Legal

Privacy Policy

Last updated: 17 April 2026

Introduction

Barabbas Tech (Pty) Ltd, a company registered in the Republic of South Africa, operates the Safety Pro platform ("Safety Pro", "we", "us" or "our"), a workplace environmental, health and safety (EHS) management system used by organisations to manage sites, risk assessments and method statements (RAMS), incident reports, inspections, permits to work, training records, toolbox talks, daily safe task instructions (DSTIs), personal protective equipment (PPE) issuances, and related safety file documentation.

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights that you have in relation to your information. It applies to the Safety Pro web application, mobile application, and associated services.

If you have any questions about this policy, please contact our Information Officer at brandon@barabbas.co.za.

Information we collect

Account and profile information

When you or your organisation create an account, we collect your first name and surname, email address, phone number, job title, South African identity number (where required for employee verification and OHS Act record-keeping), employee number, and an optional profile photograph. We also record your authentication provider (email, Google, Apple) and your most recent sign-in timestamp.

Organisation information

For the organisation you belong to, we collect the registered company name, VAT number, company registration number, registered and operating addresses, industry classification, website, region, and the primary contact person's name, email and phone number.

Workplace safety content

In the normal course of using Safety Pro, you and your colleagues contribute workplace safety records. These include site assignments and roles, incident reports (incident description, severity classification, root cause analysis, corrective actions and witness details), risk assessments and method statements, permits to work, inspection outcomes, toolbox talk attendance, training attendance and competency records, DSTIs, certificates of fitness and competency, and PPE issuance records.

Media and signatures

You may upload documents, capture photographs through the in-app camera (for example to evidence incidents, inspections or safety file items), and record handwritten signatures as proof of training attendance, RAMS acknowledgement, and permit approvals. Signatures are stored as image data against the associated record.

Location data

With your permission, Safety Pro collects precise (fine) and approximate (coarse) GPS coordinates when you record an incident or create a site. Location is collected in the foreground only; we do not track your location in the background.

Device and technical information

We collect the push notification token issued by our push-notification provider, your device identifier, the mobile platform (iOS or Android), the app version, the operating system version, the IP address from which you access the service, and your browser or app user agent.

Activity and audit information

To maintain an OHS Act-compliant audit trail, we record which user created, updated or deleted each record, when those actions occurred, and (for legal acceptance events and document downloads) the IP address from which the action was taken. We also retain point-in-time revision snapshots of key safety records.

AI assistant interactions

If you use the Safety Pro AI assistant, we store your chat sessions and messages, any feedback you provide on assistant responses, and the prompts and outputs of AI-generated risk assessments and method statements.

How we use your information

We use the information we collect to deliver and operate the Safety Pro service, to authenticate users and manage access, to deliver push notifications about incidents, approvals, expiries and other operational events you have subscribed to, to maintain the audit trail required by the South African Occupational Health and Safety Act, 1993 and ISO 45001, to compile and make available your safety file documentation, to provide AI-assisted drafting of risk assessments and method statements, to investigate and prevent fraud and abuse, to secure the service, and to communicate administrative messages to you about your account and the service.

Legal basis for processing

We rely on the following legal grounds under section 11 of the Protection of Personal Information Act, 2013 (POPIA) and, where applicable, Article 6 of the General Data Protection Regulation (GDPR):

  • Performance of a contract: processing that is necessary to deliver the service to you or to your organisation under its subscription agreement.
  • Legal obligation: record-keeping mandated by the OHS Act and its regulations.
  • Legitimate interests: securing the service, preventing fraud, and improving the product. Where we rely on this ground we have carried out a balancing test to ensure that our interests do not override your rights.
  • Consent: separately obtained and revocable, for use of the device camera and microphone, precise location, and any marketing communications.

Third-party processors and independent controllers

Processors acting on our behalf

We share personal information with the following categories of processor, each engaged under a written data processing agreement that binds it to process information only on documented instructions from us, to apply appropriate technical and organisational security safeguards, to assist us with breach notification, and to return or delete the information when our engagement ends:

  • Cloud hosting and database providers: operation of the application, database and file storage. Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256), and may be processed outside South Africa, including in the United States.
  • Email and push-notification providers: delivery of transactional email (such as invitations, one-time passcodes and system notifications) and routing of push notifications. For push delivery, a device push token is shared so notifications can be directed to your device; message content is transmitted for delivery and not retained by the relay once delivered.
  • AI service providers: processing of the text content of chat prompts, risk assessment drafting prompts and method statement drafting prompts to power the AI assistant features. We use these providers through their business and developer interfaces, under which the content we submit is not used to train their models, and is subject only to limited, short-term retention (typically up to thirty days) for security and abuse-monitoring purposes before deletion. See "AI assistant: accuracy and human oversight" below.

A current list of the specific processors within each category, including their locations and the safeguards that apply, is available to subscribing organisations on request and under the data processing terms of your subscription agreement.

Independent controllers

Some providers do not act on our behalf but determine their own purposes for the limited data they receive, and are therefore independent responsible parties (controllers) in their own right. Their handling of your information is governed by their own privacy policies, which we encourage you to review:

  • Google Maps Platform: when you create a site or record a location, the address or coordinates are sent to Google to return geocoding results and to render map tiles. Google acts as an independent controller of that data under Google's Privacy Policy (https://policies.google.com/privacy). We retain only the resulting location against your record and do not separately store cached map data beyond the limits Google permits.
  • Payfast: subscription payments in South African Rand are processed by Payfast (Pty) Ltd, a South African PCI-DSS Level 1 payment service provider, on its own secure hosted payment page. Your full card details are entered directly with Payfast and are never collected by, transmitted through, or stored on Safety Pro's systems. Payfast processes payment and cardholder information as an independent responsible party under its own privacy policy (https://payfast.io/privacy-policy/).

We do not sell personal information and we do not share it with third parties for their own marketing purposes.

Data retention

Active records are retained for as long as your organisation's subscription is active. When a record is deleted from within the application it is marked with a deletion timestamp (soft delete) and excluded from normal views while it remains subject to legal retention obligations. Safety and compliance records required under the OHS Act are typically retained for three to five years, and in the case of certain occupational exposure records up to forty years. Audit logs are retained for ninety days. Encrypted backups are retained on a rolling thirty-day cycle. On a verified erasure request we will hard-delete information that is not subject to an overriding legal retention obligation.

Security

All traffic between your device and Safety Pro is protected by TLS 1.2 or higher. Data at rest is encrypted by our managed storage provider. Authentication uses RS256-signed JSON Web Tokens with short lifetimes, and session cookies are marked HttpOnly, Secure and SameSite. Access to records is enforced by role-based access control scoped to the organisation and site. Administrative actions are recorded in an audit log. We operate an incident response process and will notify affected data subjects and regulators within seventy-two hours where required under GDPR, or within a reasonable time as required by section 22 of POPIA.

International transfers

Because some of our processors, and the independent controllers described above, are based outside South Africa, including in the United States, personal information will be transferred to, stored in, and processed in jurisdictions outside South Africa. Where your organisation has indicated cross-border consent at the organisation level (as contemplated by section 72 of POPIA) this consent covers those transfers. For transfers originating in the European Economic Area, the United Kingdom or Switzerland, our processors rely on the European Commission's Standard Contractual Clauses and, where applicable, certification under the EU-US Data Privacy Framework. All transfers are made under written agreements that require an adequate level of protection.

AI assistant: accuracy and human oversight

The Safety Pro AI assistant, and its risk-assessment and method-statement drafting features, are powered by third-party AI service providers using predictive language models. AI-generated output may be incomplete, inaccurate, outdated or unsuitable for your specific site, task or jurisdiction.

Safety Pro is a software tool that supports, and does not substitute for, the judgement of a qualified health and safety professional. It is intended to be used by, or under the supervision of, a competent person. Every AI-generated risk assessment, method statement or other safety output is a draft only and must be reviewed, verified, adapted and formally approved by a competent person before it is relied upon or put into use. Your organisation remains responsible for the accuracy, completeness and legal compliance of its safety records and for engaging appropriate health and safety expertise. These responsibilities are set out more fully in our Terms of Service.

Your rights

Subject to verification of your identity, you have the following rights in relation to your personal information:

  • Under POPIA (sections 23 to 25): to request access to your information, to request correction of inaccurate information, to request deletion of information that is no longer required, and to object to processing. You may lodge a complaint with the Information Regulator of South Africa at inforeg@justice.gov.za.
  • Under the GDPR (Articles 15 to 22): access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent.
  • Under the CCPA and CPRA (California residents): the right to know, the right to delete, the right to correct, and the right to opt out of the sale of personal information. We do not sell personal information.

We will respond to a verified request within thirty days. Please direct requests to brandon@barabbas.co.za.

Children's privacy

Safety Pro is designed for use by adults in a workplace setting and is not directed at children under the age of sixteen. We do not knowingly collect personal information from children. If you believe that we have inadvertently collected information about a child, please contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. When we make an update, we will notify you within the Safety Pro application and provide a link to the revised policy so that you can review it in full before deciding whether to continue. We will require you to accept the updated Privacy Policy before you continue to use Safety Pro. The "Effective date" shown below always reflects the current version, and your acceptance is recorded against the version in force at the time you accept.

Contact

Information Officer: Brandon Harmse, Barabbas Tech (Pty) Ltd, Republic of South Africa. Email: brandon@barabbas.co.za.

Effective date

This Privacy Policy is effective from 31 May 2026.