Privacy Policy
How Tecspec (Pty) Ltd t/a Baobab Technologies collects, uses, and protects your information.
Last Updated: 27 February 2025
1. Introduction
This Privacy Policy explains how Tecspec (Pty) Ltd t/a Baobab Technologies ("Baobab Technologies", "we", "us", or "our") collects, uses, stores, shares, and protects personal information when you:
- Use our website at https://baobabtech.co.za
- Use any of our cloud-based software solutions and platforms
- Communicate or interact with us in any way
We are committed to protecting your privacy in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable South African data protection laws. By using our website or services, you agree to the terms of this Privacy Policy.
2. Who We Are
Responsible Party: Tecspec (Pty) Ltd t/a Baobab Technologies
Registered and operating in the Republic of South Africa.
This Privacy Policy applies to all processing of personal information carried out by us as a responsible party and, where applicable, as an operator on behalf of our clients.
3. Scope of This Policy
This Policy applies to:
- Visitors to our website
- Existing and prospective clients and their authorised users
- End-users who access our systems as part of our clients’ workforce or operations
- Any person who contacts us via email, phone, or other channels
4. Information We Collect
We may collect and process the following categories of personal information:
4.1 Identity and Contact Information
- Name and surname
- Business or employer details
- Job title or role
- Contact details (email address, mobile/telephone number)
4.2 Account and Usage Information
- Username and login credentials (stored in encrypted form)
- Profile settings and preferences
- Actions taken within our systems (audit logs, access history)
- Support requests, enquiries, and communication history
4.3 Technical and Device Information
- IP address and approximate location
- Browser type and version
- Device type, operating system, and similar technical data
- Usage data such as pages viewed, features used, and time spent
4.4 FireCloud T&A (Time & Attendance) Data
FireCloud T&A processes personal information for workforce time and attendance purposes, including:
- Employee identification and profile information
- Clock-in and clock-out times
- Shift, schedule, and attendance records
- Location data associated with time and attendance events (where enabled)
- ID or employee numbers
- Biometric information (for example, fingerprint templates or similar biometric identifiers) where biometric devices are used and integrated with our systems.
Biometric information is recognised as special personal information under POPIA and is subject to enhanced safeguards, as set out in this Policy.
4.5 Ecliq e-Learning Data
Ecliq e-Learning processes personal information related to training and learning, including:
- Enrolment information and training assignments
- Course progress, completion status, and assessment results
- Scores, feedback, and remarks on learning activities
- Certificates issued and historical training records
4.6 DocuCliq Document Management Data
DocuCliq is a document management solution that stores and organises documents used by our clients in the course of their business. The categories of documents and personal information processed depend on how each client uses the system, and may include:
- HR and employee documents
- Client and supplier contracts and correspondence
- Operational forms, reports, and records
- Other business documents uploaded or created by the client
When we host or process such documents on behalf of a client, we generally act as an operator under POPIA and process the information strictly according to our client’s instructions and applicable agreements.
4.7 Billing and Financial Information
- Billing contact information
- Invoicing details and transaction records
- Payment confirmations and related financial references
Payment card details, where applicable, are processed via secure third-party payment providers and are not stored by us in plain form.
4.8 Cookies and Similar Technologies
Our website uses cookies and similar technologies to improve functionality, enhance user experience, and analyse usage patterns. Cookies are small text files placed on your device when you visit our site.
We may use, among others:
- Essential cookies: required for basic site operation and security.
- Preference cookies: to remember your preferences and settings.
- Analytics cookies: to help us understand how visitors use our website.
You can control or disable cookies through your browser settings. However, some features of the website may not function correctly if certain cookies are disabled.
5. How We Collect Personal Information
We collect personal information in the following ways:
- Directly from you when you complete forms, register an account, or contact us
- From your employer or organisation when they onboard you as a user of our systems
- Automatically through your use of our website and platforms (e.g. logs and analytics)
- From third parties where legally permitted and relevant to our services
6. How We Use Personal Information
We use personal information for the following purposes:
- To provide, operate, and maintain our software, platforms, and services
- To create, manage, and secure user accounts and profiles
- To process time & attendance, training, and document management activities as configured by our clients
- To respond to enquiries, provide customer support, and manage our relationship with you
- To send service-related notifications, alerts, and updates
- To improve and optimise the performance, security, and usability of our systems
- To generate anonymised or aggregated statistics for internal reporting and service improvement
- To comply with legal and regulatory requirements and to exercise or defend legal rights
Where we use personal information for direct marketing, this will be done in accordance with POPIA and you will always have the option to opt out of such communications.
7. Legal Basis for Processing
We process personal information on one or more of the following legal bases:
- Your consent, where you have given it
- The performance of a contract with you or with your employer/organisation
- Compliance with applicable legal and regulatory obligations
- Our legitimate interests or those of a third party, provided such interests are not overridden by your rights and interests (for example, to secure our systems, improve our services, or prevent misuse)
8. Special Personal Information and Biometric Data
Certain categories of personal information are classified as special personal information under POPIA, including biometric information. Where FireCloud T&A or integrated solutions use biometric data for identification or verification, we:
- Process biometric information only where it is necessary and lawful for time & attendance or access control
- Store biometric information in secure, encrypted form as templates rather than as raw images, where technically possible
- Restrict access to biometric data to authorised personnel on a strict need-to-know basis
- Do not use biometric information for purposes unrelated to identification, verification, or attendance
9. Sharing of Personal Information
We may share personal information with the following categories of recipients:
- Service providers and operators who assist us with hosting, infrastructure, support, communications, and related functions.
- Professional advisors such as legal, accounting, or consulting firms, under appropriate confidentiality obligations.
- Clients (employers or organisations) who are the responsible parties for their users’ data in the context of our platforms.
- Regulators, law enforcement, or other competent authorities where required by law or reasonably necessary to protect our rights or the rights of others.
We do not sell your personal information. Any third party with whom we share personal information is required to handle it in accordance with applicable data protection laws and appropriate contractual safeguards.
10. Cross-Border Transfers
Our primary cloud infrastructure is hosted in South Africa. In limited cases, certain service providers or backup services may store or process personal information in other jurisdictions.
Where personal information is transferred outside South Africa, we take reasonable steps to ensure that the recipient is subject to laws, binding corporate rules, or contractual obligations that provide an adequate level of protection in line with POPIA requirements.
11. Data Security
We implement appropriate and reasonable technical and organisational measures to protect personal information against unauthorised access, loss, misuse, alteration, or destruction. These measures include, where appropriate:
- Use of secure, encrypted connections (such as HTTPS/TLS)
- Access controls, authentication, and role-based permissions
- Segregation of environments and data where appropriate
- Regular monitoring, logging, and security reviews
- Backups and disaster recovery processes
Despite these measures, no system can be guaranteed as completely secure. You are responsible for keeping your password and account details confidential and for notifying us promptly of any suspected unauthorised access to your account.
12. Data Retention
We retain personal information only for as long as is reasonably necessary for the purposes set out in this Policy, or as required by law or our contractual obligations. Retention periods may vary depending on the type of information and the context of processing. In general, we apply the following guidelines:
- Customer account and contact data: retained for the duration of the contract and for up to 5 years thereafter for record-keeping, legal, and operational purposes.
- FireCloud T&A records (time, attendance, and related logs): typically retained for up to 3 years, unless a longer period is required by law or agreed with the client.
- Biometric templates: retained only while needed for attendance or access control and deleted or irreversibly de-identified when no longer required.
- Ecliq e-Learning records and certificates: typically retained for up to 5 years to support training history and compliance evidence, unless otherwise agreed with the client.
- DocuCliq documents: retained for as long as the client maintains such documents in the system. Following termination of a client’s contract, we will delete or return documents within a reasonable period (for example, within 90 days), subject to any legal retention obligations.
- System and security logs: generally retained for up to 12 months, unless longer retention is required for security, legal, or compliance reasons.
- Billing and financial records: retained for at least 5 years or such longer period as may be required under South African tax and financial legislation.
When personal information is no longer required, we will take reasonable steps to delete, destroy, or de-identify it in a secure manner.
13. Your Rights
Under POPIA and applicable laws, you may have the following rights in relation to your personal information:
- The right to be informed about how your personal information is being processed
- The right to request access to the personal information we hold about you
- The right to request correction or updating of inaccurate, irrelevant, or incomplete information
- The right to request deletion or destruction of personal information where legally permissible
- The right to object to certain types of processing, including direct marketing
- The right to withdraw consent where processing is based on your consent
- The right to lodge a complaint with the Information Regulator if you believe your rights have been infringed
Some of these rights may be subject to limitations or conditions in terms of POPIA and other laws. Where we act as an operator on behalf of a client (for example, processing employee data for a client in FireCloud T&A), we may need to refer your request to the relevant client as the responsible party.
14. Direct Marketing
We may, from time to time, send you information about our services, new features, or events that we believe may be of interest to you, in accordance with POPIA.
You can opt out of direct marketing at any time by:
- Clicking the "unsubscribe" link in any marketing email you receive from us; or
- Contacting us using the details in the Contact Us section below.
15. Third-Party Websites and Services
Our website and platforms may contain links to third-party websites or services. We are not responsible for the content, security, or privacy practices of such third parties. We encourage you to review the privacy policies of any external websites or services you visit or use.
16. Information Officer and Contact Details
In terms of POPIA, we have appointed an Information Officer who is responsible for overseeing compliance with data protection obligations.
Information Officer: Information Officer, Tecspec (Pty) Ltd t/a Baobab Technologies
Postal/Physical Address:
12 Speldekussing Ave
Roodekrans, Gauteng, 1724
South Africa
Telephone: +27 87 135 0375
Email (general and POPIA enquiries): info@baobabtech.co.za
Website: https://baobabtech.co.za
17. Information Regulator
If you believe that we have not handled your personal information lawfully or in accordance with this Policy, you may lodge a complaint with the Information Regulator of South Africa. Details are available on the Information Regulator’s official website.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. The updated version will be posted on our website with an updated "Last Updated" date.
Your continued use of our website or services after any changes to this Privacy Policy will constitute your acceptance of the revised terms.