Privacy Policy
Tallyd (Pty) Ltd Effective Date: [To be confirmed before launch] Last Updated: 3 April 2026
This Privacy Policy explains how Tallyd (Pty) Ltd ("Tallyd", "we", "us", or "our") collects, uses, stores, and protects information through our website at tallyd.co.za, our dashboard application at app.tallyd.co.za, and our field-deployed traffic monitoring devices (together, the "Services").
Tallyd is a traffic analytics platform for the Out-of-Home (OOH) advertising industry. We use on-device computer vision to count and classify vehicles near billboard sites, then deliver those analytics through a web dashboard to media owners, agencies, and advertisers.
This policy is drafted in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and applies to all users of our Services within the Republic of South Africa.
1. Important Definitions
Under POPIA:
- Personal information means information relating to an identifiable, living, natural person or an identifiable, existing juristic person. This includes names, email addresses, and online identifiers.
- Responsible party means the person who determines the purpose of and means for processing personal information. Tallyd is the responsible party for the personal information described in this policy.
- Operator means a person who processes personal information on behalf of a responsible party under a contract or mandate.
- Data subject means the person to whom personal information relates.
- Processing means any operation performed on personal information, including collection, storage, use, modification, dissemination, and destruction.
2. Information Officer
Tallyd has designated the following contact for all privacy-related enquiries and data subject requests:
- Information Officer: [Name to be confirmed]
- Email: info@tallyd.co.za
- Postal Address: [To be confirmed — Gauteng, South Africa]
You may also lodge a complaint with the Information Regulator (South Africa):
- Website: https://inforegulator.org.za
- Email: complaints.IR@justice.gov.za
- Tel: 012 406 4818
3. What Information We Collect
Tallyd operates in two distinct data contexts. We describe each separately because they involve fundamentally different types of information.
3.1 Traffic Monitoring Data (No Personal Information)
Our field devices (Raspberry Pi units mounted near billboard sites) use computer vision to count and classify vehicles passing the billboard. This processing is designed from the ground up to avoid capturing any personal information.
What the device does:
- Captures video frames from a fixed CCTV camera pointed at the roadway.
- Runs a vehicle detection model (YOLOX-Tiny) and tracker (ByteTrack) entirely on the device itself. No video frames are ever transmitted to the cloud or stored on the device beyond the instant of processing.
- Counts vehicles by class (car, truck, bus, motorcycle) and direction of travel (toward or away from the billboard).
- Aggregates counts into 15-minute summary windows before transmitting them to our cloud database.
What we collect and store:
| Data Type | Description | Contains Personal Information? |
|---|---|---|
| Traffic summaries | Vehicle counts per class, per direction, per 15-minute window | No |
| Vehicle crops | Tightly-bounded images of vehicles where the model had low confidence, used to improve accuracy | No — crops contain only the vehicle body, not faces, licence plates, or pedestrians |
| Proof-of-posting photos | Daily timestamped photos of the billboard face, confirming the advertisement is displayed | No — the camera captures only the billboard, not the road or passers-by |
| Device health telemetry | CPU temperature, battery voltage, LTE signal strength, processing speed, uptime | No |
What we do NOT collect:
- Raw video footage (frames are processed in memory and immediately discarded)
- Licence plate numbers or characters
- Facial images or biometric data
- Pedestrian or cyclist data (the person detection class is explicitly filtered out)
- Audio of any kind
- Mobile device identifiers, Bluetooth beacons, or Wi-Fi probe data
Because traffic monitoring data does not relate to an identifiable natural person, it does not constitute personal information under POPIA. We nonetheless apply strong security measures to this data as described in Section 8.
3.2 Dashboard User Data (Personal Information)
When you create an account on our dashboard at app.tallyd.co.za, or when your organisation administrator invites you, we collect personal information necessary to provide you with access to our Services.
Information we collect from dashboard users:
| Data Type | Purpose | Legal Basis (POPIA) |
|---|---|---|
| Email address | Account creation, authentication, service communications | Necessary for contract performance (s11(1)(b)) |
| Display name | Identifying you within your organisation's dashboard | Necessary for contract performance (s11(1)(b)) |
| Organisation membership | Associating you with your company's data and controlling your access scope | Necessary for contract performance (s11(1)(b)) |
| Role (e.g. admin, member, viewer) | Determining what features and data you can access | Necessary for contract performance (s11(1)(b)) |
| Password (hashed) | Authenticating your identity | Necessary for contract performance (s11(1)(b)) |
| Session tokens | Maintaining your logged-in session | Legitimate interest in service delivery (s11(1)(f)) |
Information we do NOT collect from dashboard users:
- Physical address or phone number
- Identity or passport numbers
- Financial information (billing is handled manually in the current version; when payment processing is added, it will be handled by a PCI-compliant third-party provider and we will update this policy)
- Location data from your device
- Usage tracking or behavioural analytics (we do not use Google Analytics, tracking pixels, or similar tools on our dashboard)
4. How We Use Your Information
We use dashboard user personal information for the following purposes only:
- Providing the Services: Authenticating you, displaying the correct organisation's traffic data, enforcing role-based access controls, and delivering analytics reports.
- Account management: Processing invitations, managing user roles, and handling account changes or deletions.
- Service communications: Sending essential account-related emails such as magic link sign-in emails, password reset requests, and invitation notifications. We do not send marketing emails.
- Security and integrity: Detecting and preventing unauthorised access, monitoring for abuse, and maintaining audit logs.
- Improving the Services: Using aggregated, non-identifiable usage patterns (such as which dashboard pages are visited most) to improve product design. We do not profile individual users.
We do not use your personal information for automated decision-making or profiling as defined under POPIA.
5. Legal Basis for Processing
Under POPIA, we process personal information on the following grounds:
| Processing Activity | Legal Basis |
|---|---|
| Dashboard account data (email, name, role) | Contract performance (s11(1)(b)) — necessary to deliver the SaaS service you or your organisation subscribed to |
| Session cookies and authentication tokens | Legitimate interest (s11(1)(f)) — necessary to maintain secure, authenticated sessions |
| Audit logging of account actions | Legitimate interest (s11(1)(f)) — necessary to maintain security and comply with POPIA's security safeguard obligation (s19) |
| Traffic monitoring data | Not personal information — POPIA does not apply, but we process this data under our contractual obligations to client organisations |
6. Data Retention
We retain different categories of data for different periods, based on their purpose:
| Data Category | Retention Period | Reason |
|---|---|---|
| Traffic detection records | 90 days | Provides sufficient granular data for client reporting; older records are replaced by permanent summaries |
| Traffic summaries (aggregated) | Indefinite | Required for long-term trend analysis, year-over-year comparisons, and historical reporting |
| Vehicle crops | Until reviewed + 30 days | Retained only for model accuracy improvement; deleted once reviewed by a human analyst |
| Proof-of-posting photos | Contract duration + 90 days | Required for advertising verification during the contract period |
| Device health telemetry | Indefinite | Required for long-term device performance monitoring and maintenance planning |
| User account data | Until account deletion | Retained while your account is active; deleted upon your request or when your organisation removes you |
| Invitation records | 7 days (pending) / 90 days (expired or revoked) | Pending invitations expire after 7 days; expired or revoked records are cleaned up after 90 days |
| Audit logs | 1 year | Required for security monitoring and POPIA compliance |
When data reaches the end of its retention period, it is permanently deleted through automated processes. We do not archive personal information beyond the periods stated above.
7. Who We Share Data With
We do not sell, rent, or trade your personal information. We share data only with the following categories of recipients, and only to the extent necessary to deliver the Services:
7.1 Infrastructure Service Providers (Operators under POPIA)
| Provider | Role | Data Accessed | Location |
|---|---|---|---|
| Supabase (via AWS) | Database hosting, user authentication, file storage, and serverless functions | All dashboard user data and traffic data | EU (London, eu-west-2) |
| Vercel | Frontend application hosting | Serves the dashboard application; may process request metadata (IP addresses, user agents) in server logs | Global CDN with origin in the US |
| Vodacom / MTN IoT | LTE connectivity for field devices | Transmits encrypted traffic summaries and device health data from field devices to our cloud infrastructure | South Africa |
Each of these providers acts as an operator under POPIA and processes data only on our instructions. We have satisfied ourselves that each provider maintains appropriate security measures. Supabase and Vercel both publish Data Processing Agreements and maintain SOC 2 Type II compliance.
7.2 Your Organisation
If you access Tallyd through an organisation account, your organisation's administrators can see your name, email address, and role within the organisation. They can also invite you, change your role, or remove you from the organisation.
7.3 Law Enforcement and Legal Obligations
We may disclose personal information if required to do so by South African law, a court order, or a lawful request from a government authority. We will notify you of such a request unless prohibited by law from doing so.
8. Cross-Border Data Transfers
Our primary database is hosted by Supabase on AWS infrastructure in the EU (London, eu-west-2 region). This means that personal information collected from South African users is transferred to and stored in the United Kingdom.
Under POPIA section 72, cross-border transfers of personal information are permitted where the recipient country has adequate data protection legislation. The United Kingdom maintains data protection legislation (UK GDPR and Data Protection Act 2018) that the Information Regulator has recognised as providing an adequate level of protection.
Vercel's global CDN may route requests through servers in multiple countries, but the dashboard application does not store personal information in Vercel's infrastructure beyond transient server logs.
No personal information is transferred to countries without adequate data protection legislation.
9. Security Measures
We take the security of your information seriously and have implemented the following technical and organisational measures:
In transit:
- All data transmitted between your browser and our servers is encrypted using TLS 1.3.
- All data transmitted from field devices to our cloud infrastructure is encrypted using TLS 1.3 over LTE.
- Field devices connect to our management network via Tailscale, an encrypted mesh VPN.
At rest:
- All data stored in our database and file storage is encrypted using AES-256 encryption (managed by AWS).
- User passwords are hashed using bcrypt and are never stored in plain text.
- Device authentication keys are hashed using bcrypt (cost factor 10) and the plain text key is displayed only once during provisioning.
Access controls:
- Multi-tenant data isolation is enforced at the database level through Row-Level Security (RLS) policies. Every data record carries an organisation identifier, and the database enforces that users can only query their own organisation's data.
- Dashboard access is controlled through four role levels (super_admin, org_admin, org_member, org_viewer), each with specific permissions.
- Access tokens expire after 1 hour and refresh tokens after 7 days. Refresh token reuse is detected and triggers automatic revocation of the entire token family.
Operational:
- Audit logging is maintained for security-relevant account actions and retained for 1 year.
- Automated data cleanup processes enforce retention periods as described in Section 6.
10. Cookies and Session Storage
Our dashboard application uses cookies and browser storage for authentication and functionality. We do not use cookies for advertising, tracking, or analytics.
| Cookie / Storage Item | Purpose | Type | Lifespan |
|---|---|---|---|
| Supabase access token | Authenticates your session with our API | Strictly necessary | 1 hour |
| Supabase refresh token | Renews your session without requiring re-login | Strictly necessary | 7 days |
| Theme preference | Remembers your dark/light mode selection | Functional | Persistent (until cleared) |
Strictly necessary cookies are required for the dashboard to function and cannot be disabled. Without them, you would be unable to log in or maintain a session.
Functional cookies remember your preferences to improve your experience. They do not collect personal information beyond your stated preference.
We do not use any third-party analytics, advertising, or social media cookies. If this changes in the future, we will update this policy and our Cookie Policy before deploying any such cookies.
For full details, see our Cookie Policy.
11. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights in relation to your personal information:
Right of Access (s23)
You may request confirmation of whether we hold personal information about you, and request a copy of that information. We will respond within 30 days.
Right to Correction (s24)
If your personal information is inaccurate, incomplete, or misleading, you may request that we correct or update it. You can also update your display name and email address directly through the dashboard settings.
Right to Deletion (s24)
You may request that we delete your personal information. Upon receiving a valid deletion request:
- We will delete your user profile and authentication records.
- Your organisation administrator can also remove you, which triggers deletion of your user data.
- Traffic data associated with your organisation is not personal information and is not affected by individual deletion requests.
Right to Object (s11(3))
You may object to the processing of your personal information on grounds of legitimate interest. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Restrict Processing
You may request that we restrict the processing of your personal information while a complaint or objection is being resolved.
Right to Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Information Regulator (contact details in Section 2 above). We encourage you to contact us first so we can attempt to resolve your concern.
How to Exercise Your Rights
To exercise any of these rights, contact our Information Officer at info@tallyd.co.za with the subject line "POPIA Data Subject Request". Please include:
- Your full name and the email address associated with your Tallyd account
- A description of the right you wish to exercise
- Any supporting information that will help us identify the relevant data
We will verify your identity before processing any request and will respond within 30 days as required by POPIA. There is no fee for exercising your rights.
12. Children's Information
Our Services are not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information, please contact our Information Officer and we will take steps to delete that information.
13. Third-Party Links
Our website and dashboard may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with any personal information.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy.
- Post a notice on our dashboard for logged-in users.
- Where required by POPIA, notify affected data subjects by email.
We encourage you to review this policy periodically. Your continued use of the Services after a change has been posted constitutes your acknowledgement of the updated policy.
15. Governing Law
This Privacy Policy is governed by the laws of the Republic of South Africa. Any disputes arising from this policy will be subject to the jurisdiction of the High Court of South Africa, Gauteng Division.
16. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: info@tallyd.co.za
- Entity: Tallyd (Pty) Ltd
- Jurisdiction: Gauteng, South Africa
This Privacy Policy is specific to Tallyd's traffic analytics platform and the data processing activities described herein. It should be read together with our Terms of Service and Cookie Policy.