Legal Document

Privacy Policy

Effective Date: 1 January 2025 Version: 1.0 Last Updated: January 2025

Introduction
Who We Are
What Information We Collect
How We Use Your Information
Who We Share Information With
How Long We Keep Your Information
Your Rights Under POPIA
Security Measures
Cookies
Contact & Complaints

1. Introduction

NutriTrack is a Software as a Service (SaaS) platform designed to facilitate the management and administration of the National School Nutrition Programme (NSNP) in South Africa. This Privacy Policy explains how Azania Digital Solutions (Pty) Ltd ("we", "us", "our", "the Company") collects, uses, stores, and protects personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA).

By registering for or using the NutriTrack platform, you confirm that you have read and understood this Privacy Policy. If you do not agree, you must not use the platform.

POPIA Compliance: We are registered with the Information Regulator of South Africa as a Responsible Party. All personal information is processed lawfully, fairly and in a transparent manner.

2. Who We Are

Company Name	Azania Digital Solutions (Pty) Ltd
Product	NutriTrack NSNP Management System
Information Officer	[To be appointed — required under POPIA s.55]
Email	privacy@nutritrack.co.za
Physical Address	[Company registered address]
Information Regulator Ref	[Registration reference upon filing]

3. What Information We Collect

3.1 School & Institutional Information

School name, EMIS number, district and circuit
School type, quintile classification and total enrolment
School postal and physical address
School telephone number and email address

3.2 Personal Information of Registered Users

Full name and job title
Email address and telephone number
Username (chosen by the user)
Password (stored in encrypted/hashed format — never in plain text)
Role within the system (school user, district admin, department)

3.3 Programme Data

Number of learners served per grade, per day and per month
Meal composition records (starch, protein, vegetables)
Food handler names, ID numbers and payment records
Stock levels and delivery records
NSNP budget and expenditure data
Monitoring visit scores and observations

3.4 System & Usage Data

Login timestamps and IP addresses
Form submission and edit history
Messages sent within the platform

Special Note on Learner Data: We collect aggregate learner numbers per grade and gender for NSNP reporting purposes. We do not collect the names, ID numbers or any directly identifying information of individual learners.

4. How We Use Your Information

We process personal information only for the following lawful purposes:

Purpose	Legal Basis (POPIA)
Providing access to the NutriTrack platform	Performance of a contract (s.11(1)(b))
Authenticating users and maintaining security	Legitimate interest (s.11(1)(f))
Enabling schools to submit NSNP forms and reports	Compliance with legal obligation (s.11(1)(c))
Enabling districts to review and approve submissions	Public interest / official authority (s.11(1)(e))
Generating programme statistics for the Department of Education	Public interest (s.11(1)(e))
Sending system notifications and support responses	Legitimate interest (s.11(1)(f))
Improving platform functionality	Legitimate interest (s.11(1)(f))

We do not sell, rent or trade personal information to third parties. We do not use personal information for direct marketing without explicit consent.

5. Who We Share Information With

5.1 Within the Platform

School users' names and school details are visible to their district administrators and to Department of Education officials with oversight access. This is a core function of the platform and a requirement of the NSNP programme.

5.2 Third-Party Processors

We use the following third-party service providers who process data on our behalf under Data Processing Agreements:

Provider	Purpose	Data Location
Hosting Provider (VPS)	Server infrastructure	South Africa (Johannesburg)
Let's Encrypt	SSL certificate issuance	USA (certificate metadata only)

5.3 Legal Disclosure

We may disclose personal information to law enforcement, regulatory authorities or courts where required by law, court order or to protect the rights, property or safety of our users or the public.

6. How Long We Keep Your Information

Data Type	Retention Period
User account information	Duration of account + 3 years after closure
NSNP form submissions and reports	7 years (aligned with government financial records requirements)
Messages and communications	3 years
System access logs	12 months
Food handler payment records	7 years (SARS requirements)

After the applicable retention period, personal information is securely deleted or anonymised.

7. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

📋 Right of Access

Request a copy of all personal information we hold about you.

✏️ Right to Correction

Request correction of inaccurate or incomplete information.

🗑️ Right to Deletion

Request deletion of your information, subject to legal retention requirements.

🚫 Right to Object

Object to processing of your information for specific purposes.

📦 Right to Portability

Receive your data in a structured, machine-readable format.

⚠️ Right to Complain

Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, contact us at privacy@nutritrack.co.za. We will respond within 30 days.

To lodge a complaint with the Information Regulator: inforeg@justice.gov.za | Tel: 010 023 5207

8. Security Measures

We implement the following security safeguards required under POPIA s.19:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS)
Password hashing: All passwords are hashed using bcrypt — we never store passwords in plain text
Role-based access control: Users can only access data appropriate to their role
Session management: Sessions expire after 8 hours of activity
Server security: Servers are hosted in South Africa and maintained with current security patches
Backup: Data is backed up regularly to prevent loss

Security Breach Notification: In the event of a security breach involving personal information, we will notify the Information Regulator and affected data subjects within 72 hours, as required by POPIA s.22.

9. Cookies

NutriTrack uses only a single session cookie (connect.sid) which is strictly necessary for maintaining your logged-in session. This cookie:

Contains no personal information — only a random session identifier
Expires when you close your browser or after 8 hours
Is marked HttpOnly and Secure — it cannot be accessed by JavaScript or transmitted over unencrypted connections

We do not use tracking cookies, advertising cookies or third-party analytics.

10. Contact & Complaints

Privacy enquiries	privacy@nutritrack.co.za
General support	support@nutritrack.co.za
Information Regulator (SA)	inforeg@justice.gov.za \| 010 023 5207
Information Regulator website	inforegulator.org.za

This Privacy Policy may be updated from time to time. We will notify registered users of material changes via the platform messaging system. Continued use of the platform after notification constitutes acceptance of the updated policy.