Logotipo do Safety Pro
EntrarComeçar

Jurídico

Política de Privacidade

Última atualização: 17 April 2026

A versão vinculativa deste documento é a em inglês. Está disponível uma tradução a pedido para brandon@barabbas.co.za.

Introduction

Barabbas Tech (Pty) Ltd, a company registered in the Republic of South Africa, operates the Safety Pro platform ("Safety Pro", "we", "us" or "our") — a workplace environmental, health and safety (EHS) management system used by organisations to manage sites, risk assessments and method statements (RAMS), incident reports, inspections, permits to work, training records, toolbox talks, daily safe task instructions (DSTIs), personal protective equipment (PPE) issuances, and related safety file documentation.

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights that you have in relation to your information. It applies to the Safety Pro web application, mobile application, and associated services.

If you have any questions about this policy, please contact our Information Officer at brandon@barabbas.co.za.

Information we collect

Account and profile information

When you or your organisation create an account, we collect your first name and surname, email address, phone number, job title, South African identity number (where required for employee verification and OHS Act record-keeping), employee number, and an optional profile photograph. We also record your authentication provider (email, Google, Apple) and your most recent sign-in timestamp.

Organisation information

For the organisation you belong to, we collect the registered company name, VAT number, company registration number, registered and operating addresses, industry classification, website, region, and the primary contact person's name, email and phone number.

Workplace safety content

In the normal course of using Safety Pro, you and your colleagues contribute workplace safety records. These include site assignments and roles, incident reports (incident description, severity classification, root cause analysis, corrective actions and witness details), risk assessments and method statements, permits to work, inspection outcomes, toolbox talk attendance, training attendance and competency records, DSTIs, certificates of fitness and competency, and PPE issuance records.

Media and signatures

You may upload documents, capture photographs through the in-app camera (for example to evidence incidents, inspections or safety file items), and record handwritten signatures as proof of training attendance, RAMS acknowledgement, and permit approvals. Signatures are stored as image data against the associated record.

Location data

With your permission, Safety Pro collects precise (fine) and approximate (coarse) GPS coordinates when you record an incident or create a site. Location is collected in the foreground only — we do not track your location in the background.

Device and technical information

We collect the push notification token issued by Firebase Cloud Messaging, your device identifier, the mobile platform (iOS or Android), the app version, the operating system version, the IP address from which you access the service, and your browser or app user agent.

Activity and audit information

To maintain an OHS Act-compliant audit trail, we record which user created, updated or deleted each record, when those actions occurred, and (for legal acceptance events and document downloads) the IP address from which the action was taken. We also retain point-in-time revision snapshots of key safety records.

AI assistant interactions

If you use the Safety Pro AI assistant, we store your chat sessions and messages, any feedback you provide on assistant responses, and the prompts and outputs of AI-generated risk assessments and method statements.

How we use your information

We use the information we collect to deliver and operate the Safety Pro service, to authenticate users and manage access, to deliver push notifications about incidents, approvals, expiries and other operational events you have subscribed to, to maintain the audit trail required by the South African Occupational Health and Safety Act, 1993 and ISO 45001, to compile and make available your safety file documentation, to provide AI-assisted drafting of risk assessments and method statements, to investigate and prevent fraud and abuse, to secure the service, and to communicate administrative messages to you about your account and the service.

Legal basis for processing

We rely on the following legal grounds under section 11 of the Protection of Personal Information Act, 2013 (POPIA) and, where applicable, Article 6 of the General Data Protection Regulation (GDPR):

  • Performance of a contract — processing that is necessary to deliver the service to you or to your organisation under its subscription agreement.
  • Legal obligation — record-keeping mandated by the OHS Act and its regulations.
  • Legitimate interests — securing the service, preventing fraud, and improving the product. Where we rely on this ground we have carried out a balancing test to ensure that our interests do not override your rights.
  • Consent — separately obtained and revocable, for use of the device camera and microphone, precise location, and any marketing communications.

Third-party sub-processors

We share personal information with the following sub-processors, each of which is contractually bound to process information only on our behalf and in accordance with this policy:

  • Convex — backend application platform, database and file storage (hosted in the United States on AWS).
  • Google Firebase Cloud Messaging — delivery of push notifications to Android and iOS devices.
  • Google Maps Platform — geocoding of site addresses and rendering of map tiles within the application.
  • Expo (EAS Push) — relay of push notifications to mobile devices.
  • OpenAI — processing of chat prompts, risk assessment drafting prompts, and method statement drafting prompts by the AI assistant.
  • Resend — delivery of transactional email such as invitations, one-time passcodes and system notifications.
  • Payfast — processing of subscription payments in South African Rand.
  • Vercel — hosting of the Safety Pro web application and processing of associated request logs.

We do not sell personal information and we do not share it with third parties for their own marketing purposes.

Data retention

Active records are retained for as long as your organisation's subscription is active. When a record is deleted from within the application it is marked with a deletion timestamp (soft delete) and excluded from normal views while it remains subject to legal retention obligations. Safety and compliance records required under the OHS Act are typically retained for three to five years, and in the case of certain occupational exposure records up to forty years. Audit logs are retained for ninety days. Encrypted backups are retained on a rolling thirty-day cycle. On a verified erasure request we will hard-delete information that is not subject to an overriding legal retention obligation.

Security

All traffic between your device and Safety Pro is protected by TLS 1.2 or higher. Data at rest is encrypted by Convex-managed storage. Authentication uses RS256-signed JSON Web Tokens with short lifetimes, and session cookies are marked HttpOnly, Secure and SameSite. Access to records is enforced by role-based access control scoped to the organisation and site. Administrative actions are recorded in an audit log. We operate an incident response process and will notify affected data subjects and regulators within seventy-two hours where required under GDPR, or within a reasonable time as required by section 22 of POPIA.

International transfers

Because our infrastructure providers (Convex, Firebase, Vercel, OpenAI, Resend) are based in the United States, personal information will be transferred to, stored in, and processed in the United States and other jurisdictions outside South Africa. Where your organisation has indicated cross-border consent at the organisation level (as contemplated by section 72 of POPIA) this consent covers those transfers. All transfers are made under written sub-processor agreements that require an adequate level of protection.

Your rights

Subject to verification of your identity, you have the following rights in relation to your personal information:

  • Under POPIA (sections 23 to 25) — to request access to your information, to request correction of inaccurate information, to request deletion of information that is no longer required, and to object to processing. You may lodge a complaint with the Information Regulator of South Africa at inforeg@justice.gov.za.
  • Under the GDPR (Articles 15 to 22) — access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent.
  • Under the CCPA and CPRA (California residents) — the right to know, the right to delete, the right to correct, and the right to opt out of the sale of personal information. We do not sell personal information.

We will respond to a verified request within thirty days. Please direct requests to brandon@barabbas.co.za.

Children's privacy

Safety Pro is designed for use by adults in a workplace setting and is not directed at children under the age of sixteen. We do not knowingly collect personal information from children. If you believe that we have inadvertently collected information about a child, please contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. Where a change materially affects your rights we will give you at least thirty days' prior notice by email and by in-app banner. Your continued use of Safety Pro after the effective date of a revised policy constitutes acceptance of that revision.

Contact

Information Officer: Brandon Harmse, Barabbas Tech (Pty) Ltd, Republic of South Africa. Email: brandon@barabbas.co.za.

Effective date

This Privacy Policy is effective from 17 April 2026.