Privacy Policy
Effective date: 29 May 2026 · Last updated: 29 May 2026
1. Who we are
BizTrack Tuckshop is a school tuckshop ordering platform operated by BZ Tracking Solution (Pty) Ltd (registration number 2014/231948/07), referred to in this policy as "we", "us", or "BizTrack".
The platform enables school students to place food orders in advance, parents to pay for those orders, and kitchen staff to manage and fulfil orders. It is available as a mobile app (Android, iOS, Huawei AppGallery) and a parent/admin web app. (A prepaid wallet feature is currently disabled and not available; orders are paid for directly per transaction.)
2. Scope and applicable law
This policy applies to all personal information we process in connection with BizTrack Tuckshop. We are bound by the Protection of Personal Information Act, 4 of 2013 (POPIA) and comply with its eight conditions for lawful processing.
By using the app or registering a student account, you acknowledge that you have read and understood this policy. Where the student is a minor, the parent or guardian provides consent on the student's behalf as part of the WhatsApp OTP verification flow.
3. Personal information we collect
| Category | Information collected | Source |
|---|---|---|
| Student identity | First name, last name, grade, class name, school tuckshop | Entered by parent at registration |
| Parent / guardian contact | WhatsApp mobile number (used as account identity and OTP delivery channel) | Entered by parent at registration |
| Orders | Items ordered, quantities, prices, order status, timestamps, scheduled pickup time | Generated when student places an order |
| Payments | Payment card tokenisation reference from PayFast (we never store card numbers, expiry dates, or CVVs). Wallet balance and wallet transaction history apply only when the prepaid wallet is enabled — it is currently disabled. | Automatically generated; PayFast processes card data |
| Device and session | Anonymous authentication identifier (Supabase), push notification token (OneSignal), app session data | Automatically generated by the app |
| Usage analytics | In-app event names, tuckshop identifiers, timestamps. No third-party analytics SDKs are used; all data is stored on our own infrastructure. | Automatically recorded in-app |
| Crash and error reports | Technical error messages and stack traces sent to Sentry. Error messages are sanitised and never contain names, phone numbers, or financial details. | Automatically collected on app error |
4. Why we collect this information
- To create and manage student accounts and link them to the correct school tuckshop.
- To verify parent or guardian consent via a one-time password sent to the provided WhatsApp number.
- To process food orders, including sending them to the kitchen and issuing receipts.
- To facilitate PayFast card payments for orders.
- When the prepaid wallet is enabled (it is currently disabled), to operate and display the wallet balance and transaction history to the student and linked parents, and to facilitate wallet top-ups.
- To send push notifications about order status (e.g. "ready for collection").
- To provide tuckshop operators and school administrators with order and sales data for their tuckshop.
- To diagnose and fix technical errors and improve the app.
- To comply with legal and regulatory obligations.
We do not use personal information for advertising, profiling, or any purpose unrelated to the operation of the tuckshop ordering service.
5. Lawful basis for processing
We process personal information on the following grounds under POPIA:
- Performance of a contract — to deliver the ordering service the user registered for.
- Consent — parent or guardian consent is obtained via WhatsApp OTP at registration for student accounts.
- Legitimate interests — for security monitoring, error diagnosis, and platform improvement, where these interests do not override the data subject's rights.
- Legal obligation — where required by South African law.
6. Who we share information with
School tuckshop operators
Tuckshop staff see the student's name, grade, class, and the items in each order. They do not see the student's wallet balance, payment card details, or the parent's contact information.
PayFast (payment processor)
Card payment data is processed by PayFast (Pty) Ltd under their own privacy policy. We only receive a tokenised reference, not the card details.
Meta (WhatsApp Business Cloud API)
We use Meta's WhatsApp Business Cloud API to deliver one-time passwords. The parent's phone number is transmitted to Meta solely for message delivery.
OneSignal (push notifications)
Order status push notifications are delivered via OneSignal. We share a device push token and the relevant order status message. No personal details are included in the notification payload beyond what is necessary for delivery.
Sentry (crash reporting)
Technical error reports are sent to Sentry. Reports are sanitised and contain no personal identifiers.
Supabase (infrastructure)
All application data is hosted on Supabase (AWS Frankfurt region) under a data processing agreement. Data is stored within the European Economic Area.
We do not sell, rent, or trade personal information with any third party.
7. How long we keep information
We retain personal information for 36 months from the date of last activity on the associated account, unless a longer period is required by law or is necessary to resolve a dispute.
After the retention period, account data is deleted or anonymised such that it can no longer be linked to an individual.
You may request earlier deletion of your account at any time — see section 9.
8. How we protect your information
- All data in transit is encrypted using TLS.
- Data at rest is encrypted using AES-256 by our hosting provider.
- Access to production data is restricted to authorised personnel only, and all privileged access is logged for audit.
- Row-level security policies in the database ensure that each student, parent, and tuckshop can only access their own data.
- Payment card data is never stored on our systems — it is processed and tokenised entirely by PayFast.
- One-time passwords expire after 10 minutes and are single-use only.
9. Your rights under POPIA
As a data subject, you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request that inaccurate or incomplete information be corrected.
- Deletion — request that your account and associated personal information be deleted. The app provides an in-app account deletion option under your profile settings.
- Objection — object to the processing of your personal information in certain circumstances.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
To exercise any of these rights, contact our Information Officer at tuckshop@biztrack.co.za. We will respond within 30 days.
10. Complaints
If you believe we have not handled your personal information lawfully, you may lodge a complaint with the Information Regulator (South Africa):
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated through the app or by email before they take effect. The "Last updated" date at the top of this page always reflects the most recent version.
12. Contact us
BZ Tracking Solution (Pty) Ltd
Registration number: 2014/231948/07
Information Officer: Gustaff Pain