Privacy Policy

My Symbiosis Pty Ltd is the Responsible Party (data controller) for the personal information described below.

Information Officer: popia@mysymbiosis.co.za. You can write to this address for any access, correction, or deletion request, or to lodge a complaint.

Through the My Symbiosis driver portal we collect:

Your South African ID number is classified as a unique identifier under POPIA. We process it only for the lawful purposes set out below.

We process your personal information only for:

• Onboarding and verification — to confirm you are who you say you are and that your driving credentials are valid. Lawful ground: performance of the contract you enter into with us when applying (section 11(1)(b) POPIA).
• Matching with Client Companies — to share your verified profile with prospective employers / fleet operators. Lawful ground: your consent (section 11(1)(a) POPIA), withdrawable at any time.
• Compliance with law — to comply with the National Road Traffic Act, tax law, anti-money-laundering, and other obligations applicable to fleet operators. Lawful ground: legal obligation (section 11(1)(c) POPIA).
• Service improvement — anonymised analytics on how drivers use the platform. Lawful ground: our legitimate interest (section 11(1)(f) POPIA).

To save you typing, we send your uploaded ID and licence images to a generative AI service (currently Google Gemini 2.5 Flash, processed via Google's AI Studio API) which returns the structured fields for our app to display.

• Images are sent only at the moment of upload, are not used by the AI provider to train their models, and are not retained by them beyond the API call.
• You always see and confirm the extracted fields before submission.
• Our underlying decision to approve or reject you is taken by a human operator, never solely by automated processing.

We share personal information only with:

• Client Companies you are matched with, and only with your explicit consent for each match.
• Our infrastructure provider, Supabase (operated by Supabase Inc., with data hosted in compliant regions). They process data on our instructions only and are bound by a written Data Processing Agreement.
• Verification partners (e.g. the Department of Home Affairs, eNaTIS, accredited criminal-record verifiers) only as strictly required for the verifications listed above.
• Law-enforcement and regulators, where compelled by law (e.g. a court order, a SAPS subpoena under section 205 of the Criminal Procedure Act).

We do not sell your data, share it with advertising networks, or use it for cross-context behavioural targeting.

Where infrastructure providers store data outside of South Africa, we rely on the conditions in section 72 of POPIA — namely that the recipient is subject to a law, binding corporate rules or contract that provides an adequate level of protection. Supabase's standard contractual terms include EU SCCs and equivalent protections.

• Documents are stored in a private Supabase Storage bucket, isolated per user, and accessible only via short-lived (≤5 minute) signed URLs.
• All database tables enforce Row-Level Security: a driver can only read or modify their own row; admins are gated by a role-based policy.
• Passwords are stored as bcrypt hashes; we never see or store the plain-text password.
• Connections to and from the platform use TLS 1.2 or higher.
• Internal admin access is restricted to named individuals subject to confidentiality agreements.

You have the right to:

• Access a copy of the personal information we hold on you — the driver dashboard shows it all, or email us for a machine-readable export.
• Correct or update any of your information at any time from your dashboard.
• Object to processing for direct marketing or any other purpose based on legitimate interest.
• Withdraw your consent at any time, with effect for the future.
• Request deletion of your data, subject to the retention periods set out in section 7.
• Lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za or POPIAComplaints@inforegulator.org.za.

The platform is intended for adults aged 21 and over (the minimum age for a Professional Driving Permit). We do not knowingly collect information from minors. If you believe a minor has registered, contact us and we will delete the account.

We use cookies for two purposes only:

• Strictly necessary — the Supabase authentication session cookies. Without these, you cannot stay logged in.
• Attribution — short-lived UTM-source cookies used to understand which campaign brought you to the site (cookie life: 30 days). These contain no personal identifiers.

We may update this policy when our practices or applicable law change. The version number and effective date above will always reflect the current version. Material changes will be notified by email.

Information Officer: popia@mysymbiosis.co.za
General queries: hello@mysymbiosis.co.za

See also our POPIA notice and Driver Agreement.