Privacy Policy
Last updated: 9 July 2026
1. Who is responsible for your information
Loft Control (South Africa) is the "responsible party" under the Protection of Personal Information Act, 4 of 2013 (POPIA). The Information Officer can be reached at jonrae1@gmail.com.
2. What we collect and why
| Information | Why we process it |
|---|---|
| Name, email, password (stored as a one-way hash) | Creating and securing your account; sending account emails (verification, password reset, trial notices) |
| Loft names, GPS coordinates, addresses | Automatic race-distance calculation and weather features — the core service you signed up for |
| Bird, race, feeding and medication records | Providing the service; this is your operational data |
| Subscription status and payment references | Billing via Paystack. We never see or store card numbers |
| Technical logs (IP address, request timing) | Security (rate limiting, abuse prevention) and keeping the service reliable |
We collect this directly from you, process it only for the purposes above, and do not sell personal information or share it for third-party marketing. Lawful basis under POPIA: performing our contract with you, and our legitimate interest in securing the service.
3. Operators (third parties that process data for us)
| Operator | Purpose | Where |
|---|---|---|
| Railway | Application and database hosting | United States |
| Paystack | Payment processing (ZAR) | South Africa / Nigeria |
| Resend | Sending transactional email | United States |
| Open-Meteo | Weather forecasts (receives only coordinates, never your identity) | European Union |
Some of these operators are outside South Africa. POPIA section 72 permits such transfers where the recipient is bound by adequate protection; our operators are bound by their own data-processing agreements and industry-standard safeguards.
4. Security
All traffic is encrypted in transit (HTTPS). Passwords are stored as bcrypt hashes and reset tokens as one-way hashes — we cannot read them. Access to your data is scoped to your own organisation throughout the system, and requests are rate-limited and logged for abuse prevention.
5. Retention
Your organisation's data is kept while your account exists — including through lapsed trials and cancelled subscriptions, so you can return. If you ask us to delete your account, we delete your organisation's data from the live database promptly; it may persist in encrypted backups for up to 90 days before those cycle out. Technical logs are retained for a short operational window.
6. Your rights as a data subject
Under POPIA you may: request access to the personal information we hold about you; ask us to correct or delete it; object to processing; and complain to the Information Regulator (South Africa) — inforegulator.org.za. To exercise any of these, email us at jonrae1@gmail.com — no special form needed, and we respond within a reasonable time as POPIA requires.
7. Cookies and local storage
We use no advertising or analytics cookies. The app stores a session token in your browser's local storage so you stay logged in, and one small cookie that only tells the server "this browser uses the app" so returning users skip the marketing page. That's the full list.
8. Children
The service is intended for adults running pigeon lofts. We do not knowingly process children's personal information.
9. Changes to this policy
If we change this policy materially we will email account holders and show a notice in the app before the change takes effect.