Privacy Policy

1) Personal Information You Provide

Account Registration

• First Name, Last Name
• Email Address (authentication & communications)
• Password (encrypted; never stored in plain text)
• Organization/Affiliation (optional)
• User Code (assigned identifier)

Profile: user role/permissions, group memberships, station access permissions.

Water Monitoring Submissions

• Date & time of readings
• Station identification
• Gauge plate readings (m) and optional discharge
• Photographs (for verification)
• Location data (GPS in photo EXIF)

Station Access Applications: requested WMA(s)/station(s), justification, status, review notes.

2) Automatically Collected Information

Device: platform, OS version, app version, screen resolution.

Usage: features accessed, stations viewed, submission history/status, login/logout, app errors/crashes.

Location: GPS coordinates embedded in submission photos; used to verify station location.

Note: Location is only collected with photo-based submissions; we do not track in the background.

3) Camera & Photo Library Access

• Camera (required) and photo library (optional) for submissions
• EXIF metadata (GPS, date/time, device)
• Secure transmission to AWARD servers for moderation

FlowTracker for iOS requests the following permissions to provide its core functionality:

Camera Access

We request access to your device camera to allow you to capture photos of water monitoring points. Photos are used exclusively for documenting water flow readings and environmental conditions at monitoring sites.

Photo Library Access

We request access to your photo library so you can select existing photos to attach to your water monitoring submissions. Location data embedded in photo EXIF metadata may be extracted to associate readings with geographic coordinates.

Location Data

FlowTracker does not directly access your device’s location services. However, we may extract location information from EXIF metadata embedded in photos you submit. This location data is used solely to map water monitoring points and is essential to the app’s water management functionality.

Push Notifications (Optional)

If you enable push notifications, we may send you alerts about monitoring schedules, data submission reminders, or important updates related to your water monitoring activities. You can disable notifications at any time in your device settings.

All permissions are requested only when needed for specific features, and you can deny these permissions if you choose not to use related functionality.

Primary Purposes

1. Authentication & Account Management (OAuth2/Keycloak; permissions & station access)
2. Water Monitoring & Data Collection (processing, verification, history, visualizations)
3. Quality Control & Moderation (review, approve/reject, follow-ups)
4. Station Access Management (applications, grants/denials, WMA permissions)
5. Application Improvement (performance, UX, features)
6. Communication (account updates, access status, support)

Secondary Purposes

7. Research & Reporting (aggregated/anonymous data)
8. Legal Compliance (laws, requests, fraud prevention, safety)

1. Consent on registration and use
2. Legitimate Interests (environmental/public benefit)
3. Legal Obligations
4. Performance of Contract

AWARD & Partner Organizations

• AWARD staff and authorized water authorities
• Research partners (anonymized, aggregated data)

Authentication Services

Keycloak on auth.award.org.za using industry-standard security and POPIA-aligned practices.

No Third-Party Marketing

• We do not sell, rent, or trade personal information
• We do not share data with advertisers

Public Data

Only aggregated stats, station locations, and historical data; never names or emails.

FlowTracker uses the following third-party services to operate:

Firebase Crashlytics

We use Google Firebase Crashlytics to monitor app stability and identify crashes or technical issues. Firebase Crashlytics may collect:

• Crash logs and stack traces
• Device information (model, operating system version)
• App version information
• Anonymized usage data related to app stability

This data is collected automatically when a crash occurs and is used solely to improve app reliability and fix bugs. No personally identifiable information is intentionally included in crash reports.

Firebase Privacy Policy: https://firebase.google.com/support/privacy

Keycloak Authentication

We use Keycloak, an open-source identity and access management solution, to handle user authentication securely. Keycloak processes:

• Your email address
• Password (stored encrypted)
• Authentication tokens

Keycloak is self-hosted by AWARD and operates under our data protection policies. Your authentication credentials are never shared with third parties.

No Other Third-Party Tracking

FlowTracker does not use any third-party analytics services, advertising networks, or tracking tools beyond the services listed above.

FlowTracker does not track users across apps or websites owned by other companies.

We do not:

• Use your data for targeted advertising
• Share your data with data brokers
• Track your activity across third-party apps or websites
• Use device identifiers (IDFA) for tracking purposes

Any data collected is used exclusively for the operation of FlowTracker’s water monitoring features and improving app stability through crash reporting.

Technical Safeguards

• HTTPS/TLS encryption in transit
• Encrypted password storage
• OAuth 2.0 authentication
• Secure, authenticated API endpoints

Organizational Safeguards

• Role-based access
• Security audits and updates
• Staff training on POPIA
• Incident response procedures

App Security

Android: signed releases, no cleartext HTTP, secure token storage.
iOS: ATS enforced, Keychain tokens, sandboxing.

Local Data Storage

FlowTracker stores the following data locally on your device:

• Authentication tokens (encrypted)
• Cached monitoring data for improved performance
• User preferences and settings

This locally stored data is protected by your device’s security features, including device encryption and passcode protection.

Cloud Data Storage

Monitoring submissions (readings, photos, timestamps) are transmitted securely to AWARD’s servers using HTTPS/TLS encryption. All data transmitted between your device and our servers is encrypted in transit.

Server-side data storage complies with POPIA (Protection of Personal Information Act) requirements and is hosted within secure infrastructure.

Note: No method is 100% secure; we cannot guarantee absolute security.

• Active Accounts: retained while active
• Inactive Accounts: may be archived/deleted after 3 years
• Water Monitoring Data: retained indefinitely (historical record)
• Authentication Logs: 90 days
• Application Logs: 30 days

You may request deletion of your account (see “Your Rights”).

1. Access – request your personal data
2. Correction – update inaccuracies
3. Deletion – request account deletion (subject to legal/legitimate interests; anonymized data may be retained)
4. Object – to certain processing
5. Data Portability
6. Withdraw Consent – delete your account
7. Complain – Information Regulator: inforegulator.org.za • complaints.IR@justice.gov.za • 012 406 4818

FlowTracker is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

South Africa (POPIA)

This privacy policy complies with the Protection of Personal Information Act (POPIA), 2013. FlowTracker processes personal information in accordance with POPIA’s conditions for lawful processing.

Other Southern African Countries

Users in Botswana, Namibia, Zimbabwe, and Mozambique are covered by this privacy policy. We apply the same data protection standards to all users regardless of location.

Data is stored/processed in South Africa. If transferred internationally for research or technical purposes, appropriate safeguards are applied in line with POPIA.

• No cookies or third-party trackers
• Local storage for offline caching
• Session & OAuth tokens for authentication

External links (e.g., Keycloak, AWARD website) have their own privacy practices. Please review their policies.

• Notify affected users via email or in-app
• Update station permissions
• Maintain historical data with proper access controls

If FlowTracker requires additional mobile permissions in future updates, we will:

1. Request your consent before accessing new device features
2. Update this privacy policy to reflect new permissions
3. Notify you of significant changes through in-app notifications or email

1. Notify the Information Regulator within 72 hours
2. Notify affected users as soon as reasonably possible
3. Provide details and mitigation steps
4. Guidance for protecting your information

Association for Water and Rural Development (AWARD)
Attention: FlowTracker Support / Data Protection Officer

FlowTracker Support: flowtracker@award.org.za
Data Protection Officer: dpo@award.org.za
General Inquiries: info@award.org.za
Phone: +27 15 793 0503
Website: https://award.org.za
Address: 2 Maroela Park, Koedoe Street, Hoedspruit, 1380, South Africa
Postal: P.O. Box 1919, Hoedspruit, 1380, South Africa
Office Hours: Mon–Fri, 08:00–16:30 SAST

• POPIA (Act 4 of 2013)
• ECTA (Act 25 of 2002)
• PAIA (Act 2 of 2000)

1. You have read and understood this policy
2. You consent to the described processing
3. Your information is accurate and truthful

• “Last Updated” date will change when revised
• We may notify via email or in-app
• Continued use constitutes acceptance

You can view the current Privacy Policy in the app’s About section or on our website.