Privacy Policy
Effective date: 13 May 2026 | POPIA Compliant
Information Officer: info@vehiclecare.co.za
Summary: VehicleCare respects your privacy. We only collect the personal information necessary to provide our vehicle maintenance services. We do not sell your data. We process all information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). This policy explains what we collect, why we collect it, how we protect it, and your rights under South African law.
1. Who We Are
VehicleCare (Pty) Ltd ("VehicleCare", "we", "us", "our") is a South African company registered in Johannesburg, Gauteng. We operate the VehicleCare mobile application and website (collectively, the "Services").
Information Officer: The person responsible for ensuring POPIA compliance within our organisation. Contact: info@vehiclecare.co.za
Deputy Information Officer: info@vehiclecare.co.za
2. What Personal Information We Collect
Under POPIA, "personal information" means information relating to an identifiable, living natural person or juristic person. We collect the following categories:
2.1. Account Information
- Full name and surname
- Email address
- Mobile phone number
- Encrypted password (we cannot see your actual password)
- Profile picture (optional)
2.2. Vehicle Information
- Vehicle make, model, year, and registration number
- Current odometer reading and daily average kilometres
- VIN number (optional, for parts compatibility)
- Service history and maintenance records
- Wear item status and replacement dates
- Photographs of vehicle condition or documents (optional)
2.3. Compliance Document Information
- License disk expiry date
- Driver's license expiry date and card number
- Roadworthy certificate number and expiry date
- Professional Driving Permit (PrDP) details and expiry
- Insurance policy number, provider, and renewal date
2.4. Usage & Technical Information
- IP address and approximate geolocation (city-level, for fraud prevention)
- Device type, operating system, and browser information
- App usage patterns and feature interactions
- Crash logs and error reports (anonymised where possible)
- Cookies and similar tracking technologies (see Section 8)
2.5. Payment Information
- We do not store your full credit card or banking details
- Payment processing is handled by PayFast (Pty) Ltd, a PCI-DSS compliant provider
- We retain transaction references, amounts, dates, and payment status only
3. How We Collect Personal Information
3.1. Directly from you: When you register an account, add a vehicle, log a service, upload a document, or contact support.
3.2. Automatically: Through cookies, server logs, analytics tools, and app telemetry when you use the Services.
3.3. From third parties: We do not purchase personal information from data brokers. We may receive limited information from payment processors (PayFast) to confirm transactions.
4. Purpose of Processing (Lawful Basis)
POPIA requires that we process personal information for a specific, explicitly defined, and lawful purpose. We process your information for the following purposes:
| Purpose | Legal Basis (POPIA) |
|---|---|
| Account creation and authentication | Performance of contract (Section 11(1)(a)) |
| Vehicle maintenance tracking and reminders | Performance of contract |
| Compliance document expiry alerts | Performance of contract |
| Payment processing and billing | Performance of contract + Legal obligation |
| Customer support and dispute resolution | Performance of contract |
| Service improvement and bug fixes | Legitimate interest (Section 11(1)(f)) |
| Fraud prevention and security | Legitimate interest + Legal obligation |
| Marketing communications (with consent) | Consent (Section 11(1)(a)) — opt-in only |
| Tax and regulatory compliance | Legal obligation (Section 11(1)(b)) |
5. How We Protect Your Information
5.1. Encryption: All data transmitted between your device and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
5.2. Access controls: Personal information is accessible only to authorised personnel who require it for their duties. All staff are bound by confidentiality agreements.
5.3. Infrastructure: Our servers are hosted in secure, ISO 27001-certified data centres. We use Supabase for database hosting with row-level security policies.
5.4. Regular audits: We conduct annual security assessments, penetration testing, and POPIA compliance audits.
5.5. Breach notification: In the event of a personal information breach, we will notify the Information Regulator and affected users within 72 hours as required by Section 22 of POPIA, unless the breach is unlikely to result in serious harm.
6. Sharing & Disclosure of Personal Information
6.1. We do not sell your personal information. Period.
6.2. We may share personal information with the following categories of recipients, strictly limited to what is necessary:
- Service providers: PayFast (payment processing), Supabase (cloud database), Google Cloud (hosting infrastructure), SendGrid (email delivery). All providers are contractually bound to POPIA-compliant data processing agreements.
- Legal authorities: When required by South African law, court order, or to protect our legal rights.
- Business transfers: In the event of a merger, acquisition, or asset sale, we will ensure the successor is bound by this Privacy Policy.
6.3. We do not transfer personal information outside South Africa except where the recipient country has substantially similar data protection laws or we have obtained your explicit consent, as required by Section 72 of POPIA.
7. Data Retention & Deletion
7.1. We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected:
- Active accounts: For the duration of your account plus 1 year after closure (for dispute resolution and legal compliance).
- Financial records: 5 years as required by the Tax Administration Act 28 of 2011.
- Marketing consents: Until you withdraw consent or we cease marketing activities.
- Server logs: 12 months for security and debugging purposes.
7.2. Account deletion: You may request deletion of your account and personal information at any time by emailing info@vehiclecare.co.za. We will process deletion within 30 days, except where retention is required by law.
7.3. Upon deletion, your personal information is permanently removed from active systems. Backup copies may persist for up to 90 days in encrypted, access-controlled archives before secure destruction.
8. Cookies & Tracking Technologies
8.1. We use cookies and similar technologies to enhance your experience, analyse usage, and deliver relevant content.
8.2. Types of Cookies We Use
| Category | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, account access | Session / 30 days |
| Functional | Preferences, language, checklist state | 1 year |
| Analytics | Google Analytics 4 — anonymised usage data | 14 months |
| Marketing | Only with explicit consent — conversion tracking | 90 days |
8.3. You can manage cookie preferences through your browser settings or our cookie consent banner. Essential cookies cannot be disabled as they are necessary for the Services to function.
9. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights regarding your personal information:
Right of Access (Section 23)
Request confirmation of whether we hold your personal information and receive a copy of it.
Right to Correction (Section 24)
Request that we correct inaccurate, misleading, or outdated personal information.
Right to Deletion (Section 24)
Request destruction or deletion of personal information that is no longer necessary.
Right to Object (Section 11(3))
Object to processing of your personal information for direct marketing or legitimate interest purposes.
Right to Complain (Section 74)
Lodge a complaint with the Information Regulator if you believe we have violated POPIA.
Right to Withdraw Consent
Withdraw consent for processing at any time. This does not affect the lawfulness of prior processing.
To exercise any of these rights, email info@vehiclecare.co.za with the subject line "POPIA Request". We will respond within 30 days and may request proof of identity to prevent unauthorised access.
10. Children's Privacy
10.1. The Services are not intended for children under the age of 18. We do not knowingly collect personal information from minors.
10.2. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at info@vehiclecare.co.za and we will delete such information promptly.
11. Changes to This Privacy Policy
11.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
11.2. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Effective date" at the top of this page indicates when the current version became active.
11.3. Continued use of the Services after changes constitutes acceptance of the updated Privacy Policy.
12. Contact Us & Complaints
For privacy-related questions, requests, or concerns, contact our Information Officer:
VehicleCare Information Officer
Email: info@vehiclecare.co.za
If you are not satisfied with our response, you have the right to lodge a complaint with the South African Information Regulator:
Website: www.inforegulator.org.za
Email: inforeg@justice.gov.za
© 2026 VehicleCare. All rights reserved. | Terms of Service | Refund Policy