Legal & Compliance
Official Document Effective 1 April 2025 · v1.0

Privacy Policy

How we collect, use, and protect your data

PRIVACY POLICY

Livi Lemphakatsi Citizen Engagement Platform

Effective Date: 1 April 2025
Version: 1.0

1. WHO WE ARE

1.1 Data Controller Identity

This privacy policy governs the collection, use, and protection of your personal information when you use the Livi Lemphakatsi citizen engagement platform ("Platform"), which includes:

  • Livi Lemphakatsi mobile application (available on iOS and Android)
  • Livi Lemphakatsi web portal (accessible via web browsers)

The Platform is operated by:

Mpumalanga Provincial Government
Department of Cooperative Governance, Human Settlements and Traditional Affairs (CoGHSTA)

Contact Details:

1.2 Information Officer

As required by the Protection of Personal Information Act, 2013 ("POPIA"), we have designated an Information Officer. To contact the Information Officer, please reach out via Primary Platform Support:

The Information Officer is responsible for:

  • Ensuring compliance with POPIA
  • Handling data subject requests
  • Managing data protection procedures
  • Liaison with the Information Regulator

2. WHAT PERSONAL INFORMATION WE COLLECT

2.1 Information You Provide Directly

2.1.1 Registration Information

  • Mobile phone number (MSISDN) - Used as your unique identifier
  • First name and surname - For account identification
  • Home address details (address lines, postal code, province, district, municipality, ward)
  • Work address details (optional)

2.1.2 Issue Reporting Information

  • Issue descriptions - Free-text descriptions of service delivery problems
  • Location information - GPS coordinates and physical addresses where issues occur
  • Photo attachments - Images you upload to document issues
  • Contact preferences - How you wish to receive updates

2.1.3 Disaster Management Information

  • Missing person reports - Names and details of missing persons
  • Emergency incident reports - Details of disasters or emergencies
  • Help requests - Assistance needed during disasters
  • Volunteer information - Details if you register as a disaster response volunteer

2.1.4 Feedback Information

  • Ratings - Quality ratings for resolved issues
  • Comments - Free-text feedback on service delivery
  • Suggestions - Improvement recommendations
  • Compliments - Positive feedback on government services

2.2 Information Collected Automatically

2.2.1 Location Data

  • GPS coordinates - Precise location when you use location-based features
  • Address data - Reverse geocoded addresses from GPS coordinates
  • Ward/municipality mapping - Administrative boundary assignments

2.2.2 Device and Technical Information

  • Device identifiers - Through Firebase SDK integration
  • App usage data - Last activity timestamps, feature usage
  • Push notification tokens - Firebase Cloud Messaging tokens
  • Session information - Login/logout times, session duration

2.2.3 Usage Analytics

  • API activity logs - System interactions for troubleshooting
  • Feature usage patterns - Which services you access
  • Performance data - App crashes, loading times (via Firebase)

3. WHY WE COLLECT YOUR INFORMATION (LAWFUL BASIS)

We process your personal information to fulfill our constitutional and legal mandate to deliver municipal services:

  • Issue tracking and resolution - To address service delivery problems
  • Geographic assignment - To route issues to correct municipal departments
  • Progress updates - To keep you informed of resolution status
  • Quality assurance - To ensure service delivery standards

3.2 Emergency Services (POPIA Section 11(1)(c) - Vital Interests)

During disasters and emergencies, we process information to protect life and safety:

  • Missing person coordination - To facilitate search and rescue
  • Emergency response - To coordinate disaster relief efforts
  • Public safety alerts - To warn of imminent dangers
  • Resource coordination - To allocate emergency resources effectively

3.3 Public Interest (POPIA Section 11(1)(e) - Public Interest)

We process information for broader public benefit:

  • Service planning - To improve service delivery based on demand patterns
  • Resource allocation - To prioritize infrastructure investments
  • Policy development - To inform government decision-making
  • Transparency reporting - To publish aggregate service delivery statistics

For optional features, we rely on your explicit consent:

  • Marketing communications - Non-essential government announcements
  • Advanced analytics - Detailed usage pattern analysis
  • Research participation - Voluntary surveys and studies
  • Enhanced notifications - Personalized notification preferences

4. HOW WE USE YOUR INFORMATION

4.1 Core Service Delivery

4.1.1 Issue Management

  • Creating and tracking service delivery issues
  • Routing issues to appropriate municipal departments
  • Providing status updates throughout the resolution process
  • Generating reference numbers for tracking
  • Maintaining complete audit trails

4.1.2 Geographic Services

  • Determining which municipality/ward has jurisdiction
  • Mapping issues to administrative boundaries
  • Providing location-based information (nearest clinic, school, etc.)
  • Emergency service coordination

4.2 Communication and Notifications

4.2.1 Essential Communications

  • Issue status updates and resolution notifications
  • Emergency alerts and public safety warnings
  • Service delivery interruption notices
  • Official government announcements
  • Newsletter subscriptions
  • Event notifications
  • Survey invitations
  • General government updates

4.3 Community Participation (Municipal Systems Act Section 16-19)

4.3.1 Facilitating Democratic Participation

  • Community input mechanisms - Enable citizen participation in municipal governance
  • Petition and complaint processing - Formal channels for community concerns
  • Public consultation - Facilitate community input on municipal policies
  • Ward committee support - Enable communication with ward committees
  • Participatory governance - Support democratic decision-making processes

4.3.2 Municipal Accountability

  • Performance monitoring - Track municipal service delivery performance
  • Transparency reporting - Publish service delivery statistics and outcomes
  • Citizen feedback integration - Incorporate community input into service improvement
  • Public information sharing - Communicate municipal decisions and policies

4.4 Platform Improvement

4.4.1 Service Enhancement

  • Analyzing service delivery patterns to improve response times
  • Identifying common issues for proactive addressing
  • Evaluating user satisfaction to enhance platform features
  • Planning infrastructure improvements based on demand

4.4.2 System Maintenance

  • Troubleshooting technical issues
  • Monitoring system performance and availability
  • Preventing fraud and abuse
  • Ensuring platform security

5. THIRD-PARTY DATA SHARING

5.1 Google Services

5.1.1 Google Maps Platform

Data Shared: GPS coordinates, address queries
Purpose: Location services, reverse geocoding
Legal Basis: Necessary for service delivery
Location: Google servers worldwide
Protection: Google Cloud Platform security measures

5.1.2 Firebase Services

Data Shared: Push tokens, app analytics, crash reports
Purpose: Notifications, app performance monitoring
Legal Basis: Consent (analytics), legal obligation (emergency notifications)
Location: Firebase servers worldwide
Protection: Firebase security infrastructure

5.2 Amazon Web Services (AWS)

5.2.1 S3 Storage

Data Shared: Photos, documents, media attachments
Purpose: Secure file storage and retrieval
Legal Basis: Necessary for service delivery
Location: AWS data centers (us-east-1 region)
Protection: AWS encryption and security controls

5.2.2 SQS and SES

Data Shared: Background task data, email communications
Purpose: System processing, automated notifications
Legal Basis: Necessary for service delivery
Location: AWS data centers
Protection: AWS security infrastructure

5.3 Municipal and Provincial Departments

Data Shared: Issue reports, user contact information, location data
Purpose: Service delivery, issue resolution
Legal Basis: Legal obligation (government service delivery)
Recipients: Relevant municipal departments, provincial disaster management
Protection: Government security protocols and access controls

5.4 Emergency Services

Data Shared: Emergency incident data, missing person information, location coordinates
Purpose: Emergency response, search and rescue operations
Legal Basis: Vital interests, legal obligation
Recipients: SAPS, Emergency Medical Services, Fire Services
Protection: Secure government communication channels

6. CROSS-BORDER DATA TRANSFERS

6.1 International Transfers

Some of your personal information may be transferred to and processed in countries outside South Africa:

6.1.1 United States (Google, AWS)

Adequacy Status: No adequacy decision by Information Regulator
Safeguards: Standard contractual clauses, corporate security policies
Data Types: Photos (AWS S3), location data (Google Maps), push tokens (Firebase)
Purposes: Technical service provision, cloud infrastructure

6.1.2 Protection Measures

We ensure appropriate safeguards for international transfers:

  • Contractual data protection obligations with service providers
  • Regular security and compliance audits
  • Data minimization (only transfer necessary data)
  • Encryption in transit and at rest
  • Right to request data localization where technically feasible

7. DATA RETENTION AND DELETION

7.1 Retention Periods

7.1.1 User Account Data

  • Active users: Retained while account is active plus 2 years after last login
  • Inactive users: Account data deleted after 5 years of inactivity
  • Deleted accounts: 30-day grace period, then permanent deletion

7.1.2 Issue Reports

  • Active issues: Retained until resolution plus 7 years for audit purposes
  • Resolved issues: Retained for 7 years after closure for quality assurance
  • Photos/attachments: Same retention period as associated issue

7.1.3 Emergency and Disaster Data

  • Missing person reports: Retained for 10 years after resolution
  • Incident reports: Retained for 10 years for emergency planning
  • Emergency communications: Retained for 3 years

7.1.4 Analytics and Log Data

  • Usage analytics: Aggregated for 3 years, then anonymized
  • System logs: Retained for 1 year for security and troubleshooting
  • Audit trails: Retained for 7 years as required by government audit requirements

7.2 Deletion Procedures

When retention periods expire or deletion is requested:

  • Data is permanently removed from production systems
  • Backups containing deleted data are securely destroyed
  • Third-party services are instructed to delete corresponding data
  • Deletion is logged for audit purposes

8. YOUR RIGHTS UNDER POPIA

8.1 Right of Access (Section 23)

You have the right to:

  • Know whether we are processing your personal information
  • Request a copy of your personal information
  • Understand how your information is being used

How to exercise: Email support@livilemphakatsi.co.za with proof of identity

8.2 Right to Correction (Section 24)

You have the right to:

  • Request correction of inaccurate personal information
  • Request completion of incomplete personal information
  • Request deletion of information unlawfully obtained

How to exercise: Submit correction request through the mobile app or contact Primary Platform Support

8.3 Right to Deletion

You have the right to request deletion of your personal information when:

  • It is no longer necessary for the purposes for which it was collected
  • You withdraw consent and no other legal basis exists
  • Your information has been unlawfully processed
  • Deletion is required for compliance with legal obligations

Limitations: We may retain information required for:

  • Government record-keeping obligations
  • Legal proceedings
  • Emergency response capabilities
  • Public health and safety

8.4 Right to Object (Section 25)

You may object to processing based on:

  • Direct marketing (we will stop immediately)
  • Legitimate interests (we will stop unless compelling legitimate grounds exist)
  • Automated decision-making (right to human review)

8.5 Right to Data Portability

You have the right to:

  • Receive your personal information in a structured, commonly used format
  • Transmit your information to another service provider
  • Request direct transmission where technically feasible

How to exercise: Contact Primary Platform Support with specific portability request

8.6 Community Participation Rights (Municipal Systems Act)

8.6.1 Democratic Participation Rights

Under the Municipal Systems Act 32 of 2000, you have specific rights regarding your participation data:

  • Access to participation history - View your submissions, petitions, and complaints
  • Correction of participation records - Ensure accurate representation of your community input
  • Anonymization options - Request anonymized inclusion in community participation statistics
  • Withdrawal from participation - Opt out of community participation features while maintaining essential services

8.6.2 Community Input Protection

Your community participation data is protected through:

  • Democratic process integrity - Ensuring genuine community representation
  • Non-retaliation protection - Preventing adverse action based on participation
  • Transparent processing - Clear communication about how community input is used
  • Aggregate reporting - Individual participation data included in statistical reports only with consent

9. CHILDREN'S PERSONAL INFORMATION

9.1 Minors Under 18

Special protections apply to users under 18 years:

  • Consent requirements: Parental/guardian consent required for users under 12
  • Limited data collection: Minimal data collection for educational services (schools)
  • Enhanced protection: Additional security measures for children's data
  • Retention limits: Shorter retention periods for children's information
  • Right to deletion: Enhanced deletion rights upon reaching majority

9.2 School Services

For school-related services (enrollment, information), we:

  • Collect only information necessary for educational administration
  • Require parental consent for children under 12
  • Limit data sharing to educational authorities only
  • Provide enhanced security protections
  • Delete data when children leave the school system

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Web Portal Cookies

Our web portal uses cookies for:

  • Authentication cookies: To maintain your login session
  • Security cookies: To prevent unauthorized access
  • Preference cookies: To remember your language and accessibility settings
  • Analytics cookies: To understand platform usage patterns
  • Performance cookies: To optimize loading speeds
  • Feature cookies: To enable enhanced functionality

10.2 Mobile App Tracking

The mobile app may use:

  • Firebase Analytics - App usage patterns (consent-based)
  • Crash Reporting - Automatic crash data for bug fixes (essential)
  • Performance Monitoring - App performance data (consent-based)

10.3 Managing Cookies and Tracking

You can control cookies and tracking through:

  • Web browser settings - Block or delete cookies
  • Mobile app settings - Opt out of non-essential analytics
  • Privacy preferences - Granular control over data collection

11. DATA SECURITY MEASURES

11.1 Technical Safeguards

We protect your personal information through:

11.1.1 Encryption

  • Data in transit: TLS encryption for all data communications
  • Data at rest: AES encryption for stored data
  • Database encryption: PostgreSQL transparent data encryption
  • File storage: AWS S3 server-side encryption

11.1.2 Access Controls

  • Authentication: Multi-factor authentication for staff access
  • Authorization: Role-based access control with minimal necessary permissions
  • Audit logging: Complete logs of all data access and modifications
  • Regular reviews: Quarterly access permission reviews

11.1.3 Infrastructure Security

  • Network security: Firewalls and intrusion detection systems
  • Server hardening: Regular security updates and patches
  • Monitoring: 24/7 security monitoring and incident response
  • Backup security: Encrypted backups with restricted access

11.2 Organizational Safeguards

11.2.1 Staff Training

  • Regular POPIA compliance training for all staff
  • Data handling procedures and best practices
  • Security awareness and incident reporting
  • Confidentiality agreements for all personnel

11.2.2 Policies and Procedures

  • Data protection impact assessments for new features
  • Regular security audits and vulnerability assessments
  • Incident response procedures for data breaches
  • Vendor due diligence for third-party services

11.3 Data Breach Response

In the event of a data breach:

  • Immediate response: Secure the breach and assess impact within 24 hours
  • Regulator notification: Notify Information Regulator within 72 hours if required
  • User notification: Notify affected users without undue delay
  • Remedial action: Implement measures to prevent recurrence
  • Documentation: Maintain records of all breaches and responses

12. LAWFUL BASIS FOR PROCESSING

Most data processing is necessary for our legal obligation to deliver municipal services under:

  • Municipal Systems Act 32 of 2000 - Community participation (Section 16-19) and service delivery obligations (Section 73-81)
  • Municipal Structures Act 117 of 1998 - Ward committee functions (Section 72-74)
  • Municipal Finance Management Act, 2003 - Financial and administrative duties
  • Disaster Management Act, 2002 - Emergency response duties
  • Provincial and municipal by-laws - Specific service delivery requirements

Specific Municipal Systems Act Obligations:

  • Section 16: Develop mechanisms for community participation in municipal governance
  • Section 17: Establish processes for community input on municipal matters
  • Section 18: Communicate information to the local community
  • Section 19: Receive, process and consider petitions and complaints from community
  • Section 73: General duty to provide municipal services to local community
  • Section 78: Monitor and review municipal services delivery

12.2 Vital Interests (POPIA Section 11(1)(c))

Emergency and disaster-related processing protects vital interests:

  • Missing person coordination - Life and safety protection
  • Emergency response - Disaster relief coordination
  • Public safety alerts - Warning of imminent dangers
  • Medical emergency assistance - Health and safety protection

12.3 Public Interest (POPIA Section 11(1)(e))

Processing for broader public benefit:

  • Service delivery improvement - Enhancing government services
  • Resource planning - Optimizing infrastructure investments
  • Policy development - Evidence-based governance
  • Transparency reporting - Public accountability

Explicit consent for optional features:

  • Marketing communications - Non-essential announcements
  • Enhanced analytics - Detailed usage analysis
  • Research participation - Voluntary studies and surveys
  • Personalization - Customized user experience

You may withdraw consent at any time by:

  • Mobile app settings: Privacy preferences section
  • Web portal: Account settings and privacy controls
  • Email: Contact Primary Platform Support at support@livilemphakatsi.co.za
  • Written request: Submit formal request to our offices

13.2 Effects of Withdrawal

When you withdraw consent:

  • We will stop processing data for that purpose immediately
  • Previously collected data may be retained for legal obligations
  • Essential services will continue based on other lawful bases
  • You may lose access to certain optional features

14. SHARING YOUR INFORMATION

14.1 Within Government

We share your information with other government entities when necessary for:

14.1.1 Service Delivery

  • Municipal departments - Water, electricity, roads, waste management
  • Provincial departments - Health, education, disaster management
  • Emergency services - Police (SAPS), fire services, medical emergency services

14.1.2 Administrative Coordination

  • Statistics South Africa - For national statistical purposes (anonymized)
  • National Treasury - For government performance reporting (anonymized)
  • Provincial Treasury - For budget and planning purposes (anonymized)

14.2 Third-Party Service Providers

We share limited information with trusted service providers:

14.2.1 Technology Partners

  • AWS (Amazon Web Services) - Cloud hosting and storage
  • Google (Firebase, Maps) - App infrastructure and mapping services
  • Celery/Redis providers - Background task processing

14.2.2 Data Processing Agreements

All third-party providers must:

  • Sign comprehensive data processing agreements
  • Implement appropriate security measures
  • Process data only for specified purposes
  • Comply with South African data protection requirements
  • Submit to regular compliance audits

We may disclose information when legally required:

  • Court orders - Compliance with judicial proceedings
  • Law enforcement - Cooperation with lawful investigations
  • Regulatory compliance - Information Regulator requests
  • Public safety - Imminent threat prevention

15. INTERNATIONAL DATA TRANSFERS

15.1 Cross-Border Transfers

Some of your personal information is processed outside South Africa by:

15.1.1 Google Services (United States)

  • Firebase Cloud Messaging - Push notification infrastructure
  • Google Maps Platform - Location and mapping services
  • Firebase Analytics - App performance monitoring (if consented)

15.1.2 Amazon Web Services (United States)

  • S3 Storage - Secure file and photo storage
  • SQS/SES - Email and background processing services

15.2 Transfer Safeguards

For international transfers, we implement:

  • Standard contractual clauses - EU-approved data transfer mechanisms
  • Corporate security policies - Provider-level protection commitments
  • Regular audits - Verification of security and compliance measures
  • Data minimization - Transfer only essential data
  • Encryption requirements - All data encrypted in transit and storage

15.3 Data Localization Preference

Where technically and economically feasible, we prefer:

  • Local data centers - South African or African hosting
  • Regional providers - African technology partners
  • Government cloud - State-owned infrastructure where available

16. YOUR PRIVACY CONTROLS

16.1 Mobile App Privacy Settings

The mobile app provides granular privacy controls:

16.1.1 Location Settings

  • Precise location: Enable/disable GPS precision
  • Background location: Control location access when app is closed
  • Location history: View and delete stored location data

16.1.2 Communication Settings

  • Push notifications: Select notification types to receive
  • Email communications: Opt in/out of non-essential emails
  • SMS updates: Control text message preferences

16.1.3 Data Sharing Settings

  • Analytics: Opt in/out of usage analytics
  • Crash reporting: Control automatic crash report submission
  • Feature improvements: Participate in product improvement programs

16.2 Web Portal Privacy Controls

The web portal offers:

  • Account data management - View, edit, and download your data
  • Communication preferences - Detailed notification controls
  • Privacy dashboard - Overview of all privacy settings
  • Data deletion tools - Request deletion of specific data types

17. COMPLAINTS AND DISPUTES

17.1 Information Regulator

If you are unsatisfied with our handling of your personal information, you may lodge a complaint with the Information Regulator:

Information Regulator (South Africa)
Physical Address:
JD House
27 Stiemens Street
Braamfontein, Johannesburg, 2001

Postal Address:
P.O Box 31533
Braamfontein, Johannesburg, 2017

Contact Details:

17.2 Internal Complaints Process

Before approaching the Information Regulator, please contact us:

  1. Contact Primary Platform Support: support@livilemphakatsi.co.za or +27 76 549 5763
  2. Provide details: Nature of complaint, relevant information, desired resolution
  3. Response timeframe: We will respond within 30 days
  4. Escalation: If unsatisfied, you may escalate to the Information Regulator

18. UPDATES TO THIS POLICY

18.1 Policy Changes

We may update this privacy policy:

  • Legal compliance: To reflect changes in privacy laws
  • Service changes: When we introduce new features or services
  • Best practices: To adopt improved privacy protection measures

18.2 Notification of Changes

We will notify you of significant changes through:

  • Mobile app notifications - Push notifications for major updates
  • Email communications - Direct notification to registered users
  • Website notice - Prominent notice on web portal
  • Version tracking - Clear version numbers and effective dates

18.3 Your Continued Use

Continued use of the Platform after notification constitutes acceptance of the updated policy. If you do not agree with changes, you may:

  • Withdraw consent for optional features
  • Request account deletion if you no longer wish to use the Platform
  • Contact us to discuss specific concerns about changes

19. CONTACT INFORMATION

19.1 Primary Platform Support

For questions about this privacy policy, data protection, or general Platform support:

19.2 National Emergency Lines

  • Police: 10111
  • Medical Emergency: 10177
  • General Emergency: 112

19.3 Online Resources

20.1 Governing Law

This privacy policy is governed by:

  • Protection of Personal Information Act 4 of 2013 (POPIA)
  • Municipal Systems Act 32 of 2000 (Community participation and service delivery)
  • Municipal Structures Act 117 of 1998 (Municipal governance structures)
  • Constitution of South Africa, 1996 (Section 14 - Privacy, Section 152-153 - Municipal mandate)
  • Electronic Communications and Transactions Act 25 of 2002 (ECTA)
  • Promotion of Access to Information Act 2 of 2000 (PAIA)
  • Disaster Management Act 57 of 2002 (Emergency response obligations)

20.2 Jurisdiction

Any disputes arising from this privacy policy shall be subject to the exclusive jurisdiction of the South African courts.

20.3 Language

This policy is available in English. Translations may be provided for accessibility, but the English version shall prevail in case of discrepancies.

21. DEFINITIONS

Data Subject: An individual whose personal information is processed
Information Officer: The person designated to ensure POPIA compliance
Information Regulator: The regulatory body established under POPIA
Personal Information: Information that identifies or could identify an individual
Processing: Any operation performed on personal information
Responsible Party: The entity determining the purpose and means of processing

Document Version: 1.0
Effective Date: 1 April 2025
Last Updated: 1 April 2025
Review Date: 1 April 2026

This privacy policy has been prepared to comply with the Protection of Personal Information Act, 2013 and represents the Mpumalanga Provincial Government's commitment to protecting citizen privacy while delivering essential government services.

Back to top
Contents
{{tocItems}}