Privacy Policy
How we protect and manage your data
Effective Date: March 2026 Last Updated: March 2026
1. Introduction
Welcome to Tracepoint. This Privacy Policy explains how Tracepoint (Pty) Ltd. (“Tracepoint”, “we”, “us” or “our”) collects, uses, stores, shares and protects your personal information when you access or use our RFID Inventory & Asset Tracking platform, including our web-based administration portal, Android and iOS mobile applications and our website at https://www.tracepoint.co.za (collectively, the “Platform”).
We are committed to protecting your privacy and ensuring that your personal information is processed in accordance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (“POPIA”) and all other applicable South African legislation.
By accessing or using the Platform, you acknowledge that you have read, understood and agree to the collection and processing of your personal information as described in this Privacy Policy. If you do not agree with this Policy, please refrain from using the Platform.
2. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:
| Term | Definition |
|---|---|
| “Consent” | Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information, as defined in POPIA. |
| “End-User” | A natural or juristic person who has entered into an agreement with Tracepoint to use the Platform and who may process personal information of their own data subjects through the Platform. |
| “Data Subject” | The natural or juristic person to whom personal information relates - this includes you, the user of our Platform. |
| “Information Officer” | The person designated by Tracepoint to be responsible for ensuring compliance with POPIA. Contact details are provided in Section 18. |
| “Operator” | A person or entity who processes personal information on behalf of a Responsible Party under a contract or mandate, as defined in POPIA. |
| “Personal Information” | Information relating to an identifiable, living, natural person or an identifiable, existing juristic person, as defined in Section 1 of POPIA. This includes but is not limited to names, email addresses, phone numbers, identity numbers, location data and online identifiers. |
| “Platform” | The Tracepoint RFID Inventory & Asset Tracking SaaS platform, comprising the web administration portal, Android and iOS mobile applications, associated APIs and the website at https://www.tracepoint.co.za. |
| “POPIA” | The Protection of Personal Information Act, 2013 (Act No. 4 of 2013) of South Africa. |
| “Processing” | Any operation or activity, whether automated or not, concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, distribution, merging, linking, restriction, degradation, erasure or destruction of information. |
| “Responsible Party” | The entity that determines the purpose of and means for processing personal information, as defined in POPIA. For data processed through the Platform, the End-User is the Responsible Party. Tracepoint is the Responsible Party only for limited administrative data as described in Section 3.2. |
| “RFID Data” | Data generated by or associated with radio-frequency identification (RFID) tags, readers and related hardware used in connection with the Platform. |
| “Special Personal Information” | Personal information concerning a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour, as defined in Section 26 of POPIA. |
3. Role of Tracepoint
Tracepoint is a Software-as-a-Service (SaaS) provider. The core function of the Platform is to process data on behalf of End-Users. The End-User retains full ownership and control of all data processed through the Platform at all times.
3.1 Tracepoint as Operator (Primary Role)
Tracepoint’s primary role is that of an Operator (also referred to as a “data processor”) as defined in Section 1 of POPIA.
In this capacity:
The End-User is the Responsible Party and determines the purpose of and means for processing all data within the Platform.
Tracepoint processes End-User Data solely on the End-User’s instructions and in accordance with the applicable service agreement and data processing agreement.
Tracepoint does not determine what data is collected, how it is used or to whom it relates. These decisions rest entirely with the End-User.
Tracepoint does not access, use, analyse, sell or disclose End-User Data except as strictly necessary to provide the Platform services, as instructed by the End-User or as required by law.
This applies to all data inputted, uploaded, generated or processed by the End-User through the Platform, including but not limited to:
RFID asset and inventory data - tag identifiers, asset metadata, location data, movement records and related tracking information.
End-User-uploaded data - any data, documents, images or records that an End-User processes through the Platform for its own business purposes.
Reports and outputs - any reports, exports, analytics or data outputs generated by the Platform from End-User Data.
Tracepoint has no independent rights to End-User Data. Upon termination of the service agreement, all End-User Data shall be made available for export and subsequently deleted in accordance with the applicable agreement.
3.2 Tracepoint as Responsible Party (Limited Scope)
Tracepoint acts as a Responsible Party (as defined in POPIA) only in a limited and narrowly defined capacity, specifically in relation to:
Website visitor data: Information collected when individuals visit https://www.tracepoint.co.za, such as cookie data, IP addresses and contact form submissions.
Account credentials: Basic account registration details (name, email address, password) necessary to authenticate and manage access to the Platform.
Billing data: Information necessary for subscription management and payment processing via Paystack (limited to billing contact details, transaction references and invoicing information).
Tracepoint’s processing of personal information as a Responsible Party is strictly limited to these administrative purposes and does not extend to any data that End-Users process through the Platform.
3.3 End-User Obligations
The End-User, as the Responsible Party for all data processed through the Platform, bears full responsibility for:
Determining the lawful basis for processing and ensuring compliance with POPIA and any other applicable data protection legislation.
Obtaining all necessary consents or establishing another lawful basis for processing before inputting personal information into the Platform.
Informing data subjects about the processing of their personal information in accordance with Section 18 of POPIA.
Responding to and fulfilling all data subject access, correction, objection and deletion requests relating to personal information processed through the Platform.
Ensuring that the use of RFID and other tracking or identification technologies complies with applicable privacy, employment and surveillance laws.
Notifying Tracepoint of any specific processing requirements, restrictions or data subject requests that require Tracepoint’s cooperation.
Tracepoint shall provide reasonable assistance to End-Users in fulfilling their obligations under POPIA, including responding to data subject requests and cooperating with the Information Regulator, subject to the terms of the applicable service agreement.
4. Information We Collect
We collect and process the following categories of information:
4.1 Personal Information You Provide
When you register for an account, subscribe to our services or communicate with us, we may collect:
Identity Information: Full name, surname, job title and company or organisation name.
Contact Information: Email address, telephone number and physical or postal address.
Account Credentials: Username, password (stored in encrypted form) and account preferences.
Communication Records: The content of emails, support tickets or other communications you send to us.
Billing Information: Company name, billing address, VAT number and invoicing details.
4.2 Payment Data
We use Paystack as our third-party payment processor. When you make a payment through the Platform:
What Tracepoint receives: Transaction reference numbers, payment confirmation status, subscription tier and billing amounts. We may also receive a truncated version of your payment card details (e.g., the last four digits) for transaction identification purposes.
What Tracepoint does NOT store: Full credit or debit card numbers, CVV codes or complete banking credentials. These are collected and processed directly by Paystack in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
Please refer to Paystack’s Privacy Policy for details on how they handle your payment information.
4.3 Usage Data
When you interact with the Platform, we automatically collect:
Log Data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access and session duration.
Device Information: Device type, unique device identifiers, mobile operating system version and mobile network information (for Android and iOS mobile application users).
Feature Usage: Information about how you interact with Platform features, including search queries, settings configurations and navigation patterns.
4.4 RFID & Device Data (End-User-Controlled)
As a core function of the Platform, the following categories of data are processed on behalf of the End-User in Tracepoint’s capacity as Operator. The End-User determines what data is collected, how it is used and retains full ownership and control at all times. Tracepoint processes this data solely to provide the Platform services:
RFID Tag Data: Tag identifiers (UIDs), encoded data values, tag read/write timestamps, signal strength and associated asset metadata (e.g., asset name, description, category, location).
RFID Reader Data: Reader identifiers, connection status, firmware version and configuration settings.
Asset Information: Asset descriptions, serial numbers, categories, assigned locations, custodian details, photographs and other inventory data that you input or scan into the Platform.
Location Data: If enabled, GPS coordinates or facility zone information associated with RFID scan events (collected via the Android and iOS mobile applications with your permission).
4.5 Cookies and Similar Technologies
We collect certain information through cookies and similar tracking technologies when you use the web portal. Full details are set out in Section 8 - Cookies & Tracking Technologies.
5. Device and System Data
The Platform processes data generated by external devices and systems, including RFID readers and identification/tracking technologies. Tracepoint does not control how such data is collected, what data is collected or how devices are configured. The End-User is solely responsible for ensuring that all data collection is lawful and compliant with applicable laws.
Where device or system data contains personal information (for example, where RFID tags are associated with identifiable individuals), the End-User, as the Responsible Party for such data, must ensure that appropriate legal grounds for processing exist and that data subjects are informed in accordance with POPIA.
Tracepoint processes device and system data solely for the purpose of providing the Platform services and in accordance with the End-User’s instructions.
6. How We Use Your Information
6.1 Administrative Data (Tracepoint as Responsible Party)
Tracepoint processes the limited administrative data described in Section 3.2 for the following purposes:
| Purpose | Description |
|---|---|
| Account Management | To create and manage your account, authenticate access and administer Platform credentials. |
| Payment Processing | To process subscription payments, generate invoices and manage billing through Paystack. |
| Communication | To send service-related notifications, respond to enquiries and support requests and provide important updates. |
| Security & Fraud Prevention | To detect, prevent and respond to security incidents, fraud or other malicious activity. |
| Legal Compliance | To comply with applicable laws, regulations and legal processes, including POPIA and tax legislation. |
| Marketing (with consent) | To send promotional communications where you have provided prior opt-in consent. You may withdraw this consent at any time. |
6.2 End-User Data (Tracepoint as Operator)
End-User Data - including all RFID data, asset data, inventory data and any other data processed through the Platform - is processed by Tracepoint solely for the purpose of providing the Platform services to the End-User. Tracepoint:
Processes End-User Data only on the End-User’s instructions;
Does not use End-User Data for Tracepoint’s own commercial purposes;
Does not sell, share or disclose End-User Data to third parties except as necessary to deliver the Platform services or as required by law;
Does not mine, analyse or profile End-User Data for advertising, marketing or any purpose unrelated to service delivery; and
May generate aggregated, anonymised or de-identified statistical data that cannot identify any individual End-User or data subject, solely for the purposes of Platform performance monitoring and improvement.
The purposes of processing End-User Data are determined by the End-User as the Responsible Party, not by Tracepoint.
7. Legal Basis for Processing (POPIA)
Under POPIA, we must have a lawful basis for processing your personal information. We rely on the following justifications:
7.1 Consent (Section 11(1)(a))
Where you have provided your voluntary, specific and informed consent for the processing of your personal information - for example, when opting in to receive marketing communications or enabling location services on the mobile application.
7.2 Contract (Section 11(1)(b))
Where processing is necessary to perform a contract to which you are a party or to take steps at your request prior to entering into a contract - for example, to provide the Platform services under your subscription agreement.
7.3 Legal Obligation (Section 11(1)(c))
Where processing is necessary for compliance with a legal obligation to which Tracepoint is subject - for example, retaining financial records as required by the Tax Administration Act or Companies Act.
7.4 Legitimate Interest (Section 11(1)(f))
Where processing is necessary for the pursuit of the legitimate interests of Tracepoint or a third party to whom the information is supplied, provided that such interests are not overridden by your rights - for example, for fraud prevention, network security and internal analytics.
7.5 Conditions for Lawful Processing
In accordance with Chapter 3 of POPIA, we ensure that all processing of personal information adheres to the following conditions:
Accountability - Tracepoint takes responsibility for compliance with POPIA.
Processing Limitation - Personal information is collected for a specific, defined purpose and is not processed further in a manner incompatible with that purpose.
Purpose Specification - Personal information is collected for specific, explicitly defined and lawful purposes.
Further Processing Limitation - Further processing is compatible with the original purpose of collection.
Information Quality - We take reasonable steps to ensure that personal information is complete, accurate and not misleading.
Openness - We are transparent about the processing of personal information through this Privacy Policy and other notices.
Security Safeguards - We implement appropriate technical and organisational measures to protect personal information.
Data Subject Participation - You have the right to access and, where necessary, correct your personal information.
8. Cookies & Tracking Technologies
Cookie Policy
This section constitutes the Cookie Policy for Tracepoint’s web-based administration portal and website. It explains what cookies and similar technologies we use, why we use them and your choices regarding their use.
8.1 What Are Cookies?
Cookies are small text files placed on your device (computer, tablet or smartphone) when you visit a website. They are widely used to make websites function correctly, improve user experience and provide information to site operators. Similar technologies include web beacons, pixels and local storage.
8.2 Types of Cookies We Use
a) Strictly Necessary Cookies
These cookies are essential for the operation of the web portal. They enable core functions such as user authentication, session management and security features. Without these cookies, the Platform cannot function properly.
| Cookie | Purpose | Duration |
|---|---|---|
| Session ID | Maintains your authenticated session | Session (expires on logout or browser close) |
| CSRF Token | Protects against cross-site request forgery attacks | Session |
| Cookie Consent | Records your cookie consent preferences | 12 months |
Legal Basis: These cookies are strictly necessary and do not require consent under POPIA.
b) Functional Cookies
These cookies enable enhanced functionality and personalisation, such as remembering your language preferences, display settings and dashboard configurations.
| Cookie | Purpose | Duration |
|---|---|---|
| User Preferences | Stores display settings and dashboard layout preferences | 12 months |
| Language | Remembers your preferred language | 12 months |
Legal Basis: Legitimate interest in providing a personalised user experience.
c) Analytics Cookies
These cookies collect information about how visitors use the web portal, such as which pages are visited most often and whether users encounter error messages. The information is aggregated and anonymised. We use Cloudflare Web Analytics and/or Google Analytics for this purpose.
| Cookie | Purpose | Duration |
|---|---|---|
| Analytics ID | Identifies unique visitors for aggregate usage statistics | 24 months |
| Page View Tracking | Records page views and navigation paths | Session |
Legal Basis: Legitimate interest in improving the Platform; consent where required.
d) Third-Party Cookies
Certain third-party services integrated into the Platform may place their own cookies. These include:
Paystack: May set cookies during the payment process to facilitate secure transactions.
Cloudflare Web Analytics: May use cookies or similar tracking mechanisms to collect anonymised usage and performance data. Cloudflare Web Analytics is designed to be privacy-first and does not use client-side state for tracking.
Google Analytics: May set cookies to collect pseudonymised usage data, including page views, session duration and traffic sources.
We do not control third-party cookies. Please refer to the respective third party’s cookie and privacy policies for further information.
8.3 Cookies on the Mobile Applications
The Android and iOS mobile applications do not use browser cookies. However, the applications may use similar local storage mechanisms (such as shared preferences, local databases and keychain storage) to store session tokens, user preferences and cached data necessary for the applications’ operation.
8.4 Managing Your Cookie Preferences
You have the following options to manage cookies:
Cookie Consent Banner: When you first visit our web portal, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies.
Browser Settings: You can configure your web browser to block or delete cookies. Please note that blocking strictly necessary cookies may impair the functionality of the Platform. Instructions for common browsers:
Chrome: Settings → Privacy and Security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Cookies and site permissions
Opt-Out Links: Where applicable, you may opt out of analytics tracking by using the opt-out mechanisms provided by the relevant analytics provider (e.g., Google Analytics opt-out browser add-on).
8.5 Do Not Track (DNT)
Some browsers offer a “Do Not Track” (DNT) setting. There is currently no universally accepted standard for how companies should respond to DNT signals. We will update this Policy if a standard is established.
9. Data Sharing & Third Parties
We do not sell, rent, trade or otherwise commercially exploit any personal information, including End-User Data.
With respect to End-User Data (processed in our capacity as Operator): Tracepoint shares End-User Data with third parties only to the extent strictly necessary to provide the Platform services (e.g., hosting infrastructure) and only under appropriate contractual safeguards. Tracepoint does not share End-User Data with third parties for any purpose other than service delivery unless instructed by the End-User or required by law.
With respect to administrative data (processed in our limited capacity as Responsible Party): we may share personal information with the following categories of recipients and only to the extent necessary for the purposes described in this Policy:
9.1 Payment Processor - Paystack
We use Paystack (Pty) Ltd. to process subscription payments. When you make a payment, your payment details (such as card number and billing information) are transmitted directly to Paystack’s secure servers. Paystack acts as an independent responsible party for payment data it collects. Paystack is PCI DSS compliant.
Paystack Privacy Policy: https://paystack.com/privacy
9.2 Cloud Hosting & Infrastructure
The Platform is hosted on private cloud infrastructure hosted at Teraco Isando Data Centre, Johannesburg, South Africa. This ensures that primary data storage and processing remains within South Africa. Our hosting provider acts as an operator on our behalf and processes data solely in accordance with our instructions and under appropriate contractual safeguards, including data processing agreements.
9.3 Analytics Providers
We use Cloudflare Web Analytics and/or Google Analytics to help us understand how the Platform is used. Cloudflare Web Analytics is a privacy-first analytics service that does not track individual users. Google Analytics receives pseudonymised data. These providers are contractually prohibited from using your personal information for their own purposes unrelated to the analytics service.
9.4 Professional Advisors
We may share personal information with our legal, accounting or other professional advisors where necessary for us to obtain their advice or services.
9.5 Legal & Regulatory Disclosures
We may disclose personal information where required:
To comply with a legal obligation, court order, subpoena or regulatory request.
To enforce our contractual rights.
To protect the rights, property or safety of Tracepoint, our users or the public.
In connection with a merger, acquisition or sale of all or a portion of our assets (in which case you will be notified).
9.6 With Your Consent
We may share your personal information with other third parties where you have provided your prior, specific consent to such sharing.
9.7 Operators and Data Processing Agreements
Where we engage operators (third-party service providers who process personal information on our behalf), we ensure that:
A written data processing agreement is in place, as required by Section 21 of POPIA.
The operator processes personal information only on our instructions.
The operator implements appropriate security measures.
The operator notifies us of any security compromises.
9.8 Subprocessors
Tracepoint may appoint third-party subprocessors to support delivery of the Platform. All subprocessors are subject to appropriate contractual and security obligations consistent with this Privacy Policy and applicable law. A list of current subprocessors is available upon request by contacting our Information Officer at the details provided in Section 18.
10. Data Retention
10.1 Administrative Data (Tracepoint as Responsible Party)
Tracepoint retains the limited administrative data for which it is Responsible Party only for as long as is necessary to fulfil the purposes for which it was collected or as required by applicable law:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Credentials | Duration of active account, plus 12 months after closure | Service delivery and reactivation enquiries |
| Payment & Transaction Records | 5 years from date of transaction | Tax Administration Act and Companies Act compliance |
| Usage & Log Data | 12 months from date of collection | Security monitoring and Platform improvement |
| Communication Records | 3 years from last communication | Dispute resolution and service improvement |
| Cookie Data | As specified in Section 8.2 | Functional and analytics purposes |
| Marketing Consent Records | Duration of consent, plus 12 months after withdrawal | Proof of consent compliance |
10.2 End-User Data (Tracepoint as Operator)
End-User Data - including all RFID data, asset data, inventory records and other data processed through the Platform - is retained only for the duration of the End-User’s active subscription and is controlled entirely by the End-User.
End-Users may export or delete their data at any time during the active subscription.
Upon termination or expiry of the service agreement, End-User Data shall be available for export for a period of 30 (thirty) days, after which it shall be permanently and securely deleted.
Tracepoint does not retain End-User Data beyond the 30-day post-termination period except where required by law.
The End-User, as Responsible Party, determines the retention period for personal information within its own data while the subscription is active.
10.3 Deletion
Upon expiry of the applicable retention period, personal information will be de-identified, aggregated or securely destroyed in accordance with POPIA and our internal data retention procedures. You may request the deletion of your personal information at any time, subject to our legal obligations to retain certain records.
11. Data Security
We are committed to protecting your personal information and have implemented the following technical and organisational measures in accordance with Section 19 of POPIA:
11.1 Technical Measures
Encryption in Transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS/SSL).
Encryption at Rest: Personal information stored on our servers is encrypted using industry-standard encryption algorithms.
Access Controls: Role-based access controls (RBAC) ensure that only authorised personnel can access personal information, on a need-to-know basis.
Authentication: Multi-factor authentication (MFA) is available and encouraged for all user accounts. Passwords are stored using strong, salted cryptographic hashing.
Network Security: Firewalls, intrusion detection systems and regular vulnerability assessments are employed to protect our infrastructure.
Secure Payment Processing: Payment data is processed through Paystack’s PCI DSS-compliant infrastructure and is never stored on Tracepoint’s servers.
11.2 Organisational Measures
Staff Training: Personnel who handle personal information receive regular training on data protection and POPIA compliance.
Confidentiality Agreements: All employees and contractors are bound by confidentiality agreements.
Incident Response: We maintain a documented security incident response plan to address any personal information breaches promptly.
Regular Audits: We conduct periodic reviews and audits of our data processing activities and security measures.
11.3 Security Breach Notification
For administrative data (Tracepoint as Responsible Party):
In the event of a security compromise involving personal information for which Tracepoint is the Responsible Party, Tracepoint will:
Notify the Information Regulator as soon as reasonably possible, in accordance with Section 22 of POPIA.
Notify affected data subjects as soon as reasonably possible, providing details of the breach, the potential consequences and the measures taken or proposed to address the breach.
For End-User Data (Tracepoint as Operator):
In the event of a security compromise involving End-User Data, Tracepoint will notify the affected End-User without undue delay so that the End-User, as the Responsible Party, may fulfil its notification obligations under Section 22 of POPIA. Tracepoint shall provide the End-User with all reasonably available information about the breach and shall cooperate with the End-User in investigating and remediating the incident. The End-User retains responsibility for any required notifications to the Information Regulator and to data subjects unless otherwise agreed in writing.
While we take all reasonable steps to protect personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
12. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights in relation to your personal information:
12.1 Right of Access (Section 23)
You have the right to request confirmation of whether we hold personal information about you and to request access to that information. We will respond to your request within a reasonable time and in any event within 30 days of receiving a valid request.
12.2 Right to Correction (Section 24)
You have the right to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
12.3 Right to Object (Section 11(3))
You have the right to object, on reasonable grounds relating to your particular situation, to the processing of your personal information. You also have the right to object to the processing of your personal information for purposes of direct marketing (Section 69).
12.4 Right to Deletion (Section 24)
You have the right to request the deletion or destruction of personal information that we are no longer authorised to retain.
12.5 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
12.6 Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Regulator (South Africa) if you believe that your personal information has been processed in violation of POPIA.
Information Regulator Contact Details: - Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 - Email: [email protected] - Phone: 010 023 5207 - Website: https://inforegulator.org.za
12.7 How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to our Information Officer using the contact details provided in Section 18. We may request proof of identity before processing your request to protect your privacy and security.
We will not charge a fee for responding to a valid access request, unless the request is manifestly unfounded, repetitive or excessive, in which case we may charge a reasonable fee or decline the request.
13. Special Personal Information
Tracepoint does not intentionally collect or process special personal information (as defined in Section 26 of POPIA) unless explicitly required and lawfully authorised. Special personal information includes information relating to a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour.
End-Users who use the Platform are responsible for ensuring that any special personal information processed through the Platform is handled in accordance with applicable law, including obtaining the necessary authorisation or consent as required by POPIA. Where an End-User processes special personal information through the Platform, the End-User acts as the Responsible Party for that data and bears full responsibility for POPIA compliance in respect of such processing.
14. Children’s Privacy
The Platform is not intended for use by children under the age of 18 years. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without verification of parental or guardian consent, we will take steps to delete that information from our servers promptly.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at [email protected] so that we can take appropriate action.
In accordance with Section 35 of POPIA, the processing of personal information of a child (a natural person under the age of 18) is prohibited unless it is carried out with the prior consent of a competent person (parent or guardian) or is necessary for compliance with a legal obligation or is for historical, statistical or research purposes.
15. International Data Transfers
15.1 Data Location
Our primary data storage and processing infrastructure is located within the Republic of South Africa, hosted at the Teraco Isando Data Centre in Johannesburg. This means that the majority of your personal information is stored and processed within South Africa’s borders. However, some of our third-party service providers may process certain data in jurisdictions outside of South Africa as set out below.
15.2 Safeguards for International Transfers
Where personal information is transferred to a jurisdiction outside of South Africa, we ensure compliance with Section 72 of POPIA by verifying that one or more of the following conditions are met:
The recipient country has adequate data protection legislation that provides a comparable level of protection to POPIA.
The recipient is subject to binding corporate rules or a binding agreement that provides adequate protection.
The data subject has consented to the transfer after being informed of the possible risks.
The transfer is necessary for the performance of a contract between the data subject and Tracepoint.
The transfer is necessary for the conclusion or performance of a contract in the interest of the data subject.
15.3 Third-Party Locations
Our key service providers and their data processing locations:
| Provider | Service | Data Location |
|---|---|---|
| Teraco | Platform infrastructure (private cloud) | South Africa (Isando, Johannesburg) |
| Paystack | Payment processing | South Africa / as per Paystack’s privacy policy |
| Cloudflare | Web security & analytics | Global CDN (edge nodes) |
| Analytics | International |
Note: Primary data storage is in South Africa. Where third-party providers process data internationally (such as Cloudflare edge nodes or Google Analytics servers), only limited, pseudonymised or aggregated data is transferred and appropriate safeguards as described in Section 15.2 are in place.
We will update this section as our infrastructure evolves.
16. Automated Decision-Making
Tracepoint does not make automated decisions that produce legal or similarly significant effects on individuals. The Platform provides data outputs only. Any decisions made on the basis of data processed through the Platform are made by the relevant End-User or authorised user and not by Tracepoint or the Platform itself.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, technology, legal requirements or business operations.
When we make material changes to this Policy:
We will update the “Last Updated” date at the top of this document.
We will notify you via email (to the address associated with your account) or by a prominent notice on the Platform prior to the changes taking effect.
Where required by POPIA, we will obtain your consent to any material changes that affect the processing of your personal information.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy, except where consent is specifically required.
18. Contact Information
If you have any questions, concerns or requests regarding this Privacy Policy or the processing of your personal information, please contact us:
Tracepoint (Pty) Ltd. Registration Number: 2025/199716/07
Information Officer: Berdina Schurink - Email: [email protected] - Phone: 012 942 4000
Physical Address: 4th Floor Menlyn Corner 87 Frikkie de Beer Street Menlyn, 0181 South Africa
Website: https://www.tracepoint.co.za
General Enquiries: - Email: [email protected]
This Privacy Policy is governed by the laws of the Republic of South Africa. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the South African courts.
© 2026 Tracepoint (Pty) Ltd. All rights reserved.