1. Introduction

Vision Africa Research Services (Pty) Ltd (“Vision Africa”, “we”, “us”, or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our market research platform and services.

As a market research organization operating across Southern Africa (Namibia, Zimbabwe, Zambia, Angola, Mozambique, Botswana, and Malawi), we handle sensitive demographic, survey response, and client data. We are committed to compliance with applicable data protection laws including GDPR and POPIA (Protection of Personal Information Act).

2. Information We Collect

• 2.1 Personal Information
  
  
• When you register or use our services, we may collect:
• Account Information: Email address, password (encrypted), full name, phone number
• Demographic Information: Age/birth year, gender, marital status, education level, employment status, occupation, income bracket
• Location Data: Country, region, city, metropolitan/rural classification, residential address
• Living Standards Measure (LSM) Data: Household items, home amenities (water, electricity, internet), vehicle ownership details
• Client Information: Company name, industry, contact person details, billing information
• Survey Responses: Answers to survey questions, feedback, opinions, preferences
• Mystery Shopping Data: Visit reports, service evaluations, photographs, location check-ins
  
  
• 2.2 Technical Information
  
  
• Device Information: IP address, browser type and version, device type, operating system
• Usage Data: Pages visited, time spent on platform, click patterns, feature usage
• Authentication Tokens: JWT tokens for session management
• Cookies and Tracking: Session cookies, authentication cookies, analytics cookies
• Log Files: Access logs, error logs, security event logs
  
  
• 2.3 File Uploads
  
  
• We collect files you upload including survey materials, mystery shopping photos, company logos, and supporting documents (maximum 10MB per file).

3. How We Use Your Information

• 3.1 Service Provision
  
  
• Creating and managing user accounts with role-based access (Admin, Client, Respondent, Researcher)
• Distributing surveys to targeted respondent groups based on demographics and LSM scores
• Processing survey responses and generating analytics reports
• Managing mystery shopping projects and visit assignments
• Calculating Living Standards Measure (LSM) scores for market segmentation
• Providing real-time notifications via WebSocket connections
• Facilitating reward transactions for survey participation
  
  
• 3.2 Research and Analytics
  
  
• Conducting demographic analysis and statistical modeling
• Creating aggregate reports and market insights for clients
• Performing trend analysis across multiple markets
• Quality control and data validation
• Improving our research methodologies (CAPI, CATI, CAWI, focus groups, in-depth interviews)
  
  
• 3.3 Communication
  
  
• Sending survey invitations and project notifications
• Providing customer support and responding to inquiries
• Sending password reset emails and account security alerts
• Sharing project updates and research opportunities
  
  
• 3.4 Security and Compliance
  
  
• Authenticating users and preventing unauthorized access
• Detecting and preventing fraud, spam, and abuse
• Monitoring for security threats and suspicious activity
• Maintaining audit logs for compliance purposes
• Rate limiting to prevent API abuse (5 login attempts per 15 minutes, 100 API requests per 15 minutes)

4. Data Sharing and Disclosure

• 4.1 Client Reporting
  
  
• We share aggregated, anonymized research data with our clients. Individual respondent identities are never disclosed to clients unless explicitly consented to for follow-up research purposes.
  
  
• 4.2 Service Providers
  
  
• We may share data with trusted third-party service providers who assist in:
• Cloud hosting and database management
• Email delivery services (SMTP providers)
• File storage (AWS S3 or similar)
• Payment processing for client billing
• Analytics and performance monitoring
• All service providers are contractually bound to protect your data and use it only for specified purposes.
  
  
• 4.3 Legal Requirements
  
  
• We may disclose your information when required by law, court order, or government regulation, or when necessary to:
• Comply with legal processes and law enforcement requests
• Protect our rights, property, or safety
• Prevent fraud or illegal activity
• Enforce our Terms and Conditions
  
  
• 4.4 Business Transfers
  
  
• In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
  
  
• 4.5 No Sale of Personal Data
  
  
• We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Data Security Measures

• We implement industry-standard security measures to protect your data:
• Encryption: Password hashing using bcryptjs with salt rounds; HTTPS/TLS for data in transit
• Authentication: JWT-based authentication with 15-minute access token expiration and 7-day refresh tokens
• Access Controls: Role-based access control (RBAC) limiting data access based on user roles
• Input Validation: Express-validator preventing SQL injection and XSS attacks
• Rate Limiting: Protection against brute force attacks and API abuse
• Security Headers: Helmet.js implementation for HTTP security headers
• Database Security: Prisma ORM with parameterized queries preventing SQL injection
• File Upload Security: Type validation, size limits (10MB), and secure storage
• Account Lockout: Automatic lockout after failed login attempts
• Audit Logging: Comprehensive activity tracking for security monitoring
• Regular Security Updates: Timely patching of security vulnerabilities

6. Data Retention

• We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
• Active Accounts: Data retained while account is active
• Survey Responses: Retained for the duration of the research project plus 3 years for potential follow-up research
• Client Data: Retained for contract duration plus 7 years for legal and tax compliance
• Inactive Accounts: Accounts inactive for 2+ years may be archived or deleted with 30 days notice
• Legal Holds: Data subject to legal proceedings retained until resolution
• Aggregated Data: Anonymized, aggregated research data may be retained indefinitely

7. Your Data Protection Rights

• Under GDPR, POPIA, and other applicable data protection laws, you have the following rights:
  
  
• 7.1 Right to Access
  
  
• You have the right to request a copy of all personal data we hold about you.
  
  
• 7.2 Right to Rectification
  
  
• You can update or correct inaccurate personal information through your account settings or by contacting us.
  
  
• 7.3 Right to Erasure (“Right to be Forgotten”)
  
  
• You can request deletion of your personal data, subject to legal retention requirements and contractual obligations.
  
  
• 7.4 Right to Restrict Processing
  
  
• You can request that we limit how we use your data in certain circumstances.
  
  
• 7.5 Right to Data Portability
  
  
• You can request your data in a structured, machine-readable format (CSV, JSON, Excel).
  
  
• 7.6 Right to Object
  
  
• You can object to processing of your data for marketing or research purposes.
  
  
• 7.7 Right to Withdraw Consent
  
  
• Where we rely on consent, you can withdraw it at any time by contacting us at .
  
  
• 7.8 Right to Lodge a Complaint
  
  
• You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

8. International Data Transfers

• As we operate across 7 countries in Southern Africa, your data may be transferred and processed in jurisdictions outside your country of residence. We ensure appropriate safeguards are in place:
• Standard contractual clauses approved by data protection authorities
• Adequacy decisions where applicable
• Binding corporate rules for intra-company transfers
• Explicit consent for transfers where required

9. Children’s Privacy

• Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately at .

10. Cookies and Tracking Technologies

• We use cookies and similar tracking technologies. For detailed information, please see our Cookie Policy.

11. Changes to This Privacy Policy

• We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. We will:
• Update the “Last Updated” date at the top of this policy
• Notify registered users via email for material changes
• Display a prominent notice on our platform for 30 days after significant changes
• Seek fresh consent where required by law

12. Contact Information

• For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
• Data Protection Officer
• Vision Africa Research Services (Pty) Ltd
• Klein Windhoek, Namibia
• Email:
• Phone: +264 61 244 660
• General Inquiries:
• We will respond to all requests within 30 days in accordance with applicable data protection laws.

13. Applicable Law

• This Privacy Policy is governed by the laws of Namibia and applicable international data protection regulations including:
• General Data Protection Regulation (GDPR) for EU residents
• Protection of Personal Information Act (POPIA) for South African residents
• Data Protection laws of Namibia, Zimbabwe, Zambia, Angola, Mozambique, Botswana, and Malawi