Privacy Policy

Last updated: 29 June 2026

This policy explains what data we collect, why we need it, and how we protect it.

The short version: We collect only what we need to run batapp. We don't sell your data. You own your data and can delete it anytime.

By using batapp, you also agree to our Terms & Conditions.


Who we are

batapp is provided by Albertec IT Solutions CC (Reg No: 2008/017765/23), a South African company.

We're the "responsible party" under POPIA (South Africa's data protection law).

Two different roles. For your account, billing, support and website data, Albertec is the responsible party (controller) — we decide how that data is handled. For the asset data your organisation puts into batapp, your organisation is the responsible party and Albertec is the operator (processor) — we only process it on your instructions to run the service. How we handle data in that operator role is set out in our Data Processing Addendum.


What we collect and why

Information you give us

WhatWhy we need it
Name & emailTo create your account and contact you about your service
PasswordTo secure your account (we store it hashed — a one-way scramble, never plain text and never reversible)
Company detailsTo set up your organisation in batapp

Your asset data

Everything you add to batapp — assets, categories, locations, custom fields, check-out records — belongs to you. We store it to provide the service.

Photos you upload

When you attach photos to assets, we store them in cloud storage. Photos are linked to your organisation and deleted when you delete the asset or your account.

Location data (mobile app)

Whether location is captured is controlled by your organisation's settings. Some organisations require location access in order to scan or capture assets. If your organisation has enabled this, you'll be asked to grant location permission before scanning, and scanning is unavailable without it.

When enabled, the app captures the device's coordinates at the moment you scan or tag an asset, where GPS is available, and stores those coordinates against that asset record. This is a single point captured per scan, while the app is in use. We never use background or continuous tracking to follow you.

Recording an asset's physical location is a core asset-management function that organisations rely on. Under POPIA, the lawful basis is the legitimate interest of the organisation tracking its own assets, with your consent given through the operating system's location permission. You control that permission through your device settings.

Barcode & camera access

The mobile app uses your camera to:

  • Scan barcodes and QR codes for quick asset lookup
  • Take photos of assets

We don't access your camera roll or other photos — only what you explicitly capture in the app.

Payment information

When you subscribe to a paid plan:

WhatHow it's handled
Card detailsProcessed by our PCI-DSS Level 1 payment provider — we never see or store your full card number
Billing & tax detailsName, address, and where applicable your VAT and company registration numbers — stored to issue valid tax invoices and meet our accounting obligations
Transaction historyWe keep records of payments for accounting
Payment method tokensStored securely to process recurring payments

We do not:

  • Store your full card number, CVV, or PIN
  • Have access to your banking credentials
  • Share payment data with anyone except our payment processor

Automatic technical data

We automatically collect:

  • Usage data: Which features you use, how often, error logs
  • Device info: Browser type, operating system, screen size
  • Mobile specifics: App version and device ID

This helps us fix bugs, improve the app, and provide support.


How we use your data

We use your information to:

  1. Run batapp — deliver features, sync data between devices, process your requests
  2. Provide support — respond when you contact us, troubleshoot issues
  3. Improve the service — understand usage patterns, fix bugs, develop new features
  4. Keep things secure — detect fraud, prevent unauthorized access
  5. Send important updates — service changes, maintenance notices, security alerts
  6. Marketing — our own product news and offers, only with your consent, and you can opt out anytime. We don't share your data with third parties for their marketing

We process your data based on:

  • Contract: We need it to provide the service you signed up for
  • Consent: Where you've specifically agreed (like marketing emails)
  • Legitimate interest: For security, fraud prevention, and improving the service
  • Legal obligation: Where the law requires it

Who can see your data

Within your organisation

batapp has role-based access. What people see depends on their role:

RoleWhat they can see
ViewerRead-only access to assets
ScannerView assets + scan barcodes
EditorAdd, edit, and manage assets
AdminEverything + organisation management + user management

Admins in your organisation control who has access. We don't share data between different organisations.

Separately, our own support staff can access your data through an Albertec-only Support role to help you when needed — your admins can't assign this role, and the access is typically temporary and used only for troubleshooting.

Check-out records

When assets are checked out/in, we record who, when, and any notes. This is visible to users with appropriate access in your organisation.

Third-party services

We use a small set of trusted providers to run batapp — for hosting, email, payments, analytics and error tracking. We name each one, what they do, and where they're based on our Subprocessors page.

Our payment processor receives only what's needed to process your payment: card details, billing address, and transaction amount. They may use this data for fraud prevention as required by card networks.

These providers only access what they need to provide their service. We don't sell or rent your data to anyone. For how we keep your data safe, see our Security Overview.

We may share data if required by law, court order, or to protect our legal rights. We'll notify you if legally permitted.


Where your data lives

Your data is hosted in Germany (the EU), which has data-protection laws recognised as providing an adequate level of protection. A few supporting services (such as product analytics and email) also process limited data; these providers, their regions, and the data-protection terms we have with them are set out on our Subprocessors page.


How we protect your data

  • Encryption: Data is encrypted in transit (TLS); backups and uploaded files are encrypted at rest, and access to the database is restricted and controlled
  • Access controls: Staff access is limited, role-based, and logged
  • Secure authentication: Passwords are hashed; we follow industry-standard security practices
  • Encrypted backups: Backups are encrypted and stored separately from the live system
  • Regular monitoring: We watch for suspicious activity and patch regularly

No system is 100% secure, but we take reasonable precautions to protect your information. For a fuller picture of how we run things, see our Security Overview.

If something goes wrong: If a security breach affects your personal information, we'll notify you and the Information Regulator as required by POPIA (and the GDPR where it applies), without undue delay. To report a vulnerability or suspected incident, see our Security Contact page.


How long we keep your data

Data typeRetention period
Account dataWhile you're subscribed + 30 days after cancellation
Asset data & photosWhile your account is active + 30 days after cancellation (so you can export)
Audit trail (asset history, check-outs)7 years (for compliance)
Payment & billing records5 years (required by tax law)
Support messages3 years from last contact
Usage analytics2 years
Security logs1 year

Organisation deletion is handled on request — we can provide a data export before deleting. Audit trails and financial records are retained longer for compliance — see details below.


Your rights

Under POPIA (and GDPR if you're in Europe), you have the right to:

  • Access — request a copy of your data
  • Correction — fix inaccurate information
  • Deletion — have your data removed
  • Object — stop certain processing (like marketing)
  • Portability — get your data in a usable format
  • Complain — lodge a complaint with the Information Regulator

How to delete your account

You can delete your own account directly from the app:

  1. Go to Profile settings
  2. Select Delete account
  3. Confirm the action — this is permanent

Alternatively, email [email protected] with subject "Account Deletion Request" and include your name and account email.

When your account is deleted:

  • Your login credentials are removed (you can no longer access the service)
  • Your organisation memberships are removed

The following is retained:

  • User profile record — retained for audit trail integrity (see below)
  • Audit trail records (7 years — for compliance)
  • Security logs (1 year — for security purposes)

Audit trail retention

batapp is an asset management system. Records of who authorised asset movements, disposals, and write-offs form part of your organisation's compliance and accountability trail.

We retain your user profile record (name, email) after account deletion to preserve the integrity of these audit records — so that historical records continue to show who performed each action. This is a legitimate interest under Art. 17(3) of GDPR and equivalent POPIA provisions. Your access credentials are removed, so you cannot log in.

If you formally invoke your right to erasure and wish your profile record removed from audit history, contact us at [email protected]. We will consider each request on its merits, weighing your rights against the legitimate interests of the organisations whose records reference your actions.

Organisation deletion

Deleting an entire organisation is not a self-service action. To delete an organisation and all its data, an organisation admin must email us at [email protected] with subject "Organisation Deletion Request", including the organisation name and the admin's account email.

We can provide an export of your organisation's data on request before deletion. Once confirmed, all asset data, photos, locations, and configuration are permanently deleted, and all members are removed from the organisation.

If you're the last admin of an organisation, deleting your own account can leave it without an admin — email us and we'll help you delete the organisation.

The following is retained after organisation deletion:

  • Audit trail records (7 years — for compliance, anonymised)
  • Transaction & billing records (5 years — required by tax law)
  • Security logs (1 year — for security purposes)

Deleting specific data

Want to delete specific data without closing your account? Email us at [email protected] with subject "Partial Data Deletion Request" and describe what you'd like removed.

Making a request

For any data request, email [email protected]. We aim to respond as quickly as we can, and within 30 days at the latest — the maximum allowed under POPIA and the GDPR.


Cookies and local storage

On the web app

We don't use cookies at all. Your session, preferences, and offline data are stored locally on your device — in your browser's local storage and IndexedDB — not in cookies.

You can clear this local data through your browser settings.

On the mobile app

We use:

  • App analytics to improve performance
  • Crash reporting to fix bugs

Control these through your device's privacy settings.


Mobile app permissions

PermissionWhy we ask
CameraTo scan barcodes and take asset photos
StorageTo save photos locally before upload
LocationFor asset geolocation; may be required for scanning depending on your organisation's settings
NotificationsTo send important updates

You can revoke any permission in your device settings. Some features won't work without their required permissions.

Offline mode and sync

When you work offline:

  • Data is stored locally on your device, in the app's local storage
  • It syncs automatically over an encrypted connection when you reconnect
  • Local data is protected by your device's own security, so keep your device locked and protected with a passcode

Children

batapp is for business use. We don't knowingly collect data from anyone under 18. If we discover we have, we'll delete it immediately.


Changes to this policy

We'll update this policy when our practices change. For significant changes:

  • We'll email you
  • We'll note the change on our website
  • Continued use means you accept the changes

Questions or complaints

Contact us:

Information Regulator South Africa:


Back Home