Privacy Policy
Last updated: 15 June 2026
This policy explains what personal information Sardine Spotter collects, why we collect it, how long we keep it, and what choices you have. It is written to comply with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa.
1. Who we are
Sardine Spotter is operated by William Addison (“we”, “us”, “our”), a sole proprietor in the Republic of South Africa. We are the “responsible party” under POPIA in respect of the personal information we process about you.
Postal address: [YOUR_PHYSICAL_ADDRESS], South Africa
2. Information Officer
Our Information Officer (the person responsible for our POPIA compliance and the point of contact for any privacy-related request) can be contacted at support@sardinewatch.co.za.
3. Personal information we collect
We collect the following categories of personal information:
3.1 Information you give us
- Account details: email address, chosen nickname, password (stored only as a one-way bcrypt hash — never in plaintext).
- Profile: optional profile picture you upload.
- Sighting reports: GPS coordinates of the sighting, the description text you write, and any photo you upload.
- Comments & likes: the text of any comment you post and a record of which sightings you have liked.
3.2 Information we generate automatically
- Technical & device data: your browser user-agent string, IP address (used only to deliver responses and detect abuse — not stored long-term), and the timestamps of requests.
- Push notification subscription: if you opt in to push notifications, your browser's push endpoint and the per-device cryptographic keys needed to deliver them.
- Activity: the time you last logged in, sightings you reported and notifications you received.
3.3 Information we DO NOT collect
- We do not use Google Analytics, Facebook Pixel, advertising trackers, or any third-party analytics tool.
- We do not sell, rent or trade your personal information. Ever.
- We do not track you across other websites.
4. Why we collect it (purpose)
We process your personal information for these specific, explicitly defined purposes:
- Operate the service: create your account, authenticate logins, let you report sightings and view those of others.
- Communicate with you: deliver in-app and push notifications about sightings, comments and likes — only if you have opted in.
- Keep the service safe: detect abuse, prevent fraud, and enforce our Terms of Service.
- Improve the service: understand which features are being used (in aggregate; we do not look at individual user behaviour).
- Comply with law: respond to lawful requests from the South African Information Regulator, courts, or other competent authorities.
Supplying your information is voluntary. If you choose not to provide it you will not be able to create an account or use features that require sign-in.
5. Lawful basis for processing
POPIA requires a lawful basis to process personal information. We rely on:
- Your consent — when you register an account, opt in to push notifications, or upload a sighting / photo.
- Performance of a contract — to deliver the service you signed up for (s. 11(1)(b)).
- Our legitimate interests — to keep the service secure, detect abuse, and prevent misuse (s. 11(1)(f)).
- Legal obligation — where we are required to retain or disclose information by South African law.
7. Cross-border transfers
Some of the technical services we rely on (Google Maps, browser push gateways) are operated from outside South Africa. POPIA section 72 permits these transfers because:
- those providers are subject to laws / contracts that uphold an adequate level of protection, OR
- the transfer is necessary for the performance of the contract between you and us.
8. How long we keep your information
- Account data — for as long as your account exists. When you delete your account, your profile and email are removed within 30 days.
- Sightings & comments you posted — anonymised (your name replaced with “[deleted user]”) and retained as part of the community record, unless you specifically request their removal.
- Push subscriptions — removed immediately when you toggle off notifications on that device or delete your account.
- Server access logs — kept for up to 90 days for security and abuse detection, then permanently deleted.
9. Security safeguards
We implement appropriate, reasonable technical and organisational measures, including:
- Passwords stored only as bcrypt one-way hashes — we cannot recover your password and neither can anyone else.
- HTTPS / TLS encryption for all data in transit between your device and our servers.
- Push notification payloads encrypted with Web Push's end-to-end VAPID scheme.
- Authentication via signed, expiring JSON Web Tokens.
- Database access restricted to the application server with rotated credentials.
- Server-side input validation on all user-supplied data.
If we become aware of a security compromise that creates a real risk to your rights, we will notify you and the Information Regulator as required by POPIA section 22 — and explain what happened, what we are doing about it, and what you can do to protect yourself.
10. Your rights as a data subject
Under POPIA you have the right to:
- Be notified of what we collect (this policy).
- Access the personal information we hold about you — available in-app via Settings → Account → “Download my data”.
- Correct inaccurate information — edit your nickname, email and avatar in Settings → Account.
- Delete your account and the personal information attached to it — Settings → Account → “Delete my account”.
- Object to processing under section 11(3) of POPIA.
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with the Information Regulator (see section 14).
11. Children
Sardine Spotter is not directed at children under the age of 18. If we become aware that we have collected personal information from a child without the consent of a competent person, we will delete it. If you believe this has happened, please contact us at support@sardinewatch.co.za.
13. Changes to this policy
We may update this policy from time to time — for example, when we add new features or when the law changes. The date at the top of this page always shows when it was last updated. Material changes will be announced in-app before they take effect.
14. Contact & complaints
For any privacy question or to exercise a right above, contact our Information Officer at support@sardinewatch.co.za. We aim to respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the South African Information Regulator:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: enquiries@inforegulator.org.za
Complaints: POPIAComplaints@inforegulator.org.za
Web: inforegulator.org.za