Privacy Policy

Effective Date: 2026-03-11

1. Introduction

MyProtektor ("we," "us," or "our") is a cloud-based security guard management platform operated by Mike Roth, Founder, Michael-Gaismayr-Strasse 52b, 6900 Bregenz, Austria, European Union. We are committed to protecting the privacy and personal information of every individual who uses our web application, mobile application, and related services (collectively, the "Service").

This Privacy Policy explains what information we collect, why we collect it, how we use and share it, how long we keep it, and what rights you have in relation to your personal data. It applies to all users of the Service regardless of their assigned role, including security firm owners, administrators, guards, clients, and lite-access users.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any aspect of this policy, you should discontinue use of the Service.

2. What Data We Collect

We collect several categories of information depending on how you interact with the Service and which role you hold within your organisation.

2.1 Personal Identification Data

When you register for an account or are invited to join an organisation, we collect:

• Identity Information: Your full name, email address, phone number, and profile photograph
• Organisation Details: The name of your security company or the organisation you belong to, your role or position, and your assigned platform role
• Authentication Credentials: Your password (stored in hashed form, never in plain text), multi-factor authentication enrolment data, and linked social sign-in identifiers (Google, Apple)
• Billing Information: For account owners, the billing name, payment method details (processed and stored by Stripe, not retained on our servers), subscription plan selection, and transaction history

2.2 Location and GPS Data

Location data is central to the security management functions of our Service. We collect:

• Real-Time Guard Positions: GPS coordinates transmitted from the mobile devices of on-duty guards at regular intervals to enable live tracking on the dashboard
• Incident Location Data: The geographic coordinates captured automatically when an incident report is created or a panic alert is triggered
• Patrol Route Data: GPS traces recorded during guard patrols to verify route completion and checkpoint attendance
• Property Addresses: Physical addresses of sites, properties, and locations managed within the Service for mapping and geofencing purposes

Location tracking on the mobile application can be controlled through your device's operating system settings. However, disabling location services may prevent certain core features from functioning correctly.

2.3 Security and Incident Data

The primary function of our Service is security incident management. We collect:

• Incident Reports: Written descriptions, severity classifications, resolution statuses, assigned personnel, review notes, and publication history
• Photographic and Video Evidence: Images and videos captured by guards and attached to incident reports as evidentiary records
• Patrol Verification Records: QR code scan logs including the checkpoint identifier, timestamp, guard identity, and GPS coordinates at the time of scan
• Panic Alert Records: Emergency activation events including the timestamp, sender identity, GPS coordinates, and alert acknowledgment times
• Access Control Logs: Records of site access events if the access control module is enabled for your organisation

2.4 Device and Technical Data

We automatically collect technical data when you use the Service:

• Device Information: Device manufacturer and model, operating system name and version, unique device identifiers, and push notification tokens
• Browser Information: Browser type and version, screen resolution, and language preference (web application users)
• Network Information: IP address, internet service provider, and general geographic region derived from IP data
• Usage Telemetry: Features accessed, screens viewed, actions performed, session duration, and interaction patterns
• Error and Crash Reports: Application error logs, crash stack traces, and performance diagnostic data used to identify and resolve technical issues

3. Why We Collect Your Data

We process your personal data for specific, legitimate purposes directly related to operating and improving the Service:

3.1 Delivering the Service

• Authenticating your identity and managing your user session
• Enforcing role-based permissions so you see only the features and data appropriate to your access level
• Processing and displaying incident reports, patrol data, and emergency alerts
• Rendering map views with guard locations, incident markers, and patrol routes
• Sending push notifications for security alerts, incident updates, and emergency activations
• Processing subscription payments and managing your billing lifecycle

3.2 Safety and Security

• Forwarding panic alert notifications with GPS coordinates to designated personnel
• Monitoring for fraudulent activity, unauthorised access, and platform abuse
• Maintaining audit trails for accountability and regulatory compliance
• Protecting the integrity and availability of the Service infrastructure

3.3 Improvement and Analytics

• Analysing usage patterns to understand which features are most valuable and where improvements are needed
• Diagnosing technical issues and optimising application performance
• Conducting aggregated, anonymised research to improve security industry practices

3.4 Communication

• Sending transactional emails related to your account, subscription, or security operations
• Delivering product announcements, feature updates, and platform news (with your consent where required)
• Responding to your support requests and enquiries

4. Legal Basis for Processing (POPIA)

As a platform primarily serving users in South Africa, we process personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA). Our legal bases for processing are:

• Consent: Where you have given clear, informed consent to the processing of your data for a specified purpose, such as enabling location tracking or receiving marketing communications
• Contract Performance: Where processing is necessary to fulfil our obligations under the service agreement with you, such as managing your account, processing payments, and delivering the features you subscribe to
• Legitimate Interest: Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights, such as improving the Service, preventing fraud, and ensuring platform security
• Legal Obligation: Where processing is required to comply with a legal duty, such as retaining financial records for tax purposes or responding to lawful requests from authorities
• Vital Interest: Where processing is necessary to protect the life or physical safety of a person, such as transmitting GPS coordinates during a panic alert

5. Who We Share Your Data With

We do not sell your personal information to third parties. We share data only in the following limited circumstances:

5.1 Within Your Organisation

Data you generate within the Service, such as incident reports, patrol records, and location data, is visible to other members of your organisation according to the role-based permission hierarchy. For example, Admins and Owners can see guard locations and incident details, while Clients see only published incident summaries for their assigned properties.

5.2 Service Providers

We engage trusted third-party providers who process data on our behalf under strict contractual obligations:

• Cloud infrastructure providers: Cloud infrastructure, authentication services, real-time databases, file storage, and serverless processing
• Mapping providers: Map rendering, geocoding, and geolocation services
• Payment providers: Secure payment processing, subscription management, and billing
• Mobile messaging providers: Push notification delivery to mobile devices
• Monitoring providers: Application error monitoring and crash reporting
• Web hosting and delivery providers: Web application hosting, content delivery, and web analytics
• Communication providers: SMS delivery for notifications and transactional email delivery
• Abuse prevention providers: Rate limiting services (including hashed identifiers)
• Analytics and marketing providers: Anonymised usage analytics, tag management, and conversion tracking
• Device integrity providers: Authentication, device attestation, and platform integrity verification
• Affiliate tracking providers: Affiliate programme tracking and commission management

5.3 Legal and Regulatory Disclosures

• When required by law, regulation, legal process, or enforceable governmental request
• When necessary to protect the rights, property, or safety of MyProtektor, our users, or the public
• When needed to detect, prevent, or address fraud, security issues, or technical problems
• In connection with a merger, acquisition, or sale of assets, in which case you will be notified of any change in ownership or control of your personal data

5.4 Emergency Situations

When a panic alert is triggered, we may share the sender's name, phone number, and GPS coordinates with designated emergency contacts and responding security personnel within your organisation. This sharing is based on the vital interest legal basis and the urgent need to protect life and safety.

6. Data Security Measures

We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

6.1 Technical Safeguards

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Encryption at Rest: Stored data is encrypted using AES-256 encryption on enterprise-grade cloud infrastructure
• Authentication Security: Passwords are hashed using industry-standard algorithms and are never stored in plain text. Multi-factor authentication is available and encouraged for all accounts
• Cryptographic Signatures: QR patrol codes are signed using Ed25519 public-key cryptography to prevent forgery
• Access Controls: Role-based access control is enforced at both the application level and the database level through server-side security rules

6.2 Organisational Safeguards

• Access to personal data is restricted to authorised personnel on a need-to-know basis
• Security incident response procedures are documented and regularly tested
• Infrastructure is hosted in data centres that hold internationally recognised security certifications

7. Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law:

• Account Data: Retained for the duration of your active account. After account deletion, a 90-day recovery period applies during which you may reactivate your account. After the recovery period, personal identification data is removed, except where legally required to be kept longer
• Incident Reports: Retained for a minimum of 7 years to satisfy legal, insurance, and regulatory requirements in the security industry
• Patrol and GPS Data: Real-time location data is retained for 30 days. Historical patrol records are retained for up to 3 years for operational review, compliance reporting, and trend analysis
• Financial and Billing Records: Retained for 7 years in accordance with South African tax and financial record-keeping laws
• Access and Audit Logs: Retained for 12 months for security monitoring and forensic purposes
• Push Notification Tokens: Retained while active and automatically deleted when a device is unregistered or a token becomes invalid
• Inactive Accounts: Accounts with no login activity for 24 consecutive months may be flagged for deletion. We will notify you before any deletion occurs

8. Your Rights

Under POPIA and other applicable data protection laws, you have the following rights in relation to your personal data:

8.1 Right of Access

You have the right to request confirmation of whether we hold personal data about you and to obtain a copy of that data. We will respond to access requests within a reasonable period, not exceeding 30 days.

8.2 Right to Correction

You have the right to request that we correct or update any personal data that is inaccurate, incomplete, or misleading. You can update most account information directly through your profile settings.

8.3 Right to Deletion

You have the right to request the deletion of your personal data, subject to any legal obligations that require us to retain certain records. Upon receiving a valid deletion request, we will remove your personal data within 30 days, except for data we are legally obligated to retain.

8.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. The Service provides data export features that allow you to download your incident reports, patrol records, and other operational data in CSV or PDF formats.

8.5 Right to Object

You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. Upon receiving your objection, we will assess whether our legitimate interest overrides your rights and will inform you of the outcome.

8.6 Right to Restriction

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where the accuracy of the data is contested or where you have objected to the processing pending verification of our legitimate grounds.

8.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

8.8 Exercising Your Rights

To exercise any of these rights, please contact us using the details provided in Section 13. We may need to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

9. International Data Transfers

MyProtektor primarily stores and processes data within infrastructure operated by Google Cloud Platform. While our primary data processing occurs in regions selected to serve Southern Africa, some data may be transferred to and processed in other countries where our service providers maintain infrastructure.

When personal data is transferred outside of South Africa, we ensure that appropriate safeguards are in place, including:

• Contractual obligations requiring recipients to protect data to standards equivalent to those provided by POPIA
• Ensuring recipients operate in jurisdictions that provide an adequate level of data protection
• Implementing supplementary technical measures such as encryption to protect data during transfer

10. Children's Privacy

MyProtektor is designed for professional security operations and is intended for use by adults. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided us with personal data without parental or guardian consent, we will take steps to delete that information promptly. If you believe that a child has provided us with personal data, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

• Update the "Effective Date" at the top of this document
• Send an email notification to all registered account holders
• Display a notice within the Service interface
• Publish the updated policy on our website

We encourage you to review this policy periodically. Your continued use of the Service after a revised policy becomes effective constitutes your acceptance of the changes.

12. Regulatory Authority

If you believe that your personal information has been processed in violation of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:

We encourage you to contact us first so that we may address your concerns directly before escalating to the regulator.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your personal information is handled, please contact us: