Privacy Policy for Vul Indlela

Last Updated: 24 June 2025

1. Introduction and Who We Are

Welcome to Vul Indlela. This Privacy Policy outlines how MyWio (PTY) Ltd ("we," "us," or "our") collects, uses, processes, and protects your Personal Information when you use the Vul Indlela mobile application (the "App").

We are committed to protecting your privacy and ensuring that your Personal Information is processed in a responsible and lawful manner, in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"). This policy explains your rights regarding your data and how you can exercise them.

By downloading, accessing, or using the App, you signify that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this policy, please do not use the App.

2. What Personal Information We Collect

"Personal Information" refers to any information that can identify a living person or an existing juristic person, as defined by POPIA. We collect the following categories of information:

2.1. Information You Provide to Us:

• Account Information:
  • Anonymous Account: When you first use the App, we create a permanent, anonymous user account linked to a unique User ID (UID) using Firebase Authentication. No directly identifiable information is required for this.
  • Optional Account Upgrade: You have the option to upgrade your account by linking it to a more permanent account. When you do so, your email address is stored securely by Firebase Authentication.
• Issue-Specific Information:
  • Issue Details: When you log an issue, you provide the issue type (e.g., pothole, water leak), specific details (e.g., pothole size), and any optional comments you choose to add.

2.2. Information We Collect Automatically:

• Location Data: We collect the precise GPS coordinates (latitude and longitude) at the moment you log an issue. This information pertains to the location of the infrastructure issue you are reporting, not your personal, ongoing location. The App will request your permission before accessing your device's location to capture this information. We also generate an estimated street address from these coordinates using a geocoding service.
• Technical and Usage Data:
  • Timestamps: We automatically record the creation and submission times for each issue logged.
  • Analytics Data (Opt-Out Available): If enabled by you, we collect standard analytics data through Firebase Analytics. This includes device type, operating system version, session duration, and user interaction events (e.g., issue_logged).
  • Crashlytics Data: To diagnose and fix app crashes, we automatically collect crash reports via Firebase Crashlytics, which include device state, OS version, and stack traces.
  • Push Notification Token (FCM Token): A unique, anonymous token for your device is generated and stored to enable push notifications. The App will request your permission before sending notifications.
  • Advertising ID: We use your device's anonymous advertising ID to serve advertisements through Google AdMob.

3. How and Why We Use Your Information (Purpose of Processing)

We are committed to the principle of "Purpose Specification" under POPIA, meaning we only process your data for specific, explicitly defined, and lawful purposes.

• To Provide Core Functionality: We use your Account and Issue Information to allow you to create, manage, and view your submitted infrastructure reports within the App.
• To Report Issues to Municipalities: The primary purpose of collecting Issue and Location Data is to consolidate and forward it to the relevant municipal or government agencies to facilitate repairs and action.
• To Improve the App: We use anonymized Analytics and Crashlytics data to understand usage patterns, identify technical issues, and improve the App's stability, features, and user experience.
• To Communicate With You: We use your FCM Token to send you push notifications related to your submitted issues (e.g., draft reminders).
• To Monetize the App: We use your device's Advertising ID to display advertisements via Google AdMob, which supports the App's operational costs.

4. Legal Basis for Processing Your Information

We rely on the following legal grounds under POPIA to process your Personal Information:

• Consent: We process most of your Personal Information based on your voluntary, specific, and informed consent. You provide this consent when you agree to this Privacy Policy, grant location and notification permissions, and choose to log an issue or upgrade your account. You can withdraw your consent for certain processing activities at any time (see Section 9).
• Legitimate Interest: We process technical data for crash reporting (Crashlytics) based on our legitimate interest in maintaining a stable and functional application for our users.

5. Disclosure and Sharing of Your Information

We do not sell your Personal Information. However, to provide our service, we share your information with the following categories of third parties:

• Municipal and Government Agencies: We share your Issue-Specific Data and the specific location coordinates of the reported issue with the relevant local authorities responsible for public infrastructure.
• Third-Party Service Providers (Operators): We use trusted third-party services that process data on our behalf. We have agreements in place to ensure they protect your information. These include:
  • Google Firebase: Our core platform for backend services. This includes Firestore (data storage), Firebase Authentication (user identity), Cloud Functions (backend logic), Firebase Cloud Messaging (push notifications), Firebase Analytics, and Crashlytics.
  • Mailgun: Our email service provider used to send issue reports to municipalities. Issue data passes through their servers.
  • Google AdMob: Our advertising provider, which uses your device's Advertising ID.
  • Geocoding Services: The native geocoding service on your device's operating system (e.g., Google on Android) is used to derive street addresses from GPS coordinates.
  • OpenStreetMap: Provides map tiles for the in-app history map. This involves standard internet requests from your device.

6. Cross-Border Information Transfers

Our third-party service providers, such as Google Firebase and Mailgun, may have servers located outside of the Republic of South Africa. Therefore, your Personal Information may be transferred to and stored in other countries. We will only transfer your data to countries that have an adequate level of data protection laws or where the service provider has committed to binding agreements or corporate rules that ensure your information is protected to a standard similar to POPIA.

7. Data Security

We are committed to protecting the integrity and confidentiality of your Personal Information. We take appropriate and reasonable technical and organizational measures to prevent unauthorized access, loss, or damage to your data. These measures include:

• Using secure cloud infrastructure provided by Google Firebase.
• Implementing access controls to our data systems.
• Using encryption for data in transit (SSL/TLS).

While we take all reasonable steps, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify both the Information Regulator and affected data subjects as soon as reasonably possible.

8. Data Retention

We will only retain your Personal Information for as long as is necessary to fulfill the purposes for which it was collected, or as long as your account remains active. If you use the "Delete My Data" feature, your information will be permanently erased from our systems, unless we are required by law to retain it for a specific period.

9. Your Rights as a Data Subject

Under POPIA, you have the right to:

• Be Notified: To be notified that your Personal Information is being collected and if a data breach occurs.
• Access Your Information: To request a copy of the Personal Information we hold about you.
• Correct or Delete Your Information: To request the correction of inaccurate information or the deletion of your data. You can exercise this right directly in the App by:
  • Editing any issue with a "draft" status.
  • Deleting individual "draft" issues.
  • Using the "Delete My Data" feature in the Account screen to permanently delete your entire account and all associated data.
• Object to Processing: To object to the processing of your Personal Information on reasonable grounds. You can exercise this right by using the in-app toggle to disable Firebase Analytics collection.
• Withdraw Consent: To withdraw your consent at any time. You can manage App permissions (like location and notifications) through your device's operating system settings.
• Complain to the Regulator: To lodge a complaint with the Information Regulator of South Africa if you believe your rights have been infringed.

To exercise any of these rights formally, or for any queries, please contact our Information Officer at the details provided in Section 12. We will require you to verify your identity before processing such requests.

10. Children's Privacy

The Vul Indlela App is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Information from children. If we become aware that we have inadvertently collected such data, we will take steps to delete it immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of any material changes by posting the new policy within the App or through other communication channels. You are advised to review this policy periodically.

12. Contact Us / Information Officer

The appointment of an Information Officer is a mandatory requirement under POPIA to act as the point of contact for data subjects and the Regulator.

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact our designated Information Officer:

• Company: MyWio (PTY) Ltd
• Information Officer: Bjorn Bergmann
• Email: privacy@myw.io

You have the right to lodge a complaint with the Information Regulator of South Africa:

• Website: https://inforegulator.org.za/
• Email: POPIAComplaints@inforegulator.org.za