Effective date: 7 May 2026 · Version 2026-05-07
Privacy Policy
I am Ballito (Pty) Ltd ("we", "us", "our") operates the I am Ballito platform — a hyperlocal coupon and stamp-card service for the Dolphin Coast. This Privacy Policy explains how we collect, use, store and share your personal information in line with the Protection of Personal Information Act 4 of 2013 (POPIA).
1. Who is responsible
The Responsible Party (controller) is I am Ballito (Pty) Ltd, Ballito, KwaZulu-Natal, South Africa. Our registered Information Officer is Peet Stander, contactable at privacy@iamballito.app. The Information Officer is registered with the Information Regulator of South Africa.
2. Personal information we collect
- Account data: name, email, password (hashed by Firebase Auth), profile photo (if you sign in with Google or Apple).
- Usage data: coupons claimed, stamps collected, businesses visited.
- Device data: browser type, operating system, device identifiers required to deliver push notifications.
- Location data: only if you explicitly opt in. Used locally on your device to surface nearby coupons. Not shared with merchants.
3. Why we process your information (lawful bases)
- Performance of contract (s11(1)(b)) — to operate your account and deliver coupons and stamps.
- Consent (s11(1)(a)) — for push notifications, email marketing, and location use, captured separately at sign-up and changeable at any time.
- Legitimate interests (s11(1)(f)) — fraud prevention, anti-replay on coupon redemption, and aggregate analytics.
- Legal obligation (s11(1)(c)) — financial record retention for 7 years per FICA.
4. Direct marketing
Per POPIA s69, we only send marketing emails or push notifications if you have explicitly opted in. Every marketing message contains a one-tap opt-out. We never sell your contact details.
5. Operators we use
We use the following operators (s21) under signed processing agreements:
- Firebase (Google Cloud) — authentication, database, file storage, push notifications. Hosted in europe-west1 for POPIA s72 cross-border posture; transfers governed by Google's Standard Contractual Clauses.
- Vercel — application hosting and edge delivery.
- Paystack — recurring subscription payments for merchants.
- Resend — transactional email delivery.
6. Cross-border transfers (s72)
Our primary data store is in the European Union (Belgium / europe-west1), under European data protection law and Standard Contractual Clauses with our cloud provider. This satisfies POPIA s72(1)(a). We do not store your personal information in the United States.
7. How long we keep your data
- Account profile: while your account is active, plus 30 days after deletion.
- Redemption ledger: 7 years (FICA s23).
- Consent log: indefinitely (immutable audit record per s17).
- Marketing engagement logs: 12 months.
8. Your rights (POPIA s23 – s25)
You have the right to:
- Access your personal information — see your account.
- Correct or update your information.
- Request deletion ("right to be forgotten").
- Withdraw consent for marketing or location use at any time.
- Object to processing for direct marketing (s69(3)).
- Lodge a complaint with the Information Regulator at inforegulator.org.za.
9. Children
I am Ballito is for adults 18 and older. We do not knowingly collect information from minors. Sign-up requires a date-of-birth check.
10. Security
We use industry-standard safeguards: TLS in transit, encryption at rest, role-based access controls, and Firestore security rules that deny by default. Passwords are hashed by Firebase Auth — we never see them.
11. Breach notification
Per POPIA s22 and the Regulator's breach guidance, we will notify the Information Regulator and affected data subjects via the Regulator's e-portal within the required timeframe of any compromise that creates a real risk of harm.
12. Contact
Information Officer: Peet Stander — privacy@iamballito.app.