Privacy Policy
Effective date: 2025-09-26
Who We Are
RealOnline Authentication Gateway is an authentication relay hub operated by RealOnline for a set of applications under our control (collectively, the "Client Applications"). We provide a single, secure sign-in using Google OAuth 2.0 and then relay that verified identity to the Client Applications you choose to use.
Contact: webmaster@realonline.co.za
Jurisdiction: South Africa. We align with the Protection of Personal Information Act, 2013 ("POPIA"). Where relevant visitors are located in other regions, we apply equivalent safeguards consistent with international best practice.
What We Collect During Sign-in
During Google OAuth sign-in we request only basic profile fields so we can create and manage your account identity:
Your first name
Your last name
Used as your unique account identifier
Optional avatar for the UI (if provided by Google)
A stable ID from Google to help prevent duplicate accounts
Essential logs (timestamps, IP, user agent) to secure the service
We do not request access to your Gmail, Drive, contacts, calendar, or any sensitive Google scopes.
How We Use Your Information
- To create and maintain your RealOnline account and relay your verified identity to our Client Applications.
- To provide secure session management and detect fraud or abuse.
- To comply with legal obligations and enforce our terms of use.
We do not sell personal information. We do not use your details for unsolicited marketing or spam.
Legal Basis and POPIA Alignment
We process the above data on the basis of your request to sign in and use our services and, where applicable, our legitimate interest in providing a secure authentication gateway. We implement safeguards consistent with POPIA principles, including lawfulness, minimality, purpose specification, security safeguards, and data subject participation.
Cookies and Similar Technologies
- Essential Session Cookie: required to keep you signed in and protect against CSRF. It does not track you across other sites.
- No analytics or advertising cookies are set by the Authentication Gateway.
Retention
Account profile data is retained for as long as your account remains active and for a limited period thereafter to meet legal, security, and audit requirements. Session and security logs are kept for a short, defined period consistent with operational security needs.
Sharing and Transfers
- We relay your verified identity to the Client Applications you access. These applications are under our operational control and follow the same privacy commitments described here.
- Service providers (for hosting, security, or email delivery) may process data on our behalf under contracts that enforce confidentiality and security.
- No sale of personal information. No third-party advertising use.
- If data is transferred across borders, we use appropriate safeguards such as contractual protections and encryption in transit.
Security
- Encryption in transit (HTTPS/TLS) and hardened server configurations.
- Least-privilege access, audit logging, and separation of environments.
- Periodic reviews of authentication flows and dependency updates.
Your Choices and Rights
- You can revoke Google access at any time via your Google Account settings and you can discontinue use of our services at any time.
- Under POPIA you may request access, correction, or deletion of your personal information, or object to or restrict processing where applicable.
- To exercise rights, contact privacy@realonline.co.za. We will verify your request and respond in a reasonable time.
Children
Our services are intended for use by adults and not directed to children under 13. If you believe we have collected data from a minor, contact us and we will address it promptly.
Changes to This Policy
We may update this page to reflect changes in law or our services. Material changes will be highlighted here with a new effective date. Continued use of the Authentication Gateway after an update indicates acceptance of the revised policy.