Privacy Policy

Last updated: 30 April 2026 · Effective date: 30 April 2026

Applicable law: This policy complies with the South African Protection of Personal Information Act 4 of 2013 (POPIA) and the Zimbabwean Data Protection Act [Chapter 11:22] (2021). Where the two Acts differ, the stricter requirement applies.

1. Identity of Responsible Party

The responsible party (as defined in POPIA Section 1) for the processing of your personal information is:

Field	Detail
Legal name	[Imbazo (Pty) Ltd / Trading name — to be registered]
Registration number	[To be assigned on incorporation]
Registered address	[Physical address — to be confirmed]
Contact email	privacy@imbazoca.com

2. Information Officer

In terms of POPIA Section 55, our designated Information Officer is:

Field	Detail
Name	[Information Officer name — to be appointed]
Email	privacy@imbazoca.com
Phone	[To be confirmed]

For Zimbabwean data subjects, enquiries may also be directed to the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) at www.potraz.gov.zw.

3. Purpose of Collection (POPIA Section 13)

We collect and process personal information for the following specific, explicitly defined purposes:

3.1 Participant Data

Data category	Purpose	Legal basis (POPIA s11)
Name, phone, email	Identity verification, communication	Consent (s11(1)(a))
Date of birth, gender	Task matching (demographic criteria)	Consent (s11(1)(a))
Country, city, province	Geographic task targeting	Consent (s11(1)(a))
Education, employment, income	Socio-economic task matching	Consent (s11(1)(a))
Languages, ethnicity	Linguistic/cultural task matching	Consent (s11(1)(a)); ethnicity is special personal information processed only with explicit consent per s26-s33
Internet access type	Task feasibility assessment	Consent (s11(1)(a))
Payment details	Disbursing task participation payments	Contract performance (s11(1)(b))
Field of study, technical skills	Task matching (skill-based criteria)	Consent (s11(1)(a))
Device type	Task feasibility assessment (mobile vs desktop)	Consent (s11(1)(a))
Task responses and outputs (survey answers, image labels, voice recordings, AI ratings)	Delivery to commissioning client for their stated purpose	Consent (s11(1)(a)) + Contract performance (s11(1)(b))

3.2 Client Data

Data category	Purpose	Legal basis
Name, email, organisation	Account creation, communication	Contract performance (s11(1)(b))
Payment information	Billing for task services	Contract performance (s11(1)(b))
Task content/criteria	Service delivery	Contract performance (s11(1)(b))

3.3 Task Output Data

When you complete tasks on Imbazo — including surveys, image labelling, voice recordings, AI response ratings, and content reviews — your responses and outputs are delivered to the client who commissioned the task. This is the core service that Imbazo provides.

Task outputs may be used by clients for:

Market research and consumer insights
Artificial intelligence and machine learning model training (e.g., RLHF, data labelling, NLP, computer vision)
Product development and user experience research
Academic and scientific research
Content moderation and trust & safety

By completing a task and receiving payment, you consent to your task output being delivered to and used by the commissioning client for the purpose stated in the task description. Task outputs are considered work product — once delivered and paid for, the intellectual property in the output transfers to the client.

4. How We Share Data with Clients

Imbazo is a marketplace that connects participants with clients who need human input. Sharing your data with clients is fundamental to the service. Here is exactly what we share and when:

4.1 Profile Matching (Pseudonymised)

To match you with relevant tasks, we share your demographic profile with clients in pseudonymised form — using your Imbazo participant ID, not your real name or phone number. Clients may see your age range, gender, country, education level, field of study, technical skills, languages, and device type. They do not see your name, phone number, email, or exact date of birth.

4.2 Task Outputs (Delivered to Client)

When you complete a task, your responses are delivered to the commissioning client. Task outputs may include text responses, voice recordings, image labels, AI ratings, or other work product. Once delivered, the client becomes an independent data controller for that output data and is responsible for their own compliance with applicable data protection laws.

4.3 Identity Data (Only with Explicit Consent)

Your name, phone number, or email are never shared with clients unless: (a) the specific task requires it, and (b) you provide explicit, informed consent for that particular task before participating. You will always be clearly informed before any identity data is shared.

4.4 Aggregated and Anonymised Data

We may use anonymised, aggregated data about our participant panel (e.g., demographic distributions, task completion rates, regional availability) for:

Internal platform analytics and service improvement
Providing prospective clients with aggregated panel statistics (no individual is identifiable)
Ensuring diversity and representativeness in AI training datasets
Academic research and industry benchmarking

Anonymised, aggregated data is not personal information and may be retained and used indefinitely.

4.5 We Do Not Sell Your Personal Data

Imbazo does not sell, rent, or trade your personal information to third parties for their own marketing or advertising purposes. Data sharing is limited to the purposes described in this policy: task matching, task output delivery, and platform operations.

5. Use of Data for AI and Machine Learning

Some tasks on Imbazo involve creating training data for artificial intelligence systems. This includes but is not limited to:

Rating or ranking AI-generated responses (Reinforcement Learning from Human Feedback / RLHF)
Labelling images, text, or audio for machine learning models
Recording your voice in local languages for speech recognition training
Reviewing content for safety classification and trust & safety systems
Evaluating and comparing outputs from different AI models

By completing AI-related tasks, you consent to your task outputs being used to train, evaluate, or improve artificial intelligence systems operated by the commissioning client. Your personal identity data (name, phone number, email) is not included in AI training datasets — only your pseudonymised task outputs.

Your demographic profile may be used in anonymised, aggregated form to ensure AI training data is diverse and representative of different populations, languages, and perspectives.

6. Our Role in Data Processing

Imbazo acts in two distinct roles depending on the type of data:

Role	Data type	What this means
Data Controller	Participant profile data (name, demographics, contact details, platform usage)	Imbazo decides how this data is collected, stored, and used for platform operations, task matching, and communication. We are directly responsible for protecting this data.
Data Processor	Task data commissioned by clients (survey questions, labelling instructions, collected responses)	The client determines what data is collected through their task. We process and deliver this data on the client's behalf per their instructions. The client is responsible for their own data protection compliance when using data received from Imbazo.

Where Imbazo acts as a data processor, we process task data only in accordance with the client's instructions and applicable law. We do not use client task data for our own purposes except as necessary to operate the platform (e.g., quality assurance, fraud detection, payment processing).

7. Data Minimisation & Adequacy (POPIA Section 10)

We collect only data that is adequate, relevant, and not excessive for the stated purposes. Participants may decline to provide optional fields (education, income, ethnicity) without affecting core panel membership.

8. Consent (POPIA Section 11)

Participant consent is obtained via our WhatsApp onboarding flow. Consent is:

Voluntary — participants can decline at any step
Specific — we explain each data category and its use
Informed — this policy is linked during onboarding
Recorded — timestamp and evidence stored per participant

Consent can be withdrawn at any time by messaging "STOP" to our WhatsApp number or emailing privacy@imbazoca.com.

9. Information Quality (POPIA Section 16)

We take reasonable steps to ensure personal information is complete, accurate, and not misleading. Participants can review and correct their information at any time via WhatsApp or by contacting us.

10. Data Retention (POPIA Section 14)

Data type	Retention period	Justification
Active participant profiles	While participant is active + 2 years after deactivation	Service delivery + legal compliance
Completed task/study data	5 years from task/study completion	Research audit trail, tax records
Task output data delivered to clients	Retained by Imbazo for 2 years from delivery; client retention governed by client's own policy	Service records, dispute resolution, quality assurance
Consent records	Indefinite (anonymised after 7 years)	Legal compliance proof
Audit logs	7 years	Legal and regulatory compliance
Payment records	7 years	Financial regulatory requirements
Client accounts	While active + 2 years after last login	Service delivery

On deletion request, personal data is erased from active systems within 30 days. Anonymised aggregates may be retained for platform analytics.

11. Cross-Border Transfers (POPIA Section 72)

Your personal data may be transferred to, and processed in, countries outside South Africa and Zimbabwe. We ensure adequate safeguards per POPIA s72.

Sub-processor	Location	Purpose	Safeguard
Supabase Inc.	United States	Database hosting (Postgres)	SOC 2 Type II compliant; contractual data processing terms
Twilio Inc.	United States	WhatsApp messaging via Twilio API	SOC 2 Type II compliant; DPA with standard contractual clauses
Clerk Inc.	United States	Client authentication	SOC 2 compliant; contractual safeguards
Vercel Inc.	United States / Global edge	Web application hosting	SOC 2 Type II; DPA with standard contractual clauses
Memgraph Ltd.	United Kingdom	Graph database — participant matching and platform operations	Contractual data processing terms
Stripe Inc. (future)	United States	Payment processing	PCI DSS Level 1; GDPR-compliant DPA

All sub-processors are bound by data processing agreements that require them to process your data only for specified purposes and to implement appropriate security measures.

12. Security Safeguards (POPIA Section 19)

We implement appropriate technical and organisational measures to protect personal information, including:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Row-level security policies in our database — clients cannot access other clients' data or raw participant PII
Access control via Clerk authentication with session management
Audit logging of all data access events
Principle of least privilege for system components
Regular security reviews and dependency updates

13. Your Rights (POPIA Section 23–25)

As a data subject, you have the right to:

Access — Request a copy of all personal information we hold about you (s23)
Correction — Request correction of inaccurate or incomplete personal information (s24)
Deletion — Request deletion of your personal information where no legal basis for retention exists (s24)
Objection — Object to the processing of your personal information on reasonable grounds (s11(3))
Restriction — Request that we limit processing in certain circumstances
Data portability — Receive your data in a structured, machine-readable format
Withdraw consent — Withdraw consent at any time without affecting prior lawful processing
Lodge a complaint — With the Information Regulator of South Africa or POTRAZ (Zimbabwe)

Limitation on deletion of delivered task outputs: Where your task outputs have already been delivered to a client and payment processed, we may not be able to recall that data from the client. You may contact the client directly to exercise your rights over data they hold. We will provide you with the client's contact details upon request.

To exercise any right, contact us at privacy@imbazoca.com or message "PRIVACY" to our WhatsApp number. We will respond within 30 days.

14. POPIA Section 18 Notification

In compliance with POPIA Section 18, we notify you at the time of collection that:

The information is being collected by Imbazo (see Section 1 above)
Collection is for the purposes described in Sections 3–6 above, including delivery of task outputs to clients and use in AI/ML training
Provision of information is voluntary; however, failure to provide required fields may prevent panel membership or task participation
We will not use your information for direct marketing unless you opt in
You have the right to lodge a complaint with the Information Regulator at:
The Information Regulator (South Africa)
33 Hoofd Street, Forum III, Braampark, Braamfontein
Email: complaints.IR@justice.gov.za
Tel: 012 406 4818
Your information may be transferred outside South Africa as described in Section 11
We do not engage in automated decision-making or profiling that produces legal effects, except for demographic matching which you consent to during onboarding

15. Children's Data

Imbazo does not knowingly collect personal information from persons under the age of 18. Our onboarding flow includes age verification. If we discover we hold data of a minor, it will be deleted immediately.

16. Cookies & Analytics

Our web application uses only essential cookies for session management (authentication). We do not use advertising or tracking cookies. Vercel Analytics may collect anonymised performance metrics (page load times, country-level geographic data).

17. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email (clients) or WhatsApp (participants) at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

18. Contact

For any privacy-related enquiries:

Email: privacy@imbazoca.com
WhatsApp: Message "PRIVACY" to [WhatsApp number]
Post: [Physical address — to be confirmed]