators under POPIA) necessary to run our application workflows. All third-party providers are strictly bound by confidentiality and security requirements:

| Operator / Platform | Core Processing Responsibility | Location / Compliance |
| --- | --- | --- |
| PayFast (Pty) Ltd | Processes all financial transactions, credit card verifications, and Instant Payment Notifications (IPN) safely. FAIS Labs never receives or stores your raw card numbers or banking secrets. | South Africa · PCI-DSS Compliant |
| Resend, Inc. | Delivers our automated transactional emails, including registration welcomes, security alerts, and founder performance breakdowns. | Secure Cloud Infrastructure |
| Emergent Hosting Canvas | Provides the fully managed cloud infrastructure, databases, background queue workers, and application environment deployment tools. | Automated Production Environments |

4. Data Security & Storage Architecture

We take the security of your data seriously and have built strict security measures into our backend stack to eliminate plaintext vulnerabilities:

  • Cryptographic hashing: User account passwords are systematically passed through an industrial-grade hashing function (bcrypt) before being written to permanent storage.
  • Zero-trust hook integrations: Critical data fields utilise reactive server-side state confirmation machines to keep form validations protected from client-side manipulation.
  • Signature verification: Inbound transactional data (such as payment notifications) is checked by strict SHA-256 or MD5 signature verification before it is accepted, to block unauthorised structural data injections.
  • Secure transport layer: All application traffic, API requests, and SMTP mail dispatches use Transport Layer Security (TLS) encryption pathways.

5. Data Retention Boundaries

  • Account & performance profiles: We retain your account information, mock exam completion history, and workspace tracking values as long as your profile remains active to maintain your diagnostic dashboards.
  • Immutable security logs: Technical entries written to the security_audit_ledger are kept permanently for security compliance, financial reconciliation, and forensic fraud prevention.
  • Expired cryptographic tokens: Temporary lifecycle tokens issued for password recovery are permanently invalidated immediately upon consumption or after their issuance window elapses.

6. Your Legal Rights (Data Subject Rights under POPIA)

As a South African data subject using this service, you possess specific statutory rights regarding how your information is handled. You can exercise these at any point by contacting us:

  • Right of access: You have the right to request confirmation of whether or not we hold your personal data and to obtain a descriptive record of that information.
  • Right to rectification: You may request that we update or correct any inaccurate, outdated, incomplete, or misleading personal information stored on your user workspace profile.
  • Right to erasure ("right to be forgotten"): You may request the deletion or destruction of your personal profile record, provided the data is no longer necessary for the execution of your premium access contract or mandatory administrative financial ledgers.
  • Right to object: You have the right to object to the processing of your data on reasonable grounds, unless legislation dictates mandatory processing.

7. Contact & Information Officer

For any clarifications, requests to delete profile contents, or inquiries regarding this Privacy Policy and our internal data safety rules, please contact our team directly at:

FAIS Labs Data Support

Email: support@faislabs.co.za

Website: faislabs.co.za
