Privacy Policy
Last updated: May 2026
1. Introduction
Lymra (Pty) Ltd ("Lymra", "we", "us", or "our") collects and processes personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa.
This Privacy Policy explains what personal information we collect, how we use it, and what rights you have in relation to it. By using Lymra, you acknowledge that you have read and understood this policy.
2. Information Officer
In line with sections 55 and 56 of POPIA, Lymra (Pty) Ltd has designated an Information Officer responsible for compliance with the Act. The Information Officer is the first point of contact for any questions about this policy, requests by data subjects to exercise their POPIA rights, or notifications of suspected security compromises.
Owen Mostert — Information Officer, Lymra (Pty) Ltd
Email: privacy@lymra.co.za
Statutory response window: 30 days. Urgent security notifications acknowledged within one business day.
If you remain unsatisfied after engaging the Information Officer, you may lodge a complaint directly with the Information Regulator of South Africa.
3. Information we collect
We collect the following categories of personal information:
- Account registration data — name, email address, phone number, company name, and role within the organisation.
- Cleaning evidence — photographs captured through the Lymra mobile application, including associated GPS coordinates and timestamps.
- Employee data — names, contact details, and work records of cleaning staff added to the platform by their employer.
- Usage analytics — information about how you interact with the platform, including pages visited, features used, and device information.
4. How we use your information
We use personal information for the following purposes:
- Service delivery — to operate the Lymra platform and provide proof-of-service functionality.
- Quality monitoring — to enable cleaning companies and their clients to verify service quality.
- Reporting — to generate proof reports, dashboards, and analytics for authorised users.
- Platform improvement — to improve the reliability, performance, and features of the platform.
5. Legal basis for processing
We process personal information on the following legal grounds under POPIA:
- Consent — provided at account registration and when using the platform.
- Legitimate interest — for service delivery, platform security, and fraud prevention.
- Legal obligation — where required for compliance with applicable South African law.
- Contractual necessity — to fulfil our obligations under the terms of service.
6. Data retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected. The following windows are enforced automatically by a daily retention job (any record older than its window is hard-deleted):
- Active account data — retained for the duration the account remains active.
- Evidence photos — retained for 12 months as standard. Retention periods are configurable per subscription plan.
- Tenant audit logs — 12 months.
- Cross-tenant access trail — 12 months. (Internal-admin reads of tenant data.)
- Outbound email log — 6 months. (Provider message-id and delivery status only; bodies are not stored.)
- Operational telemetry (cron run history, CSP violation reports) — 90 days.
- Marketing-funnel events — 12 months.
- Soft-deleted records — 90 days, then hard-deleted from the database.
7. Data sharing
We do not sell personal information. We do not share personal information with third parties for marketing purposes.
We share personal information only with:
- Cloud infrastructure providers — for data processing and storage, under strict data processing agreements. See Section 8 for the specific providers, their hosting regions, and the lawful basis for cross-border processing.
- Law enforcement or regulatory bodies — as required by South African law.
8. Cross-border data transfers
Lymra is a South African company serving South African cleaning operators. Your personal information is collected in South Africa and stored on cloud infrastructure located in the European Union. We rely on POPIA s72(1)(a) as the lawful basis for this transfer: the European Union has been recognised as providing an adequate level of personal-information protection under the General Data Protection Regulation (GDPR), which is substantively aligned with POPIA.
The cloud providers we use for hosting, storage, email delivery, and rate limiting are listed below with their primary processing regions. Where a provider is incorporated outside the EU (typically in the United States), data is still physically stored in the EU under contract, and is not routinely transferred to the provider’s country of incorporation:
- Application hosting (Vercel) — serverless functions execute in Frankfurt, Germany (eu-central-1). Static assets are served from a global edge network.
- Primary database (Turso) — Dublin, Ireland (AWS eu-west-1).
- Evidence and document storage (Cloudflare R2) — Eastern Europe (EEUR jurisdiction).
- Transactional email (Resend) — European Union region.
- Rate limiter (Upstash Redis) — Dublin, Ireland (AWS eu-west-1).
Material changes to this list — for example, adding a new sub-processor or changing a processing region — are announced to existing tenants by email at least 14 days in advance, except where a shorter window is required to address a security risk. The most current list is also published at /security.
If you would like a copy of any of the data processing agreements we have in place with these providers for your own compliance review, contact the Information Officer at privacy@lymra.co.za.
9. Your rights under POPIA
As a data subject under POPIA, you have the right to:
- Access — request confirmation of whether we hold your personal information and obtain a copy.
- Correction — request correction or updating of inaccurate personal information.
- Deletion — request deletion of your personal information where it is no longer necessary.
- Objection — object to the processing of your personal information on reasonable grounds.
- Data portability — request your data in a structured, commonly used format.
Logged-in tenant users can lodge an access, correction, deletion, or objection request directly from their account settings. Anyone may also submit a request by email to privacy@lymra.co.za. We will respond within 30 days.
10. Data security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption in transit using TLS (Transport Layer Security).
- Encryption at rest for stored data.
- Role-based access controls limiting data access to authorised personnel.
- Regular security reviews and vulnerability assessments.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
If you have questions about this Privacy Policy or our data practices, contact us at: