Privacy Policy
Last updated: 29 June 2026
This policy explains what data we collect, why we need it, and how we protect it.
The short version: We collect only what we need to run batapp. We don't sell your data. You own your data and can delete it anytime.
By using batapp, you also agree to our Terms & Conditions.
Who we are
batapp is provided by Albertec IT Solutions CC (Reg No: 2008/017765/23), a South African company.
- Information Officer: Theuns Alberts
- Email: [email protected]
- Website: https://batapp.co.za
We're the "responsible party" under POPIA (South Africa's data protection law).
Two different roles. For your account, billing, support and website data, Albertec is the responsible party (controller) — we decide how that data is handled. For the asset data your organisation puts into batapp, your organisation is the responsible party and Albertec is the operator (processor) — we only process it on your instructions to run the service. How we handle data in that operator role is set out in our Data Processing Addendum.
What we collect and why
Information you give us
| What | Why we need it |
|---|---|
| Name & email | To create your account and contact you about your service |
| Password | To secure your account (we store it hashed — a one-way scramble, never plain text and never reversible) |
| Company details | To set up your organisation in batapp |
Your asset data
Everything you add to batapp — assets, categories, locations, custom fields, check-out records — belongs to you. We store it to provide the service.
Photos you upload
When you attach photos to assets, we store them in cloud storage. Photos are linked to your organisation and deleted when you delete the asset or your account.
Location data (mobile app)
Whether location is captured is controlled by your organisation's settings. Some organisations require location access in order to scan or capture assets. If your organisation has enabled this, you'll be asked to grant location permission before scanning, and scanning is unavailable without it.
When enabled, the app captures the device's coordinates at the moment you scan or tag an asset, where GPS is available, and stores those coordinates against that asset record. This is a single point captured per scan, while the app is in use. We never use background or continuous tracking to follow you.
Recording an asset's physical location is a core asset-management function that organisations rely on. Under POPIA, the lawful basis is the legitimate interest of the organisation tracking its own assets, with your consent given through the operating system's location permission. You control that permission through your device settings.
Barcode & camera access
The mobile app uses your camera to:
- Scan barcodes and QR codes for quick asset lookup
- Take photos of assets
We don't access your camera roll or other photos — only what you explicitly capture in the app.
Payment information
When you subscribe to a paid plan:
| What | How it's handled |
|---|---|
| Card details | Processed by our PCI-DSS Level 1 payment provider — we never see or store your full card number |
| Billing & tax details | Name, address, and where applicable your VAT and company registration numbers — stored to issue valid tax invoices and meet our accounting obligations |
| Transaction history | We keep records of payments for accounting |
| Payment method tokens | Stored securely to process recurring payments |
We do not:
- Store your full card number, CVV, or PIN
- Have access to your banking credentials
- Share payment data with anyone except our payment processor
Automatic technical data
We automatically collect:
- Usage data: Which features you use, how often, error logs
- Device info: Browser type, operating system, screen size
- Mobile specifics: App version and device ID
This helps us fix bugs, improve the app, and provide support.
How we use your data
We use your information to:
- Run batapp — deliver features, sync data between devices, process your requests
- Provide support — respond when you contact us, troubleshoot issues
- Improve the service — understand usage patterns, fix bugs, develop new features
- Keep things secure — detect fraud, prevent unauthorized access
- Send important updates — service changes, maintenance notices, security alerts
- Marketing — our own product news and offers, only with your consent, and you can opt out anytime. We don't share your data with third parties for their marketing
We process your data based on:
- Contract: We need it to provide the service you signed up for
- Consent: Where you've specifically agreed (like marketing emails)
- Legitimate interest: For security, fraud prevention, and improving the service
- Legal obligation: Where the law requires it
Who can see your data
Within your organisation
batapp has role-based access. What people see depends on their role:
| Role | What they can see |
|---|---|
| Viewer | Read-only access to assets |
| Scanner | View assets + scan barcodes |
| Editor | Add, edit, and manage assets |
| Admin | Everything + organisation management + user management |
Admins in your organisation control who has access. We don't share data between different organisations.
Separately, our own support staff can access your data through an Albertec-only Support role to help you when needed — your admins can't assign this role, and the access is typically temporary and used only for troubleshooting.
Check-out records
When assets are checked out/in, we record who, when, and any notes. This is visible to users with appropriate access in your organisation.
Third-party services
We use a small set of trusted providers to run batapp — for hosting, email, payments, analytics and error tracking. We name each one, what they do, and where they're based on our Subprocessors page.
Our payment processor receives only what's needed to process your payment: card details, billing address, and transaction amount. They may use this data for fraud prevention as required by card networks.
These providers only access what they need to provide their service. We don't sell or rent your data to anyone. For how we keep your data safe, see our Security Overview.
Legal requirements
We may share data if required by law, court order, or to protect our legal rights. We'll notify you if legally permitted.
Where your data lives
Your data is hosted in Germany (the EU), which has data-protection laws recognised as providing an adequate level of protection. A few supporting services (such as product analytics and email) also process limited data; these providers, their regions, and the data-protection terms we have with them are set out on our Subprocessors page.
How we protect your data
- Encryption: Data is encrypted in transit (TLS); backups and uploaded files are encrypted at rest, and access to the database is restricted and controlled
- Access controls: Staff access is limited, role-based, and logged
- Secure authentication: Passwords are hashed; we follow industry-standard security practices
- Encrypted backups: Backups are encrypted and stored separately from the live system
- Regular monitoring: We watch for suspicious activity and patch regularly
No system is 100% secure, but we take reasonable precautions to protect your information. For a fuller picture of how we run things, see our Security Overview.
If something goes wrong: If a security breach affects your personal information, we'll notify you and the Information Regulator as required by POPIA (and the GDPR where it applies), without undue delay. To report a vulnerability or suspected incident, see our Security Contact page.
How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | While you're subscribed + 30 days after cancellation |
| Asset data & photos | While your account is active + 30 days after cancellation (so you can export) |
| Audit trail (asset history, check-outs) | 7 years (for compliance) |
| Payment & billing records | 5 years (required by tax law) |
| Support messages | 3 years from last contact |
| Usage analytics | 2 years |
| Security logs | 1 year |
Organisation deletion is handled on request — we can provide a data export before deleting. Audit trails and financial records are retained longer for compliance — see details below.
Your rights
Under POPIA (and GDPR if you're in Europe), you have the right to:
- Access — request a copy of your data
- Correction — fix inaccurate information
- Deletion — have your data removed
- Object — stop certain processing (like marketing)
- Portability — get your data in a usable format
- Complain — lodge a complaint with the Information Regulator
How to delete your account
You can delete your own account directly from the app:
- Go to Profile settings
- Select Delete account
- Confirm the action — this is permanent
Alternatively, email [email protected] with subject "Account Deletion Request" and include your name and account email.
When your account is deleted:
- Your login credentials are removed (you can no longer access the service)
- Your organisation memberships are removed
The following is retained:
- User profile record — retained for audit trail integrity (see below)
- Audit trail records (7 years — for compliance)
- Security logs (1 year — for security purposes)
Audit trail retention
batapp is an asset management system. Records of who authorised asset movements, disposals, and write-offs form part of your organisation's compliance and accountability trail.
We retain your user profile record (name, email) after account deletion to preserve the integrity of these audit records — so that historical records continue to show who performed each action. This is a legitimate interest under Art. 17(3) of GDPR and equivalent POPIA provisions. Your access credentials are removed, so you cannot log in.
If you formally invoke your right to erasure and wish your profile record removed from audit history, contact us at [email protected]. We will consider each request on its merits, weighing your rights against the legitimate interests of the organisations whose records reference your actions.
Organisation deletion
Deleting an entire organisation is not a self-service action. To delete an organisation and all its data, an organisation admin must email us at [email protected] with subject "Organisation Deletion Request", including the organisation name and the admin's account email.
We can provide an export of your organisation's data on request before deletion. Once confirmed, all asset data, photos, locations, and configuration are permanently deleted, and all members are removed from the organisation.
If you're the last admin of an organisation, deleting your own account can leave it without an admin — email us and we'll help you delete the organisation.
The following is retained after organisation deletion:
- Audit trail records (7 years — for compliance, anonymised)
- Transaction & billing records (5 years — required by tax law)
- Security logs (1 year — for security purposes)
Deleting specific data
Want to delete specific data without closing your account? Email us at [email protected] with subject "Partial Data Deletion Request" and describe what you'd like removed.
Making a request
For any data request, email [email protected]. We aim to respond as quickly as we can, and within 30 days at the latest — the maximum allowed under POPIA and the GDPR.
Cookies and local storage
On the web app
We don't use cookies at all. Your session, preferences, and offline data are stored locally on your device — in your browser's local storage and IndexedDB — not in cookies.
You can clear this local data through your browser settings.
On the mobile app
We use:
- App analytics to improve performance
- Crash reporting to fix bugs
Control these through your device's privacy settings.
Mobile app permissions
| Permission | Why we ask |
|---|---|
| Camera | To scan barcodes and take asset photos |
| Storage | To save photos locally before upload |
| Location | For asset geolocation; may be required for scanning depending on your organisation's settings |
| Notifications | To send important updates |
You can revoke any permission in your device settings. Some features won't work without their required permissions.
Offline mode and sync
When you work offline:
- Data is stored locally on your device, in the app's local storage
- It syncs automatically over an encrypted connection when you reconnect
- Local data is protected by your device's own security, so keep your device locked and protected with a passcode
Children
batapp is for business use. We don't knowingly collect data from anyone under 18. If we discover we have, we'll delete it immediately.
Changes to this policy
We'll update this policy when our practices change. For significant changes:
- We'll email you
- We'll note the change on our website
- Continued use means you accept the changes
Questions or complaints
Contact us:
- Email: [email protected]
- Information Officer: Theuns Alberts
Information Regulator South Africa:
- Website: https://inforegulator.org.za
- Email: [email protected]
