Privacy Policy

Last updated: 28 April 2026 · Effective date: 28 April 2026

Applicable law: This policy complies with the South African Protection of Personal Information Act 4 of 2013 (POPIA) and the Zimbabwean Data Protection Act [Chapter 11:22] (2021). Where the two Acts differ, the stricter requirement applies.

1. Identity of Responsible Party

The responsible party (as defined in POPIA Section 1) for the processing of your personal information is:

Field	Detail
Legal name	[Imbazo (Pty) Ltd / Trading name — to be registered]
Registration number	[To be assigned on incorporation]
Registered address	[Physical address — to be confirmed]
Contact email	privacy@imbazoca.com

2. Information Officer

In terms of POPIA Section 55, our designated Information Officer is:

Field	Detail
Name	[Information Officer name — to be appointed]
Email	privacy@imbazoca.com
Phone	[To be confirmed]

For Zimbabwean data subjects, enquiries may also be directed to the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) at www.potraz.gov.zw.

3. Purpose of Collection (POPIA Section 13)

We collect and process personal information for the following specific, explicitly defined purposes:

3.1 Participant Data

Data category	Purpose	Legal basis (POPIA s11)
Name, phone, email	Identity verification, communication	Consent (s11(1)(a))
Date of birth, gender	Study matching (demographic criteria)	Consent (s11(1)(a))
Country, city, province	Geographic study targeting	Consent (s11(1)(a))
Education, employment, income	Socio-economic study matching	Consent (s11(1)(a))
Languages, ethnicity	Linguistic/cultural study matching	Consent (s11(1)(a)); ethnicity is special personal information processed only with explicit consent per s26-s33
Internet access type	Study feasibility assessment	Consent (s11(1)(a))
Payment details	Disbursing study participation payments	Contract performance (s11(1)(b))

3.2 Researcher Data

Data category	Purpose	Legal basis
Name, email, institution	Account creation, communication	Contract performance (s11(1)(b))
Payment information	Billing for study services	Contract performance (s11(1)(b))
Study content/criteria	Service delivery	Contract performance (s11(1)(b))

4. Data Minimisation & Adequacy (POPIA Section 10)

We collect only data that is adequate, relevant, and not excessive for the stated purposes. Participants may decline to provide optional fields (education, income, ethnicity) without affecting core panel membership.

5. Consent (POPIA Section 11)

Participant consent is obtained via our WhatsApp onboarding flow. Consent is:

Voluntary — participants can decline at any step
Specific — we explain each data category and its use
Informed — this policy is linked during onboarding
Recorded — timestamp and evidence stored per participant

Consent can be withdrawn at any time by messaging "STOP" to our WhatsApp number or emailing privacy@imbazoca.com.

6. Information Quality (POPIA Section 16)

We take reasonable steps to ensure personal information is complete, accurate, and not misleading. Participants can review and correct their information at any time via WhatsApp or by contacting us.

7. Data Retention (POPIA Section 14)

Data type	Retention period	Justification
Active participant profiles	While participant is active + 2 years after deactivation	Service delivery + legal compliance
Completed study data	5 years from study completion	Research audit trail, tax records
Consent records	Indefinite (anonymised after 7 years)	Legal compliance proof
Audit logs	7 years	Legal and regulatory compliance
Payment records	7 years	Financial regulatory requirements
Researcher accounts	While active + 2 years after last login	Service delivery

On deletion request, personal data is erased from active systems within 30 days. Anonymised aggregates may be retained for platform analytics.

8. Cross-Border Transfers (POPIA Section 72)

Your personal data may be transferred to, and processed in, countries outside South Africa and Zimbabwe. We ensure adequate safeguards per POPIA s72.

Sub-processor	Location	Purpose	Safeguard
Supabase Inc.	United States	Database hosting (Postgres)	SOC 2 Type II compliant; contractual data processing terms
Meta Platforms Inc.	United States / Ireland	WhatsApp Business API — participant messaging	EU-US Data Privacy Framework; Meta Business DPA
Clerk Inc.	United States	Researcher authentication	SOC 2 compliant; contractual safeguards
Vercel Inc.	United States / Global edge	Web application hosting	SOC 2 Type II; DPA with standard contractual clauses
Stripe Inc. (future)	United States	Payment processing	PCI DSS Level 1; GDPR-compliant DPA

All sub-processors are bound by data processing agreements that require them to process your data only for specified purposes and to implement appropriate security measures.

9. Security Safeguards (POPIA Section 19)

We implement appropriate technical and organisational measures to protect personal information, including:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Row-level security policies in our database — researchers cannot access other researchers' data or raw participant PII
Access control via Clerk authentication with session management
Audit logging of all data access events
Principle of least privilege for system components
Regular security reviews and dependency updates

10. Your Rights (POPIA Section 23–25)

As a data subject, you have the right to:

Access — Request a copy of all personal information we hold about you (s23)
Correction — Request correction of inaccurate or incomplete personal information (s24)
Deletion — Request deletion of your personal information where no legal basis for retention exists (s24)
Objection — Object to the processing of your personal information on reasonable grounds (s11(3))
Restriction — Request that we limit processing in certain circumstances
Data portability — Receive your data in a structured, machine-readable format
Withdraw consent — Withdraw consent at any time without affecting prior lawful processing
Lodge a complaint — With the Information Regulator of South Africa or POTRAZ (Zimbabwe)

To exercise any right, contact us at privacy@imbazoca.com or message "PRIVACY" to our WhatsApp number. We will respond within 30 days.

11. POPIA Section 18 Notification

In compliance with POPIA Section 18, we notify you at the time of collection that:

The information is being collected by Imbazo (see Section 1 above)
Collection is for the purposes described in Section 3 above
Provision of information is voluntary; however, failure to provide required fields may prevent panel membership or study participation
We will not use your information for direct marketing unless you opt in
You have the right to lodge a complaint with the Information Regulator at:
The Information Regulator (South Africa)
33 Hoofd Street, Forum III, Braampark, Braamfontein
Email: complaints.IR@justice.gov.za
Tel: 012 406 4818
Your information may be transferred outside South Africa as described in Section 8
We do not engage in automated decision-making or profiling that produces legal effects, except for demographic matching which you consent to during onboarding

12. Children's Data

Imbazo does not knowingly collect personal information from persons under the age of 18. Our onboarding flow includes age verification. If we discover we hold data of a minor, it will be deleted immediately.

13. Cookies & Analytics

Our web application uses only essential cookies for session management (authentication). We do not use advertising or tracking cookies. Vercel Analytics may collect anonymised performance metrics (page load times, country-level geographic data).

14. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email (researchers) or WhatsApp (participants) at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

15. Contact

For any privacy-related enquiries:

Email: privacy@imbazoca.com
WhatsApp: Message "PRIVACY" to [WhatsApp number]
Post: [Physical address — to be confirmed]