Privacy Policy
Effective date: 12 March 2026 · Last updated: 12 March 2026
Walkabout Software (Pty) Ltd ("Walkabout", "we", "us", or "our"), a company registered in the Republic of South Africa, is committed to protecting your privacy and Personal Information. This Privacy Policy explains how we collect, use, store, and share information when you use the Walkabout platform, including the web application at walkabout.work and the Walkabout mobile application (the "Service").
This policy is drafted in compliance with:
- The Protection of Personal Information Act 4 of 2013 ("POPIA") of South Africa;
- The General Data Protection Regulation (EU) 2016/679 ("GDPR");
- The UK General Data Protection Regulation ("UK GDPR");
- Other applicable data protection laws in jurisdictions where our Users are located.
1. Information We Collect
1.1 Information provided by your organisation
When your employer or contracting organisation ("Client") provisions your account, they may provide:
- Full name, known name / preferred name;
- Email address (work and/or personal);
- Mobile phone number (work and/or personal);
- Employee code / identifier;
- Job title and position;
- Project assignments and roles;
- Organisation membership details.
1.2 Information you provide directly
- Login credentials (email or phone number used for authentication);
- Messages and communications sent through the Service;
- Daily diary entries, reports, and uploaded photographs;
- Access request details (name, email, phone number, organisation).
1.3 Information from third-party integrations
Where your project uses third-party time & attendance systems (e.g., AllWage), we may receive:
- Clock-in and clock-out times;
- Attendance status (present, absent, pending);
- Shift information;
- Employee group / trade classification.
This data is received via API from the third-party provider configured by your organisation. Walkabout does not collect biometric data directly — biometric processing (fingerprint, facial recognition) occurs on the third-party provider's systems. We only receive the resulting attendance records.
1.4 Information collected automatically
- Device type, operating system, and browser information;
- IP address and approximate location;
- Usage data (pages visited, features used, timestamps);
- Authentication logs and session information.
2. How We Use Your Information
We process Personal Information for the following purposes:
| Purpose | Legal Basis (POPIA / GDPR) |
|---|---|
| Providing and operating the Service | Performance of contract; legitimate interest |
| Authenticating your identity (email magic link, SMS OTP) | Performance of contract; legitimate interest |
| Sending in-app notifications and messages | Performance of contract |
| Sending WhatsApp reminders for outstanding tasks | Legitimate interest; consent where required |
| Generating reports (daily diaries, PDF exports) | Performance of contract |
| Improving and maintaining the Service | Legitimate interest |
| Responding to support requests | Performance of contract |
| Complying with legal obligations | Legal obligation |
| Preventing fraud and ensuring security | Legitimate interest; legal obligation |
3. Data Sharing & Sub-processors
We do not sell your Personal Information. We share data only with:
3.1 Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage, edge functions | EU (Ireland, eu-west-1) |
| Amazon Web Services (AWS) | Infrastructure hosting (via Supabase) | EU (Ireland, eu-west-1) |
| Vercel Inc. | Web application hosting and CDN | Global edge network |
| Twilio Inc. | SMS / WhatsApp OTP delivery and reminders | United States |
| Cloudflare Inc. | Turnstile CAPTCHA, DDoS protection | Global edge network |
| Anthropic PBC | AI-powered diary analysis (Claude API & Claude.ai) | United States |
| Google LLC | AI-powered analysis (Gemini API) | United States |
| AllWage / Agrigistics (Pty) Ltd | Time & attendance — biometric clock-in data (per-project, where configured) | South Africa |
| SendGrid (Twilio Inc.) | Transactional email delivery (planned) | United States |
3.2 Your organisation
Client administrators can view data related to their organisation, including employee profiles, project assignments, diary entries, and messages sent within the organisation.
3.3 Legal requirements
We may disclose information where required by law, court order, or regulatory authority, or where necessary to protect our legal rights.
4. International Data Transfers
- Your data is primarily stored in the European Union (Ireland) on Supabase / AWS infrastructure.
- Some sub-processors (Twilio, Anthropic, Vercel) may process data in the United States. Where this occurs, we rely on:
  - EU Standard Contractual Clauses (SCCs);
  - The EU-U.S. Data Privacy Framework, where applicable;
  - Adequate safeguards under POPIA Section 72.
- For transfers from South Africa, we ensure compliance with POPIA Section 72 by confirming the recipient jurisdiction provides adequate protection or that a binding agreement is in place.
5. Data Retention
- We retain Personal Information for as long as your account is active or as needed to provide the Service.
- After account termination, Client data is available for export for 30 days, after which it may be permanently deleted.
- Authentication logs and security data are retained for up to 12 months.
- We may retain anonymised, aggregated data indefinitely for analytics and improvement purposes.
- Where a longer retention period is required by law (e.g., tax records, construction industry regulations), we will retain data for the legally mandated period.
6. Your Rights
Depending on your jurisdiction, you have the following rights regarding your Personal Information:
6.1 Under POPIA (South Africa)
- Right to access your Personal Information;
- Right to request correction of inaccurate information;
- Right to request deletion of your information;
- Right to object to the processing of your information;
- Right to withdraw consent (where processing is based on consent);
- Right to lodge a complaint with the Information Regulator (South Africa).
6.2 Under GDPR (European Union / UK)
In addition to the above, EU/UK residents have the right to:
- Data portability (receive your data in a structured, machine-readable format);
- Restrict processing in certain circumstances;
- Object to automated decision-making and profiling;
- Lodge a complaint with your local Data Protection Authority.
6.3 Exercising your rights
To exercise any of these rights, contact us at privacy@walkabout.work. We will respond within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.
Note: where your account is managed by a Client organisation, some requests may need to be directed to your employer/Client as the data controller.
7. Security
- All data in transit is encrypted using TLS 1.2 or higher;
- Data at rest is encrypted using AES-256;
- Row-Level Security (RLS) ensures users can only access data they are authorised to view;
- Authentication uses secure one-time passwords (OTP) and magic links — no passwords are stored;
- CAPTCHA protection (Cloudflare Turnstile) prevents automated abuse;
- Regular security reviews and dependency updates are performed;
- Access to production systems is restricted to authorised personnel.
While we implement industry-standard security measures, no system is completely secure. If you discover a security vulnerability, please report it to security@walkabout.work.
8. Cookies & Tracking
- The Service uses essential cookies for authentication and session management. These are strictly necessary and do not require consent.
- We use a project-context cookie to remember your selected project across page loads.
- We do not use third-party advertising or tracking cookies.
- Analytics, if enabled in future, will be disclosed in an updated version of this policy.
9. Children's Privacy
The Service is intended for use by adults in a professional context. We do not knowingly collect Personal Information from children under the age of 18. If we become aware that we have collected such information, we will take steps to delete it.
10. Changes to This Policy
- We may update this Privacy Policy from time to time. Material changes will be notified via the Service or by email at least 14 days before they take effect.
- The "Last updated" date at the top of this page indicates when the policy was last revised.
- Continued use of the Service after changes take effect constitutes acceptance.
11. Data Controller & Operator
- Data Controller / Responsible Party (POPIA): The Client organisation that manages your account is the data controller for employee data processed through the Service.
- Data Processor / Operator (POPIA): Walkabout Software (Pty) Ltd acts as the data processor, processing data on behalf of the Client in accordance with their instructions and our Data Processing Agreement.
- For data we collect directly (e.g., access requests, website visitors), Walkabout acts as the data controller.
12. Information Officer
In terms of POPIA, our designated Information Officer can be contacted at:
- Email: privacy@walkabout.work
- Walkabout Software (Pty) Ltd, South Africa
You may also contact the Information Regulator (South Africa) at:
- Website: www.justice.gov.za/inforeg/
- Email: enquiries@inforegulator.org.za
13. Contact
For any questions or concerns about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@walkabout.work
- Walkabout Software (Pty) Ltd, South Africa
© 2026 Walkabout Software (Pty) Ltd. All rights reserved.