Privacy Policy
1. Who is responsible
Two parties are involved when a team member's personal information is processed on itemtrack:
- The business using itemtrack — the Responsible Party under POPIA. They decide who gets a login, which items are tracked, and why.
- Ironsyde (Pty) Ltd ("itemtrack", "we", "us") — the Operator under POPIA. We process the data only on the business's instructions.
If you are a team member and have questions about your data, ask your employer first — they control it. If you don't get a satisfactory answer, contact us through our contact form.
2. What we collect
From the businesses using us
- Name, email, phone, and company name at signup.
- Billing details when you subscribe to a paid plan — processed by our payments provider (see section 6); we do not store your full card number.
- Usage and audit logs (which dashboard pages were visited, from which IP) for troubleshooting and security.
From team members added to a workspace
- Name, email, and phone number (entered by an admin, or by the team member during mobile sign-in).
- A one-time PIN (OTP) sent by SMS to verify a phone number at sign-in, and a device key stored on their paired device.
- Scan events: each time a team member scans an item, we record the item, the time, the location (GPS) of the device at that moment, an optional photo of the item, and which team member performed the scan.
The GPS location and photo are captured to give the business an accurate, auditable record of where an asset was and who handled it — they are personal information about the team member who performed the scan, and we treat them as such.
3. Why we collect it
- To let the business track its assets accurately — what exists, where it is, who has it, and its condition.
- To run inspections, reconciliations, and exports, and to sync to third-party systems (ERPs) where the business configures a connector.
- To send operational notifications (job assignments, reminders) by email, SMS, or push.
- To keep the service secure (rate-limiting, audit logs, abuse detection) and to bill paid subscriptions.
We do not use your data for advertising profiling, and we do not use it to train our own or anyone else's AI models.
4. Lawful basis
- For the business: the subscription agreement (a contractual basis).
- For team members: the business is the Responsible Party and is responsible for having a lawful basis — typically the employment relationship and legitimate operational interest in knowing where its assets are. The business must tell its team members what is collected (including location and photos on scans) as required by POPIA section 18.
5. Where data lives
- Account records, items, locations, scan events, and inspection data live in PostgreSQL. Each tenant gets an isolated database — there is no shared-table multi-tenancy, and one tenant's queries can never reach another's data.
- Scan and item photos live in encrypted-at-rest object storage, in a private container namespaced per tenant.
- Our primary database and application hosting are in South Africa.
- Some of the supporting services in section 6 — email delivery, push notifications, and the optional AI inspection assistant — are operated by reputable international providers and may process limited data outside South Africa. See section 9 on cross-border processing.
6. Who we share it with
We share data only with the sub-processors needed to run the service:
- Cloud hosting & encrypted object storage — application servers and item/scan photo storage (South Africa).
- Transactional email provider — signup, password reset, invites, and operational email.
- SMS provider — one-time sign-in PINs and job notifications to team members.
- Push-notification provider — Google Firebase Cloud Messaging, for app notifications.
- Subscription payments provider — PayFast, a South African payment gateway, processes subscription card payments when paid plans are enabled. Card details are entered on the provider's secure systems; we receive only a token and the transaction result.
- AI inspection assistant — where a tenant uses the optional AI step-builder to draft inspection checklists, the text you enter is sent to a third-party large-language-model provider to generate the draft. We do not send it your scan photos, locations, or team-member records, and the provider does not train its models on it.
- ERP / third-party integrations of your choosing — only where the business explicitly connects them; data flows only to the system you configured.
We don't sell your data. We don't share it with data brokers or advertising networks. We use a small number of named vendors within each category above; on reasonable written request from a customer with a legitimate compliance reason, we'll share the current named list under NDA.
7. Marketing site, cookies, and ad measurement
- The app (dashboard and mobile API) uses cookies strictly for authentication and CSRF protection. No third-party tracking runs on any authenticated page.
- The public marketing site (itemtrack.co.za) sets a first-party cookie to keep your session consistent and to assign a landing-page A/B-test variant. We record first-party analytics — pages viewed, referrer, and the campaign tags (UTM parameters) on the link you arrived from — to understand which marketing works.
- Ad measurement. If you arrive from a Google or Meta ad, we capture the ad click identifier (such as gclid) so that, if you later sign up, we can tell the ad platform the campaign worked. This conversion measurement uses hashed (not plain-text) contact details. It runs only on the public site and the signup flow — never inside the app.
8. How long we keep it, and deletion
- While you're a customer: we keep your tenant data for as long as your workspace is active, so the service works.
- Self-serve deletion: an admin can delete items, team members, and other records directly in the app at any time. Deleting a team member removes their personal details from the active workspace; historical scan events may retain a reference for the business's own audit trail until the business deletes them.
- Account closure: when a workspace is closed, its database and photos are removed from active systems. Copies in encrypted backups roll off automatically within our standard backup-retention cycle, after which they are gone.
- Logs: security and audit logs are kept for a limited period for troubleshooting and abuse detection, then rotated out.
9. Cross-border processing
Our core data (your databases and photos) is hosted in South Africa. A few supporting providers — transactional email, push notifications (Google Firebase), and the optional AI inspection assistant — may process limited data on servers outside South Africa. Where that happens, POPIA section 72 permits the transfer because the recipient is bound by laws or agreements that provide an adequate level of protection comparable to POPIA, and/or the transfer is necessary to perform the service you asked for. We keep the categories of data sent abroad to the minimum needed to deliver each feature.
10. Your rights
Under POPIA, any data subject can:
- Ask what personal information we hold about them.
- Correct information that is inaccurate.
- Have information deleted, where lawful to do so.
- Object to processing.
- Lodge a complaint with the Information Regulator — inforegulator.org.za.
Team members should raise requests with their employer (the Responsible Party) first. To raise anything directly with us, use our contact form and mark your message "POPIA request". We respond within 30 days.
11. Security
- Encryption in transit (HTTPS/TLS) and at rest.
- Passwords and device API keys stored as bcrypt hashes — never in plain text.
- Per-tenant database isolation; cross-tenant access is structurally impossible.
- Connector secrets and OAuth tokens encrypted at rest with a dedicated key.
- Audit logs of admin actions and failed sign-ins.
12. Breach notification
If we become aware of a security compromise affecting your personal information, we'll notify you by email as soon as we reasonably can, with the detail you need to meet your own obligations to affected data subjects and to the Information Regulator under POPIA section 22.
13. Children
itemtrack is workplace software, not intended for anyone under 18. If you believe we've collected a minor's information, contact us and we'll delete it.
14. Changes to this policy
We'll update this policy as the product evolves. Material changes are emailed to the primary account holder. The "last updated" date at the top reflects the most recent revision.
15. Contact & Information Officer
- Privacy questions and POPIA requests: via our contact form.
- Our Information Officer: Gareth De Bruyn, reachable through the contact form above.
- Registered entity: Ironsyde (Pty) Ltd, registration number 2026/025235/07, Cape Town, South Africa.