Privacy Policy
Effective date: [TO CONFIRM: launch date]
Last updated: 2026-05-05
This Privacy Policy describes how Humanitas (Pty) Ltd (“Humanitas”, “we”, “us”) collects, uses, and protects information in connection with BlueBerry by Humanitas (the “Service”). It is written to comply with the Protection of Personal Information Act, 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).
If you have any questions about this policy, contact our Information Officer at support@humanitas.co.za.
1. Who is responsible for your information
For the practitioner account you create with us, Humanitas is the responsible party / data controller.
For information you record about your clients in BlueBerry (for example, screening responses or notes), you, the practitioner, are the responsible party / data controller, and Humanitas is the operator / data processor acting on your instructions, subject to the Terms of Service.
Information Officer: [TO CONFIRM: name], Humanitas (Pty) Ltd, [TO CONFIRM: registered office address], Cape Town, South Africa. Email: support@humanitas.co.za.
2. What we collect
| Category | Examples | Purpose | Linked to identity? |
|---|---|---|---|
| Account data | Name, email, password hash, professional role | Operate your account, sign-in, communicate with you about the Service | Yes |
| Practice data (yours) | Notes, preferences, toolkit selections | Provide the Service across your devices | Yes |
| Client-related data (entered by you) | Screening responses, scores, notes about a client | Provide the Service to you for your clients (you are the controller) | Indirectly — via your account |
| Device & technical data | Device model, OS version, app version, language, time zone, IP address (for sign-in only) | Operate the app, secure the Service, diagnose crashes | Yes |
| Diagnostic data | Crash logs, error reports | Detect and fix faults | Pseudonymised |
| Support correspondence | Emails you send us | Respond to your enquiry | Yes |
We do not collect: precise location, contacts, photos, microphone or camera data, advertising identifiers, browsing history outside the app, or biometric data. We do not use the Service to track you across other companies’ apps or websites.
3. How we use information
We use the information we collect to:
- Authenticate users and operate the Service;
- Sync your practice data securely across your devices;
- Detect, investigate, and prevent fraud, abuse, or security incidents;
- Respond to your support requests and important Service notices;
- Comply with legal and regulatory obligations.
The lawful basis for processing under GDPR (where applicable) is:
- Performance of a contract with you (operating the Service);
- Legitimate interests in keeping the Service secure and improving it (we balance this against your rights);
- Legal obligation where applicable (e.g. tax, fraud prevention);
- Consent, where we explicitly request it (e.g. optional analytics, if introduced).
Under POPIA, we process personal information in line with the eight conditions for lawful processing, including accountability, processing limitation, purpose specification, and security safeguards.
4. Sharing — who else processes your information
We do not sell personal information. We do not share it with third parties for advertising.
We share information with the following service providers (“operators”), bound by written agreements that limit them to processing the data only for us:
| Operator | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) |
| GitHub Container Registry / Amazon Lightsail | Hosting backend and admin services | [TO CONFIRM: region] |
| [TO CONFIRM: email/transactional sender] | Sending account and support emails | [TO CONFIRM: region] |
| [TO CONFIRM: error/crash reporter — e.g. Sentry, or “none at launch”] | Diagnostic data | [TO CONFIRM: region] |
| [TO CONFIRM: analytics — or state “no analytics”] | Aggregate product usage | [TO CONFIRM] |
We will update this list when subprocessors change. We do not transfer information to operators in other regions without ensuring adequate safeguards (Standard Contractual Clauses, the operator’s binding corporate rules, or an equivalent mechanism recognised under POPIA s.72 and GDPR Chapter V).
We may also disclose information when required by law, to protect our rights or those of our users, or as part of a merger, acquisition, or sale of assets — in which case you will be notified.
5. Where your information is stored
Your information is stored primarily in the European Union (Supabase Frankfurt). Some operational metadata may be processed elsewhere as listed above. By using the Service from outside the EU, you understand that your information will be transferred to and stored in the regions listed.
6. How long we keep your information
| Type | Retention |
|---|---|
| Account data | While your account is active, then deleted on request or after [TO CONFIRM: inactivity period — typical 24 months] of inactivity |
| Practice data | While your account is active; deleted on account deletion |
| Diagnostic and crash logs | [TO CONFIRM: 30–90 days] |
| Support correspondence | [TO CONFIRM: 24 months] for service-quality and legal-defence purposes |
| Backups | Rotated within [TO CONFIRM: 30–90 days] |
| Deletion records (timestamp + hashed identifier) | [TO CONFIRM: 12–24 months] for fraud prevention |
See Account deletion for the deletion process and timeline.
7. How we protect your information
We use technical and organisational safeguards including:
- TLS encryption in transit;
- Encryption at rest in our database and storage;
- Row-level security so users only access their own records;
- Role-based access controls for our staff, with audit logging;
- Regular dependency and vulnerability scanning;
- The principle of least privilege for credentials and operator access.
No system is perfectly secure. If a personal-information breach occurs that is likely to result in harm, we will notify the Information Regulator (South Africa) and affected users as soon as reasonably possible in line with POPIA s.22 (and, where applicable, within 72 hours of becoming aware in line with GDPR Art.33).
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you;
- Correct information that is inaccurate;
- Delete your information (see Account deletion);
- Object to or restrict certain processing;
- Portability — receive a copy of your data in a structured, machine-readable format;
- Withdraw consent at any time, where processing is based on consent;
- Lodge a complaint with a supervisory authority — in South Africa, the Information Regulator; in the EU, your local Data Protection Authority.
To exercise any of these rights, email support@humanitas.co.za. We will respond within [TO CONFIRM: 30 days] and may ask for verification of your identity.
9. Cookies and similar technologies
The BlueBerry mobile app does not use cookies. The marketing website (this site) uses only essential functionality and does not set tracking or advertising cookies. [TO CONFIRM: confirm whether self-hosted analytics will be added.]
10. Children
BlueBerry is intended for licensed or training wellness practitioners aged 18 or older and is not directed at children. We do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us so we can delete it.
Information that practitioners record about clients who are minors is governed by the practitioner’s own consent and disclosure obligations. The practitioner is the controller of that information.
11. Automated decision-making
BlueBerry computes screening scores using published, validated algorithms (e.g. PHQ-9 scoring). These are not automated decisions about you; they are tools to support a practitioner’s clinical judgment. We do not use solely automated processing that produces legal or similarly significant effects.
12. Changes to this policy
We may update this Privacy Policy. If we make material changes, we will notify you through the app or by email at least [TO CONFIRM: 14–30] days before the changes take effect. The “Last updated” date at the top of this page reflects the latest revision.
13. Contact
For privacy questions, data requests, or to reach the Information Officer:
Humanitas (Pty) Ltd, [TO CONFIRM: registered office address], Cape Town, South Africa
Email: support@humanitas.co.za