Privacy Policy

Last updated: 10 May 2026

1. Who we are

DA Activity Tracker (the "App") is operated independently and is not officially affiliated with or endorsed by the Democratic Alliance political party. This Privacy Policy explains how we collect, use, and protect your personal information in compliance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa.

For the purposes of POPIA, the operator of the App is the Responsible Party for the limited personal information we collect on our authentication servers.

2. Information we collect

2.1 Information stored on your device only

The following information is created and stored entirely on your phone in a local SQLite database. It is not transmitted to our servers or anywhere else:

• Photos taken via the in-app camera or selected from your gallery to document activities.
• Location data — GPS coordinates and reverse-geocoded addresses captured when you log an activity (only with your permission).
• Activity data — titles, descriptions, categories, and dates you enter for each logged activity.
• App preferences — your PIN (stored as a one-way hash), biometric setting, and other in-app settings.

2.2 Information stored on our servers

The following limited information is stored on our authentication provider (Supabase, see Section 6) so that you can sign in across devices and so we can verify your identity:

• Email address (used as your sign-in identifier)
• Phone number (collected for record-keeping and future features such as SMS notifications — never sold or shared)
• Password (stored as a salted, irreversible hash by our authentication provider — we cannot read your password)
• Account metadata (account creation date, last sign-in timestamp)

2.3 Information stored on our cloud backup (Premium only)

When you have an active Premium subscription, the following data is also synced to our private cloud backup so you can switch devices without losing your work:

• Activity rows — title, description, category, GPS, address, date, and timestamps.
• Compressed activity photos — both the original and the watermarked version, downscaled to a maximum 1280-pixel longest edge as JPEG.
• Subscription record — your billing state, current period end, and the unique identifier and human-readable name of the device currently authorised to sync. Subscription is single-device: signing in on a new phone prompts you to switch, and confirms only after explicit confirmation.

Cloud-synced data is hosted by Supabase (in the EU region) and routed through PowerSync Cloud. See Section 6.

3. How we use your information

Your information is used solely to:

• Let you record and track your DA-related activities on your own device.
• Generate proof-of-attendance PDF documents that you can share or hand to your branch.
• Display your activity locations on an in-app map.
• Authenticate you when you sign in to the App.
• Send you a one-time verification code at sign-up.

We do not use your data for advertising, profiling, analytics, marketing, or sale to any third party.

4. Permissions we request

• Camera — to take photos of your activities. You can decline; in that case you can still upload existing photos from your gallery.
• Photo Library — to let you select existing photos to attach to an activity.
• Location (When In Use) — to GPS-tag your activities at the moment you log them. You can decline; in that case activities will be saved without coordinates.
• Face ID / Touch ID — only used to unlock the App if you enable biometric unlock. The biometric data never leaves your device.

5. Data retention

Your activity data, photos, and location data are kept on your device for as long as you keep the App installed. Uninstalling the App will delete this data permanently from your device.

Your account information (email, phone, hashed password) is kept on our authentication servers until you delete your account. When you delete your account from inside the App (Settings → Delete Account), your record is permanently and immediately removed from our authentication servers.

Premium cloud backup: when your Premium subscription ends — whether by cancellation, expiration, or non-renewal — every cloud-backed activity row and photo we hold for you is hard-deleted within minutes of the period end. Your local copy on the device is unaffected. Re-subscribing creates a fresh cloud copy from your device.

6. Third-party services we use

We use a small number of trusted third-party services to operate the App. Each is bound by their own privacy obligations:

• Supabase — handles user authentication and (for Premium) cloud backup of activities and photos. Stores your email, phone, hashed password, and Premium activity data. Hosted in the EU. Privacy policy.
• PowerSync Cloud — sync engine for Premium. Routes data between your device and Supabase. Stores no user data of its own. Privacy policy.
• RevenueCat — handles Premium subscription billing and entitlement state. Bound to your Apple ID or Google account; we never see your card details. Privacy policy.
• Resend — delivers the one-time verification code email at sign-up. Receives only your email address and the code itself. Privacy policy.
• Sentry — anonymous crash reporting. When the app encounters an error, an anonymous report is sent containing the error details, device type, and OS version. No personal information, photos, activity data, or location data is included in crash reports. All text and images in error replays are masked. Privacy policy.
• Apple App Store / Google Play — distribute the App. They may collect aggregate download statistics.

We do not use any analytics, advertising, or tracking SDKs.

7. Your rights under POPIA

As a data subject under POPIA, you have the following rights regarding the personal information we hold about you:

• Right of access — you may request confirmation of what personal information we hold about you.
• Right to correction — you may ask us to correct inaccurate or incomplete personal information.
• Right to deletion — you may delete your account at any time directly inside the App (Settings → Delete Account), which removes your record from our servers permanently.
• Right to object — you may object to the processing of your personal information.
• Right to lodge a complaint — you may lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za).

8. Children's privacy

The App is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. Security

We take reasonable technical and organisational measures to protect your personal information:

• All data on our authentication servers is encrypted in transit (TLS) and at rest.
• Passwords are hashed using industry-standard one-way hashing — even we cannot read them.
• Local data on your device can be optionally protected with a PIN and biometric lock.
• Your PIN is stored as a one-way hash on your device — it never leaves your phone.

Despite these measures, no system is completely secure. You are responsible for keeping your sign-in credentials and device safe.

10. International data transfers

Our authentication and email-delivery providers may store your information on servers located outside South Africa (typically in the EU or US). By using the App, you consent to this transfer. Both providers comply with GDPR and equivalent data protection standards that meet POPIA's cross-border transfer requirements.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the App and an updated "Last updated" date will appear at the top of this page. Continued use of the App after changes take effect constitutes acceptance of the updated policy.

12. Contact us

If you have questions about this Privacy Policy or wish to exercise any of your rights under POPIA, you can reach us at:

• Email: privacy@myda.co.za
• Website: myda.co.za