Your data matters to us. MyProtektor is committed to processing your personal information lawfully, transparently, and in a manner that respects your rights under the Protection of Personal Information Act 4 of 2013 (POPIA). This notice explains what data we collect, why we collect it, and how you can exercise your rights.
Version: 3.1.0 | Last Updated: 2026-03-11 | Applies to: www.myprotektor.co.za and the MyProtektor Mobile App
1. Introduction
This Data Protection Notice describes how MyProtektor collects, uses, stores, shares, and protects personal information obtained through the MyProtektor website, mobile application, and related services (collectively referred to as the "Platform"). This notice applies to all users of the Platform, including security company administrators, security guards, LiteClient subscribers, and visitors.
We process personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA), and we are committed to ensuring that all processing activities meet the requirements of the eight conditions for lawful processing set out in POPIA.
2. Responsible Party
The responsible party for the processing of your personal information is:
- Name: MyProtektor, operated by Mike Roth, Founder, Michael-Gaismayr-Strasse 52b, 6900 Bregenz, Austria, European Union
- Email: info@myprotektor.co.za
- Website: www.myprotektor.co.za
For the purposes of POPIA, the responsible party determines the purpose of and means for processing personal information. Where a security company uses MyProtektor to manage its own operations and personnel, that security company may act as a separate responsible party for the personal information of its employees and clients, with MyProtektor acting as an operator processing data on its behalf.
3. Categories of Personal Data Collected
Depending on your role and use of the Platform, we may collect the following categories of personal information:
3.1 Account and Identity Information
- Full name, email address, and phone number
- Profile photograph (optional)
- Organisation name and role within the organisation
- Account credentials (password hashes - we never store plaintext passwords)
- Authentication provider identifiers (Google, Apple Sign-In)
3.2 Location and GPS Data
- Real-time GPS coordinates of security guards during active shifts
- Location data transmitted during panic alert activations
- Geolocation information associated with incident reports
- QR patrol checkpoint scan locations and timestamps
3.3 Incident and Operational Data
- Incident reports including descriptions, severity classifications, and status updates
- Photographic evidence attached to incident reports
- Panic alert records including activation time, location, and response details
- Patrol checkpoint scan records and verification data
- Shift schedules and attendance records
3.4 Payment and Billing Information
- Subscription plan details and billing history
- Payment method type (we do not store full card numbers; payment processing is handled by Stripe)
- Invoice records and transaction identifiers
- Affiliate commission records (where applicable)
3.5 Technical and Device Information
- Device type, operating system, and app version
- Push notification tokens
- IP addresses and browser information (for web access)
- Crash reports and diagnostic data
- Usage analytics and feature interaction data
4. Lawful Basis for Processing Under POPIA
POPIA sets out eight conditions for the lawful processing of personal information. We process your data in compliance with these conditions as follows:
- Condition 1 - Accountability: MyProtektor takes responsibility for ensuring that all processing complies with POPIA. We have implemented appropriate technical and organisational measures to protect your data.
- Condition 2 - Processing Limitation: We collect personal information only for specified, explicitly defined, and lawful purposes, and we do not process information in a manner incompatible with those purposes.
- Condition 3 - Purpose Specification: We collect personal information for the specific purposes described in Section 5 of this notice. Data is retained only for as long as necessary to fulfil those purposes.
- Condition 4 - Further Processing Limitation: We do not process personal information for purposes beyond those for which it was originally collected, unless the further processing is compatible with the original purpose or you have provided consent.
- Condition 5 - Information Quality: We take reasonable steps to ensure that personal information is complete, accurate, and not misleading. Users can update their information through their account settings at any time.
- Condition 6 - Openness: This Data Protection Notice serves as our notification to you about how we process personal information. We are transparent about our data practices.
- Condition 7 - Security Safeguards: We implement appropriate technical and organisational security measures to protect personal information against loss, damage, unauthorised access, and unlawful processing, as described in Section 7 of this notice.
- Condition 8 - Data Subject Participation: You have the right to access, correct, and delete your personal information as described in Section 9 of this notice.
5. Purposes of Processing
We process your personal information for the following purposes:
- Service delivery: To provide the core functionality of the Platform, including incident management, GPS tracking, panic alerts, QR patrol verification, shift management, and client dashboard access.
- Account management: To create and manage your user account, authenticate your identity, and maintain your subscription.
- Communication: To send you service-related notifications, including push notifications for incident alerts, panic alerts, and patrol reminders.
- Billing and payments: To process subscription payments, manage invoices, and administer the affiliate commission programme.
- Safety and security: To facilitate emergency response coordination, enable location sharing during active shifts, and support incident reporting workflows.
- Platform improvement: To analyse usage patterns, identify technical issues, and improve the features and performance of the Platform.
- Legal compliance: To comply with applicable legal obligations, respond to lawful requests from authorities, and establish, exercise, or defend legal claims.
6. Data Sharing
We may share your personal information in the following circumstances:
6.1 Within Your Organisation
If you are a member of a security company on MyProtektor, certain information (such as your name, role, location during shifts, and incident reports) will be visible to other members of your organisation in accordance with their role-based permissions. Administrators can view more data than guards or clients.
6.2 Service Providers
We use trusted third-party service providers to operate the Platform. These providers process data on our behalf and are contractually obligated to protect your information:
- Cloud infrastructure providers: Compute infrastructure, data hosting, and storage services
- Authentication and identity providers: User sign-in, session handling, and account security
- Mapping and geolocation providers: Mapping, geolocation, and routing services
- Payment service providers: Payment processing and subscription management
- Mobile messaging providers: Push notification delivery
- Affiliate tracking providers: Affiliate programme tracking and commission management
- Web hosting and delivery providers: Website hosting, content delivery, and web analytics
- Monitoring providers: Application error monitoring and crash reporting
- Communication providers: SMS delivery and transactional email delivery
- Abuse prevention providers: Rate limiting and anti-abuse controls (including hashed identifiers)
- Analytics and marketing providers: Usage analytics, tag management, and conversion tracking
- Device integrity providers: Device attestation and platform integrity verification
6.3 Legal Requirements
We may disclose personal information if required to do so by law, court order, or lawful request from a government authority, or where disclosure is reasonably necessary to protect the rights, property, or safety of MyProtektor, our users, or the public.
7. Security Measures
We implement a range of technical and organisational measures to protect your personal information:
- All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Passwords are hashed and salted using industry-standard algorithms; we never store plaintext passwords.
- QR patrol codes are signed using Ed25519 cryptographic signatures to prevent forgery.
- Access to personal data is restricted through role-based access controls enforced at the application and database levels.
- Database-level security rules enforce data isolation between organisations, ensuring that users can only access data belonging to their own organisation.
- Multi-factor authentication is available for all user accounts.
- We conduct regular security reviews and apply updates to address known vulnerabilities.
- Push notification tokens are validated and expired tokens are automatically cleaned up to prevent data leakage.
While we take every reasonable precaution, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your information.
8. Retention Periods
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods are as follows:
- Account data: Retained for the duration of your active account and for 90 days following account deletion to allow for recovery.
- Incident reports and operational data: Retained for a minimum of 7 years to satisfy legal, insurance, and regulatory requirements in the security industry.
- GPS and location data: Real-time location data is retained for 30 days. Historical patrol records are retained for up to 3 years for operational review, compliance reporting, and trend analysis.
- Payment and billing records: Retained for 7 years in accordance with South African tax and financial record-keeping laws.
- Technical logs and analytics: Retained for up to 12 months.
- Push notification tokens: Retained while active and automatically deleted when a device is unregistered or a token becomes invalid.
- Inactive accounts: Accounts with no login activity for 24 consecutive months may be flagged for deletion. We will notify you before any deletion occurs.
When the retention period expires, personal information is securely deleted or anonymised so that it can no longer be associated with an identifiable individual.
9. Your Rights as a Data Subject
Under POPIA, you have the following rights in relation to your personal information:
- Right of access: You have the right to request confirmation of whether we hold personal information about you and to request a copy of that information.
- Right to correction: You have the right to request that we correct or update personal information that is inaccurate, incomplete, or misleading.
- Right to deletion: You have the right to request the deletion of your personal information where it is no longer necessary for the purpose for which it was collected, subject to any legal retention requirements.
- Right to restriction: You have the right to request that we restrict the processing of your personal information in certain circumstances, such as where the accuracy of the information is contested.
- Right to data portability: You have the right to request a copy of your personal information in a structured, commonly used, and machine-readable format for transfer to another service provider.
- Right to object: You have the right to object to the processing of your personal information on reasonable grounds relating to your particular situation, unless the processing is required by law or in the legitimate interests of MyProtektor.
- Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
10. How to Exercise Your Rights
To exercise any of the rights described above, please submit a written request to us using the contact details provided in Section 14 of this notice. Your request should include:
- Your full name and email address associated with your MyProtektor account.
- A clear description of the right you wish to exercise.
- Any additional information necessary to verify your identity and locate your records.
We will acknowledge receipt of your request within 5 business days and respond substantively within 30 days. If your request is complex or we receive a high volume of requests, we may extend the response period by an additional 30 days, in which case we will inform you of the extension.
There is no fee for exercising your rights. However, if a request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee to cover administrative costs.
11. Complaints
If you are dissatisfied with how we have handled your personal information or responded to a request, you have the right to lodge a complaint with the South African Information Regulator:
- Email: POPIAComplaints@inforegulator.org.za
- Phone: 012 406 4818
- Website: https://inforegulator.org.za
We encourage you to contact us first so that we have the opportunity to address your concerns directly.
12. International Data Transfers
Your personal information may be processed outside of South Africa by our third-party service providers. These providers may process data in data centres located in the European Union, United States, or other jurisdictions.
In accordance with Section 72 of POPIA, we ensure that any cross-border transfer of personal information is subject to appropriate safeguards, including:
- Contractual obligations requiring the recipient to maintain data protection standards consistent with POPIA.
- Transfer to jurisdictions with adequate data protection legislation.
- Supplementary technical measures, including encryption in transit and at rest.
13. Updates to This Notice
We may update this Data Protection Notice from time to time to reflect changes in our processing activities, legal requirements, or business practices. When we make material changes, we will notify you by publishing the updated notice on the Platform and, where appropriate, sending you a notification via email or push notification.
We encourage you to review this notice periodically. The "Last Updated" date at the top of this notice indicates when the most recent revision was made. Your continued use of the Platform after a change has been published constitutes acceptance of the updated notice.
14. Contact Us
If you have any questions, concerns, or requests relating to this Data Protection Notice or the processing of your personal information, please contact us:
MyProtektor
Mike Roth (Founder & Information Officer)
Michael-Gaismayr-Strasse 52b
6900 Bregenz, Austria
European Union
Email: info@myprotektor.co.za
Website: www.myprotektor.co.za
Service Limitations
MyProtektor is a software platform for the coordination and documentation of security-related operations. It is not a provider of security, armed response, emergency, or dispatch services, and no feature of the platform shall be construed as a guarantee of intervention, availability, or response time. In any emergency situation, the responsible public emergency services must be contacted directly.