Fold Privacy Policy and POPIA Compliance Statement
1. Introduction
Fold is a loyalty card wallet for South African independent businesses. Customers add loyalty cards to a digital wallet on their phone. Businesses (we call them vendors) scan those cards to stamp them.
Fold is built privacy-first. That is not marketing language. It is a technical constraint that shapes every decision we make. We do not sell your data. We do not share it with advertisers. We do not track you across other apps or websites. We collect the minimum we need to make the product work, and nothing more.
This document is both our Privacy Policy and our statement of compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). We have combined them so there is one source of truth instead of two that can drift apart.
2. Who we are (Responsible Party / Data Controller)
The responsible party for processing your personal information under POPIA is:
- Legal entity: Isaac Anthony (sole proprietor, South Africa), trading as Fold
- Physical address: Cape Town, Western Cape, South Africa (full postal address available on written request to the email below)
- Email: privacy@getfold.co.za
- Privacy policy URL: https://getfold.co.za/privacy
For any privacy-related request, write to us at the email above. We respond within 30 days.
3. What Fold is (and what it is not)
Fold is: a wallet app where customers store digital loyalty cards, and a vendor dashboard where small businesses run loyalty programmes.
Fold is not: an advertising network, a data broker, a credit scoring service, or a marketing analytics platform. We do not build profiles on customers to sell. We do not sell, broker, or share customer behavioural data with third parties. Our revenue comes from vendor subscriptions, not customer data.
4. What data we collect
We describe this separately for the two kinds of users.
4.1 End users (customers using the Fold app)
When you install the Fold app and use it, we collect:
- A pseudonymous Fold identifier in the format
FOLD-XXXXXX. This is 6 characters long, generated on your device. Fold does not know your name, email address, phone number, or any other identity attribute — we never ask for them, and there is no field to store them in. The identifier persists on your device; it cannot be recovered if you lose or change devices, because we hold nothing that could identify you to restore it. - The loyalty cards you have added to your wallet (which vendors you have subscribed to).
- Your stamp progress for each card you hold (for example, 4 out of 10 stamps).
- Device push notification token (only if you opt in to notifications; not currently in use).
We do not collect:
- Your name, email, phone number, or date of birth
- Your location (we never request location permission)
- Your contacts, photos, calendar, microphone, or camera (except when you deliberately use the card-stamping camera view on a vendor device)
- Advertising identifiers (IDFA, GAID)
- App usage analytics, crash analytics, or behavioural tracking
4.2 Vendors (businesses using the Fold dashboard)
When you sign up as a vendor at getfold.co.za, we collect:
- Account data: email address, password (stored only as a bcrypt hash with salt factor 12, never in plain text)
- Business profile: business name, category, logo (stored in Supabase Storage), brand colours, location name and address, and latitude/longitude coordinates for your location(s)
- Staff accounts you create: name, email, password hash, role, and assigned location
- Messages you send to your customers through Fold
- Audit log of security-relevant events (login attempts, password changes, stamp events) including IP address, user-agent, and timestamp, kept for 90 days
4.3 Vendor applications
When you apply to join Fold as a vendor, we collect:
- Business name, business type, city, and tier you're applying for
- Why you want to use Fold (your free-text answer)
- Optionally: website, how you heard about us, number of locations
- Contact name, email address, and optionally phone number
- Your explicit consent (a tickbox confirming you've read this policy)
- For Enterprise applications: additional context about your business (group size, region, integration needs, etc.) — provided by you only if you self-identify as Enterprise tier
We also use anti-abuse mechanisms on the application form — a hidden field that bots tend to fill in, and a Cloudflare bot check — to filter automated submissions. Fold does not retain data from either; the Cloudflare check is performed by Cloudflare to confirm you are not a bot.
Application records are retained as follows:
- Pending applications: held while under review. If you have not received a decision within 7 days, the application is automatically declined and we email you to let you know.
- Approved applications: retained for as long as your vendor account is active, as an audit trail of how you joined.
- Rejected applications: retained for 90 days as a cooldown record. During this window, re-application from the same email is declined automatically. After 90 days, you may re-apply.
If you want your application data deleted before these windows expire, email privacy@getfold.co.za.
4.4 Anonymous scan events
When a stamp or redeem occurs, Fold logs an anonymous scan event containing: vendor, approximate location, GPS accuracy, and timestamp. No user, device, session, or card identifier is linked to this data. We use it to operate, secure, and improve Fold's location-based features. We do not sell, share, or use it for advertising.
Because scan events contain no personal identifier, they are not personal information under POPIA. They are retained indefinitely in this anonymous form.
5. Why we collect it (lawful basis)
Under POPIA (sections 9–11) and in line with GDPR-equivalent principles, we process personal information only where we have a lawful basis:
| Data | Purpose | Lawful basis |
|---|---|---|
| Fold identifier | Identify your wallet to vendors when you claim stamps | Performance of contract (POPIA s11(1)(b)) |
| Cards and stamps | Deliver the loyalty service you signed up for | Performance of contract |
| Vendor email and password | Authenticate you to the dashboard | Performance of contract |
| Business profile and logo | Display your brand to customers who add your card | Performance of contract |
| Audit log (IP, user-agent) | Detect abuse and protect accounts | Legitimate interest (POPIA s11(1)(f)) |
| Push token (future) | Send notifications you have asked for | Consent (POPIA s11(1)(a)) |
We do not process personal information for direct marketing, profiling, or automated decision-making that produces legal effects.
6. How and where we store your data
Your data is stored on the following infrastructure:
- Application servers: Vercel (United States). Vercel receives and processes API requests but does not independently store personal information.
- Database: Supabase (PostgreSQL), hosted on AWS in the
eu-west-1(Ireland) region. - File storage: Supabase Storage (vendor logos only).
- Authentication: session-based authentication with industry-standard secure cookie handling. We do not use third-party auth providers.
6.1 Cross-border transfer disclosure (POPIA section 72)
Some of your personal information is processed outside South Africa, specifically on servers operated by Vercel (United States) and AWS (region: eu-west-1, Ireland). POPIA section 72 permits this transfer because:
- The recipients are subject to binding corporate rules or contractual obligations that uphold data protection principles substantially similar to POPIA, and
- The transfer is necessary to perform the contract you have with us (operating the Fold service).
We keep the list of processors under review. If we change providers or regions, we will update this policy.
7. Who we share your data with
Short version: nobody, except the vendor whose card you deliberately added.
Customer to vendor: When you add a vendor's card to your wallet, that vendor can see your FOLD-XXXXXX identifier and your stamp progress on their card. That is required for stamping to work.
Vendors interact with our system through their dashboard, which is scoped to their own customer base. Our system is designed so that the dashboard a vendor uses to run their loyalty programme does not surface activity from other vendors. We do not aggregate cardholder activity across vendors into any vendor-facing surface.
Fold, as the operator of the platform, does hold the underlying records of all customer activity across all vendors. This is unavoidable: the loyalty mechanic requires us to count stamps. We do not act on that data commercially — see Section 3 — and we do not aggregate it into any vendor-facing surface.
We never contact you outside the app — no push notifications, no email, no SMS — because we don't have those details and don't send them. A vendor can post a single general notice that appears on your card when you open it; it's the same notice for everyone holding their card and is never targeted to you individually. Fold does not currently provide vendors a way to message individual customers or specific groups of customers.
Multi tier (paid): Unlocks multi-location operational tooling (locations, staff per location, scanners) and aggregate, shop-level analytics. It does not provide access to individual customer data or any customer-contact capability.
- Vendor to customer: Customers who add a vendor's card see the vendor's public brand details (name, logo, colours, location).
- Third parties: We do not share data with advertisers, data brokers, analytics companies, or any other third party. We have no third-party SDKs that collect data.
- Payments: Paid vendor tiers are not currently processed in-app. If you upgrade to a paid tier today, we arrange the transaction with you directly. We will update this policy before enabling in-app payments.
- Law enforcement: We will only disclose information where compelled by a valid South African court order or law, and will notify you unless legally prohibited.
8. How long we keep your data
| Data | Retention |
|---|---|
| Active end-user account (Fold identifier, cards, stamps) | For as long as the app is installed and the account is active |
| Active vendor account | For as long as the account is active |
| Audit log (login events, IP, user-agent) | 90 days, then automatically deleted |
| Deleted end-user account | Immediately purged from active systems. Residual copies in operational backups are purged according to our backup rotation schedule. |
| Deleted vendor account | Immediately purged from active systems. Residual copies in operational backups are purged according to our backup rotation schedule. |
9. Security measures
We take appropriate, reasonable technical and organisational measures (POPIA s19). Among them:
- We cannot read your password — not even internally.
- Rate limiting on login and signup to prevent brute-force and abuse.
- Secure session handling that rotates on password change.
- Audit logging of security-relevant events.
- All connections encrypted end-to-end.
- No third-party trackers, analytics SDKs, or ad networks in the app or dashboard.
- Least privilege — staff accounts only see data for the locations they are assigned to.
9.1 Breach notification
If we ever learn of a data breach that creates a real risk to you, we will notify the Information Regulator and affected data subjects without undue delay, in line with POPIA section 22.
10. Your rights
Under POPIA (sections 23–26) and as a matter of policy, you have the right to:
- Access the personal information we hold about you (section 23)
- Correct or update information that is inaccurate (section 24)
- Delete your account and associated data (section 25)
- Object to the processing of your information (section 26)
- Withdraw consent at any time where we rely on consent
- Port a copy of your data to another service, in a common format
- Complain to the Information Regulator
10.1 How to exercise these rights
End users: In the Fold app, go to Settings → Delete All Data. This removes your Fold identifier from your device's secure storage and deletes your customer records, cards, and transactions from our servers. For access, correction, or objection, email privacy@getfold.co.za with your Fold identifier.
Vendors: In the vendor dashboard, go to Settings → Delete account. This cascades to all your vendor data, cards, staff accounts, and messages. For access, correction, or objection, email privacy@getfold.co.za from the email on your account.
We respond to requests within 30 days.
10.2 Complaints to the Information Regulator
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:
- Email: enquiries@inforegulator.org.za
- Complaints email: POPIAComplaints@inforegulator.org.za
- Telephone: +27 12 406 4818
- Website: https://inforegulator.org.za
11. Children
Fold is not directed at children under 18. We do not knowingly collect personal information from children. Vendors using Fold agree not to knowingly process information of a child without appropriate parental consent as required by POPIA section 35. If you believe we have received information about a child, email privacy@getfold.co.za and we will delete it.
12. Tracking and advertising
Fold does not track you. We do not use advertising identifiers, we do not participate in cross-app or cross-site tracking, and we do not sell data to advertisers. This is a deliberate product stance, not an oversight.
If you are on iOS, the App Tracking Transparency prompt will not appear because we do not track. If it ever does, we will update this policy first.
13. Changes to this policy
We will update this policy when the product changes (for example, when we enable push notifications or paid tiers). The "Last updated" date at the top reflects the latest change. Material changes will be announced in-app or by email to vendors before taking effect.
14. Contact us
- Email: privacy@getfold.co.za
- Post: Isaac Anthony (Fold), Cape Town, Western Cape, South Africa (full postal address on written request)
- Information Officer: Isaac Anthony (required under POPIA s55 — as the sole proprietor of Fold, Isaac Anthony serves as the designated Information Officer until delegated and registered with the Information Regulator)