C Herbst Consulting Proprietary Limited trading as aurumfsg (“we“, “our” or “us“) is a South African company who, amongst others, provides crypto tax reporting services to its customers in various countries.
This Policy tells you, as our customer (“you” or “your“), how we collect, use, store and share (“process“) data which tells us who you are, from which someone can determine who you are or otherwise relates to you (collectively, “personal data“).
If you are a prospective or present customer, this policy should be read together with our terms of service (“Ts&Cs“).
Our privacy vision is to provide you with accurate tax efficient crypto tax reports in a manner that respects and protects your privacy. You should know what personal data we process, why we process it and what rights you have in relation to your personal data which we hold.
We process, amongst others, the following types of personal data:
If you request that we contact you through our website or otherwise request that we contact you, we will process data to enable us to do so, including –
You are the source of this data.
If you appoint us to provide services to you, we will need to process your –
You are the source of this data.
If you appoint us to provide services to you, we will need to process information regarding the type of crypto tax report you purchase (a Basic, Standard, Premium, Degen or other report) (a “report”) and what the factors taken into account or which comprise such report, including –
You are the source of this data and some of it is automatically generated by purchasing our services, dependent on the report you purchase.
If you appoint us to provide services to you, we will need to process –
We process credit card payments through our credit card payment services provider, Practice Ignition Limited (“Practice Ignition”) through Stripe. We Use Aurumfsg, a company within our group of companies in the United States of America as an accredited card processing agent (“Aurumfsg USA”).
You, your payment services provider, Stripe and Aurumfsg USA are the sources of this data.
If you appoint us to provide services to you, we will need to process information about your crypto assets including –
You are the source of this data.
If you appoint us to provide services to you, we will need to process your tax information, including –
You are the source of this data.
As we provide crypto tax reporting services, different data sets or points may be aggregated by us to produce your tax report.
We do not make any decisions using this data that have legal consequences for you.
If you appoint us to provide services to you, we will process your communications with us, which includes the meta data of communications. If you call or video call us, we may transcribe or record such call to monitor our services and record your instructions.
You are the source of this data and some of this data is generated by us.
We process your personal data for the following purposes and based on the legal bases:
5.1 Operations
We may process your personal data for the purposes of operating our website; providing our services and products in the form of tax reports to customers; generating invoices, bills and other payment-related documentation; and credit control. The legal bases for this processing are –
● our legitimate interests, namely the proper administration of our website, services and business; and/or
● the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
5.2 Relationships and communications
We may process your personal data for the purposes of managing our relationships and communicating with you (excluding communicating for the purposes of direct marketing) by email, Whatsapp, website chatbot, SMS and/or telephone, providing support services and complaint handling. The legal bases for this processing are –
● our legitimate interests, namely communications with our website visitors, service users, individual customers and the maintenance of relationships, and the proper administration of our website, services and business; and/or
● the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
5.3 Research and analysis
We may process personal data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our business. The legal basis for this processing is our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally.
5.4 Record keeping
We may process your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally. The legal bases for this processing is –
● our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this policy; and/or
● the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
5.5 Security
We may process your personal data for the purposes of security and preventing fraud and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of our website, services and business and the protection of others.
5.6 Insurance and risk management
We may process your personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
5.7 Legal claims
We may process your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
5.8 Legal compliance and legitimate interests
We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect your legitimate interests or the legitimate interest of another person.
We may disclose your personal data to our insurers and/or professional advisors insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.
We may disclose your personal data to Aurumfsg USA [●], a company within our company group and vice versa, to process your credit card payment to us and any refunds. We ensure that Aurumfsg USA protects your data in a manner that is substantially similar to us.
Financial transactions relating to our services are handled by our payment services provider, Ignition through Stripe. We will share transaction data with our payment services provider only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers’ privacy policies and practices at https://stripe.com/en-gb-us/privacy.
In addition to the specific disclosures of personal data set out in this 6, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, including a subpoena, reporting obligation or request by a regulator or tax authority in any applicable jurisdiction, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
We process your personal data in the Republic of South Africa (“RSA”), which is the country where we are situated and from which our employees work. We also transfer your personal data to Aurumfsg USA to process your payments and other payment services providers. Where we transfer your data to Aurumfsg USA and/or other countries, we ensure that we have a lawful basis to do so, it being necessary to do so to provide our services to you as our customer. We ensure that your personal data is protected in RSA both by contractual and other reasonably practicable measures.
Your personal data will be stored on the services of our hosting services providers: Google Cloud Services, whose servers are located in RSA and abroad and Karbon https://karbonhq.com/en-GB/security/, whose servers are located.in the United States of America.
Your personal data may be kept in paper copy by our employees, but only to the extent necessary.
Only authorised personnel have access to your data.
We use administrative, technological and physical controls to protect your personal data against unauthorised loss, damage, modification, disclosure or access. Such controls includes policies, monitoring, access control, password protection, firewalls, anti-virus and encryption where possible.
Even though we take reasonable measures to protect your personal data, transmitting information over electronic platforms creates certain risks which we cannot prevent. We will not be held responsible for any loss occurred in the transmission of data.
We store information for as long we have a purpose to keep it, being either a business purpose or where the law requires us to keep it, whichever is longer.
We completely delete and destroy personal data two years after the completion of our mandate with you.
The personal data you provide us must be accurate and up to date – you are responsible for doing so. Providing us with inaccurate, false, misleading or incomplete information may affect the services we provide you and the correctness of the crypto tax report we issue you. It is therefore imperative that you provide data to us in time and which is correct.
We have processes in place for you to request that the personal data we hold about you is amended, corrected or deleted. We have the right to refuse any request where it requires disproportionate effort, threatens the privacy of others or would be impractical.
If the data we have about you is out of date or inaccurate, please contact our information officer at the details at 13.
If an unauthorised person has accessed your data, we will notify you to the extent we are required by law to do so. We will also notify the South African Information Regulator to the extent that we are required to.
You have the rights to –
● request access to the personal data we hold;
● request that we correct or delete personal data;
● object to the processing of personal data in certain instances; and/or
● withdraw consent where consent is the basis we rely on for processing.
Should you have a question or query with regards to the processing of personal data, please contact our information officer with the following details:
Name:
Chris Herbst
Physical Address:
5955 Alpha Rd, Suite #102, Unit #5114, Dallas, TX 75240
Given that we process data in RSA and because we are domiciled in RSA, we are required to comply with RSA’s data privacy legislation, POPIA. Should we have a complaint about the way we process your data, you can contact RSA’s Information Regulator at the following details:
Email:
complaints.IR@justice.gov.za
Physical address:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal address:
P.O Box 31533, Braamfontein, Johannesburg, 2017
This policy amounts to a notice of processing as is required by POPIA.
Given that we do not have an establishment in the European Union (“EU”), nor do we directly market our goods and services to EU data subjects, or monitor EU data subjects, we are not required to comply with the GDPR, however, we ensure that fair information processing principles are complied with in relation to your data, as set out in this notice.
This policy is subject to change. We will tell you if it does.
Last updated 22 September 2025.
