Privacy Policy

AutoGuard App (Pty) Ltd (“AutoGuard App”, “we”, “us”, “our”), a private company incorporated in the Republic of South Africa under registration number 2024/150440/07, is the responsible party for the processing of Personal Information described in this Policy, except where we act as an operator on behalf of one of our Customers, in which case the Customer is the responsible party.

• Registered office: Waterford Court Office Park, Block I, Unit I43, 236 Glover Avenue, Die Hoewes, Centurion, 0163, Republic of South Africa.
• Registration number: 2024/150440/07
• Email: info@leogroup.co.za
• Phone: +27 12 111 9164

This Policy applies to:

• Visitors to the AutoGuard website (autoguardapp.com) and related domains.
• Prospective customers who request demos, trials or quotes.
• Licensees and authorised users of the AutoGuard platform, including administrators, operators and field staff (e.g. guards using the mobile app).
• Anyone whose Personal Information is processed through the platform on behalf of a Customer (e.g. employees, contractors, residents, visitors logged into a site).

By using AutoGuard or providing us with Personal Information, you confirm that you have read and understood this Policy.

Under POPIA, there are two distinct roles when Personal Information is processed:

• Responsible party: the party that determines the purpose and means of processing.
• Operator: the party that processes Personal Information on behalf of, and on the instructions of, the responsible party.

AutoGuard App acts as the responsible party for Personal Information collected directly by us (e.g. website visitors, sales enquiries, marketing contacts, support tickets, billing data).

For Personal Information processed through the AutoGuard platform on behalf of a Customer (e.g. data about a security company's guards, sites and incidents), AutoGuard App acts as an operator, and the Customer is the responsible party. In that case, the Customer's own privacy notice governs the relevant data subjects, and we process the information only on the documented instructions of the Customer.

In accordance with section 55 of POPIA, our Information Officer is the appointed director responsible for compliance and the handling of data subject requests.

The Information Officer can be contacted at:

The Information Officer
AutoGuard App (Pty) Ltd
Email: info@leogroup.co.za
Phone: +27 12 111 9164

We collect different categories of Personal Information depending on how you interact with us.

5.1 From website visitors and prospects

• Contact details: name, surname, work email address, telephone number, job title, company name.
• Enquiry content: the messages you send us, the modules you are interested in, your operating context (number of sites, guards, region).
• Technical data: IP address, device type, browser type, operating system, referring URL, pages viewed, time stamps.
• Marketing preferences: where you have opted in to receive marketing communications.

5.2 From Customer administrators and platform users

• Account credentials: username, password (hashed), multi-factor authentication factors, IP address of logins.
• Profile data: full name, work email, work telephone, role, photograph (optional).
• Usage data: pages and modules accessed, actions performed, audit log events.

5.3 Processed on behalf of Customers (operator role)

When our Customers use AutoGuard to manage their security operations, the following categories of Personal Information may be processed about their staff, contractors and other data subjects. AutoGuard App does not determine the purpose or means of this processing; it is processed strictly on the Customer's instructions:

• Identity data: full name, identity number, date of birth, gender, nationality, photograph.
• Employment data: employee number, PSIRA grade and registration number, employment contract metadata, employment status, certifications, expiry dates of documents (driver's licence, firearm competency, etc.).
• Contact data: residential and postal addresses, personal telephone, next-of-kin / emergency contact details.
• Operational data: shift assignments, rosters, sites worked, clock-in / clock-out events (with geolocation and photograph), patrol checkpoints scanned, occurrence book entries.
• Incident and evidence data: incident reports, photographs, voice notes, videos, statements, witness details, vehicle registrations, descriptions of suspects.
• Fleet and weapons data: firearm allocations, serial numbers, ammunition register, vehicle inspection records.
• Payroll-adjacent data: leave applications, overtime, attendance variance and salary band (where the Customer has enabled payroll integration).
• Biometric data (special Personal Information): facial photographs captured during clock-in for verification. This is processed only where the Customer has obtained the data subject's consent or where another lawful basis under section 27 of POPIA applies.
• Location data: real-time GPS position of mobile devices while users are on shift and the “on duty” flag is active.

We collect Personal Information:

• Directly from you, when you complete forms on our website, request a demo, register an account, contact support, attend a meeting or correspond with us.
• From Customer administrators, when they upload or enter information about their staff and operations into the platform.
• From end-users of the mobile app, when they log in, capture incidents, scan checkpoints, clock in or upload media.
• Automatically, through cookies, server logs, analytics tools and security monitoring.
• From third parties, such as identity verification providers, payment processors and lead-generation partners, where applicable and on a lawful basis.

We process Personal Information only for specific, explicitly defined and lawful purposes, as required by section 13 of POPIA. The table below sets out the principal purposes for which we process Personal Information as a responsible party, and the lawful basis on which we rely:

• To respond to enquiries and provide quotes: Performance of, or steps prior to entering into, a contract (section 11(1)(b)).
• To deliver and support the Services: Performance of a contract (section 11(1)(b)).
• To send transactional and service communications (e.g. password resets, security alerts, billing notices): Performance of a contract and legitimate interests (section 11(1)(b) and (f)).
• To send marketing communications about AutoGuard and related products: With consent (section 11(1)(a) and section 69 of POPIA), and only where the recipient has opted in or is an existing customer in respect of similar products.
• To meet legal and regulatory obligations (e.g. tax, anti-money laundering, statutory record-keeping): Compliance with a legal obligation (section 11(1)(c)).
• To detect, prevent and investigate fraud, unauthorised access and security incidents: Legitimate interests of AutoGuard App and our Customers (section 11(1)(f)) and protection of a legitimate interest of the data subject (section 11(1)(d)).
• To improve the Services and conduct analytics: Legitimate interests (section 11(1)(f)), and only using aggregated or de-identified information wherever practicable.

Where we process Personal Information as an operator on behalf of a Customer, we do so for the purposes determined by that Customer, on its documented instructions.

Some categories processed through AutoGuard (such as facial photographs used for clock-in verification, and information about criminal behaviour captured in incident reports) constitute “special Personal Information” under section 26 of POPIA.

Such information is processed only:

• With the express consent of the data subject; or
• Where another lawful exception under section 27 of POPIA applies (for example, processing necessary for the establishment, exercise or defence of a right or obligation in law); and
• With additional technical and organisational security measures appropriate to the sensitivity of the data.

It is the responsibility of the Customer (as responsible party) to ensure that an appropriate lawful basis exists before submitting special Personal Information to the platform.

AutoGuard is intended for use in a workplace context and is not directed at children under the age of 18. We do not knowingly process the Personal Information of children, except where it is processed as part of an incident report by our Customers and the conditions of section 35 of POPIA are met.

We do not sell Personal Information. We share Personal Information only as necessary to deliver the Services or to meet legal obligations, including with:

• Hosting and infrastructure providers (e.g. cloud servers located in South Africa or, where agreed, the European Union), bound by written agreements requiring POPIA-equivalent protection.
• Email and SMS providers for the delivery of transactional and notification messages.
• Payment processors for the processing of subscription or licence fees.
• Identity and document verification providers, where the Customer has enabled this feature.
• Professional advisors (auditors, lawyers, accountants) under appropriate confidentiality obligations.
• Law enforcement, regulators and courts, where required by law or where necessary to protect our rights or the rights of others.
• Acquirers, in the event of a sale, merger, reorganisation or sale of substantially all of our assets, in which case we will ensure equivalent protection of Personal Information.

All third parties acting on our behalf are required to process Personal Information only on our instructions, to maintain confidentiality and to apply appropriate security safeguards.

Personal Information processed through AutoGuard is hosted in the Republic of South Africa by default, on infrastructure that supports POPIA compliance.

Where Personal Information is transferred outside the Republic of South Africa (for example to cloud regions in the European Union or to support providers in another country), such transfers are made only in accordance with section 72 of POPIA, including:

• To countries that provide an adequate level of protection through legislation; or
• Under binding agreements with the recipient that uphold POPIA-equivalent protection; or
• With the data subject's consent; or
• Where the transfer is necessary for the performance of a contract with the data subject.

We retain Personal Information only for as long as is reasonably necessary to fulfil the purposes for which it was collected, or as required by law. Retention periods include:

• Sales and marketing enquiries: 24 months from the last interaction, unless an active customer relationship exists.
• Customer account and billing records: for the duration of the customer relationship, plus 5 (five) years thereafter for tax and audit purposes (in line with the Tax Administration Act, 2011).
• Operational data processed on behalf of Customers (shifts, incidents, occurrence book entries, evidence): retained for the duration of the Customer's licence and in accordance with the Customer's retention instructions. Customers may configure retention periods within the platform.
• Audit logs and security logs: 12 months from creation, save where extended retention is required for ongoing investigations.
• Marketing consents: retained until withdrawn, plus a reasonable period to evidence the consent.

On termination or expiry of a Customer's licence, Customer Data will be made available for export for a period of 30 (thirty) days, after which it will be deleted or de-identified, unless retention is required by law or for the establishment, exercise or defence of legal claims.

We apply appropriate, reasonable technical and organisational measures to secure Personal Information against loss, damage, unauthorised access, alteration or disclosure, as required by section 19 of POPIA. These measures include:

• Encryption of Personal Information in transit (TLS 1.2 or higher) and at rest.
• Role-based access control, principle of least privilege, and multi-factor authentication for administrator accounts.
• Network segmentation, firewalls, intrusion detection and continuous vulnerability monitoring.
• Daily encrypted backups with periodic restore testing.
• Audit logging of administrative actions on the platform.
• Staff training on POPIA, information security and confidentiality, and contractual non-disclosure obligations.
• Documented incident response procedures.

No security measure can guarantee absolute protection. In the unlikely event of a security compromise that creates a reasonable belief that the Personal Information of a data subject has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible, in line with section 22 of POPIA.

Our website uses cookies and similar technologies to operate properly, remember preferences, measure performance and (where you consent) deliver marketing. The categories of cookies we use are:

• Strictly necessary cookies: required for the website to function, including session management and security. These are set without consent.
• Functional cookies: remember settings such as theme preference (light / dark mode) and language.
• Analytics cookies: help us understand how visitors use the site so that we can improve it. Set only with your consent.
• Marketing cookies: used to deliver relevant advertising and measure campaign effectiveness. Set only with your consent.

You can control cookies through your browser settings and through any cookie consent banner we provide on the site. Blocking strictly necessary cookies may affect site functionality.

We comply with section 69 of POPIA, the Consumer Protection Act, 2008, and the ECT Act in relation to direct marketing. We will only send electronic direct marketing where:

• You are an existing customer and the marketing relates to similar products, with an option to opt out in every message; or
• You have given prior, voluntary, specific and informed consent to receive such communications.

You can opt out of marketing communications at any time by using the “unsubscribe” link in any email, by replying STOP to an SMS, or by contacting info@leogroup.co.za.

You have the following rights in respect of your Personal Information, in line with sections 23 to 25 of POPIA:

• Right to be notified: to be informed that Personal Information about you is being collected, or that it has been accessed without authorisation.
• Right of access: to request confirmation of whether we hold Personal Information about you and to request a record or description of that information.
• Right to correction or deletion: to request that we correct or delete Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained.
• Right to object: on reasonable grounds, to the processing of your Personal Information, including for the purposes of direct marketing.
• Right to withdraw consent: where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: with the Information Regulator (see clause 17 below).

To exercise any of these rights, please contact our Information Officer at info@leogroup.co.za. We may need to verify your identity before responding. Requests will be processed using the prescribed POPIA Form 2 where applicable.

If your Personal Information is processed through AutoGuard by a Customer (for example, by your employer), you should direct your request to that Customer in the first instance, as they are the responsible party for that processing.

You have the right to lodge a complaint with the Information Regulator (South Africa) if you believe we have not complied with POPIA. The Regulator's contact details are:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email (general): inforeg@justice.gov.za
Email (complaints): complaints.IR@justice.gov.za
Website: inforegulator.org.za

The AutoGuard website may contain links to third-party websites. We are not responsible for the content or privacy practices of those sites, and we encourage you to review their privacy policies before providing any Personal Information.

We may update this Policy from time to time. Material changes will be communicated via the website or by direct notice to active Customers at least 30 (thirty) days before they take effect. The “Last updated” date at the top of this page reflects the latest version.

If you have questions about this Policy or how we process Personal Information, please contact:

AutoGuard App (Pty) Ltd
Attention: The Information Officer
Waterford Court Office Park, Block I, Unit I43
236 Glover Avenue, Die Hoewes, Centurion, 0163
Email: info@leogroup.co.za
Phone: +27 12 111 9164