Tsamaya is a navigation app for South African metros that suggests driving routes which avoid areas and roads with elevated, statistically derived risk. This policy explains what personal information we process, why, and your rights under the Protection of Personal Information Act, 2013 (POPIA).
- Your location is used on your device to show the map and calculate routes. Route requests send coordinates only to our mapping provider — never your name or an account identity.
- We run no user accounts for drivers, no advertising, no sale of personal information, and no tracking across other apps.
- Saved places (like Home and Work) are stored only on your device. We cannot see them.
- We keep no server-side history of where you are or where you go.
- If you choose to send a report or feedback, we store what you submit (and your email only if you choose to provide it) — see “User reports and feedback” below.
1. Information we process, and why
| Information | Where it goes | Purpose | Lawful basis (POPIA s11) |
|---|---|---|---|
| Precise device location (while using the app) | Processed on-device; sent as bare coordinates to Mapbox (our mapping provider) when you request a route, search, or reverse-geocode | Show your position; calculate routes from where you are | Consent (the iOS location permission you grant) and our legitimate interest in providing the service you request |
| Destination searches and route endpoints | Mapbox Geocoding/Directions APIs (coordinates and search text only) | Find places; build the route | Performance of the service you request |
| Saved places (Home, Work, favourites), settings, onboarding state | Your device only (local app storage) | Convenience features | Consent |
| Technical request metadata (IP address, basic device info) | Our service providers (Mapbox; Supabase, which hosts our public zone/corridor dataset) receive standard network metadata when the app calls them | Operating and securing the services | Legitimate interest |
| Reviewer account email (admin/editor users only — not drivers) | Supabase authentication | Restricting data-editing tools to authorised reviewers | Performance of contract |
| Reports and feedback you choose to submit (see section 3) | Supabase (our hosted database) | Reviewing and improving the risk dataset and the app | Consent (you tap Send) |
We do not process: names, contact lists, payment details, advertising identifiers, or background location when the app is closed.
2. What we deliberately do not do
- No server-side storage of your location or trip history.
- No advertising or ad-tech SDKs.
- No sale or sharing of personal information for marketing.
- No profiling or automated decision-making about you.
3. User reports and feedback
The beta lets you suggest updates to risk areas, rate trips, and send feedback or bug reports — all without an account. When you submit a report we store:
- your selections — the risk tier you suggest, the kinds of incident you select, and the timing you choose;
- whatever you type in the note or message field — please do not include personal information about yourself or others;
- the area or road the report concerns, the time band, and the app version;
- a random installation identifier generated on your device — used only to spot duplicate or abusive submissions; it is not an account and identifies the installation, not you;
- your email address only if you choose to provide it, used only to reply to that report.
Post-trip ratings store only coarse trip statistics (such as a distance bucket, the time band, and whether a reroute happened) — never your start or end locations.
Reports are suggestions for human review; they never change the live dataset automatically. They are retained until reviewed and actioned, and are deletable on request via the contact address below.
4. Crash reporting and analytics
The app currently ships without crash reporting or product analytics. If we add a crash-reporting tool to improve stability, it would process technical crash data (device model, OS version, stack traces) and we will update this policy and the app’s privacy labels before enabling it.
5. Third-party processors
| Provider | Role | Data touched |
|---|---|---|
| Mapbox, Inc. (USA) | Map tiles, geocoding, routing | Coordinates, search text, IP, device metadata — see Mapbox’s privacy policy |
| Supabase (cloud hosting) | Hosts our public risk-zone dataset, user reports, and reviewer authentication | IP/request metadata; report contents (incl. optional emails); reviewer emails (admins only) |
| Apple Inc. | App distribution (App Store, TestFlight) | Per Apple’s terms |
These providers process data outside South Africa. POPIA s72 permits cross-border transfers where the recipient is bound by adequate protection; our providers are bound by their published data-protection terms.
6. Retention
- Location, searches, routes: not retained by us server-side. Transient processing only.
- On-device data (saved places, settings): retained until you delete it or uninstall the app.
- User reports and feedback: retained until reviewed and actioned; deletable on request via the contact address.
- Reviewer accounts: retained while the reviewer is authorised.
7. Security
Transport encryption (HTTPS/TLS) on all network calls; row-level security on our hosted dataset. The only personal information drivers can send us is what they choose to put in a report (an optional note and email); reports are stored under insert-only access rules — the app’s public key cannot read them back. No system is perfectly secure, and we cannot guarantee absolute security.
8. Your rights (POPIA)
You may request access to, correction of, or deletion of personal information we hold; object to processing; or complain to the Information Regulator (South Africa) — inforegulator.org.za, complaints.IR@inforegulator.org.za. Because we hold almost no personal information about drivers, most requests will be satisfiable by confirming we hold nothing beyond what is on your device.
To exercise any right: info@tsamayaapp.co.za. We respond within a reasonable time and at most within the periods POPIA prescribes.
9. Children
Tsamaya is a driving app and is not directed at children under 18. We do not knowingly process children’s personal information.
10. Safety-data is not personal data — but a note on it
The risk zones and road classifications shown in the app are derived from public, aggregated sources (including SAPS crime statistics and OpenStreetMap) plus curated review. They describe areas, never individuals, and contain no personal information.
11. Changes
We will post changes here and update the effective date. Material changes will be flagged in the app.