SKWADDY PRIVACY POLICY

SKWADDY PRIVACY POLICY

Last Updated: January 2026

1. INTRODUCTION

Blue Pentagon Consulting (Pty) Ltd, trading as Skwaddy ("Skwaddy", "we", "us", or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Skwaddy platform (the "Service").

Privacy-First Design: Skwaddy is built on privacy-by-design principles. We implement enhanced security measures including cryptographic hashing of phone numbers, database-level security controls, and minimal data collection to protect your information and the information of your dependents.

This Privacy Policy complies with the Protection of Personal Information Act (POPIA) of South Africa and applies to all users of the Service.

By using the Service, you acknowledge and understand the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account Information:

  • Name (first name and surname)

  • Phone number (cryptographically hashed - see Section 4)

  • Email address (optional)

  • Profile photo (optional)

  • Authentication credentials (if using Google Sign-In)

Dependent Information:

  • First names and surname initials (for privacy protection)

  • Age or date of birth

  • Photos (optional)

  • Relationship to you (child, pet, adult requiring care)

  • Dietary restrictions and allergies (optional)

Connection Information:

  • Information about other users you connect with

  • Child friendship pairings

  • Connection preferences and notes

Event and Activity Information:

  • Playdate details (date, time, location, activities)

  • Party and event information (invitations, RSVPs, guest lists)

  • Location data (addresses for playdates and events)

  • Event preferences and notes

Communications:

  • Messages and notifications sent through the Service

  • Support requests and correspondence with Skwaddy

2.2 Information We Collect Automatically

Usage Information:

  • Features you use and actions you take

  • Pages and content you view

  • Business Partner listings you view or click

  • Time, frequency, and duration of your activities

  • Error logs and diagnostic data

Device Information:

  • Device type, model, and operating system

  • Browser type and version

  • IP address (anonymized)

  • Device identifiers

  • Screen resolution and display settings

Location Information:

  • Location data you provide when creating events or playdates

  • Location autocomplete data from Google Places API

  • We do not track your real-time location

2.3 Information from Third-Party Services

When you use third-party authentication or services:

  • Google Sign-In: Basic profile information (name, email)

  • Google Places API: Location suggestions and address validation

  • Google Maps API: Map display for event locations

3. HOW WE USE YOUR INFORMATION

We use your information for the following purposes:

3.1 Service Provision

  • Create and manage your account

  • Facilitate connections between users

  • Coordinate playdates, parties, and events

  • Send invitations and manage RSVPs

  • Enable QR code connection features

  • Process and display user content

3.2 Communication

  • Send you service-related notifications

  • Respond to your inquiries and support requests

  • Send important updates about the Service

  • Communicate changes to our Terms or Privacy Policy

3.3 Safety and Security

  • Verify user identities through phone number verification

  • Detect and prevent fraud, abuse, and security incidents

  • Enforce our Terms of Service

  • Protect the rights, property, and safety of Skwaddy, users, and dependents

3.4 Service Improvement

  • Analyze usage patterns and trends (anonymized data only)

  • Develop new features and functionality

  • Improve user experience and Service performance

  • Conduct research and analytics

  • Test and optimize Service features

3.5 Advertising and Business Recommendations

  • Display relevant venue and service recommendations based on your location and event type

  • Show nearby family-friendly businesses when planning activities

  • Provide appropriate venue suggestions when creating playdates or parties

  • Deliver location-based content from Business Partners

  • Provide Business Partners with aggregate, anonymized analytics (impression counts, general area statistics) to measure campaign effectiveness

We do NOT share your personal information with Business Partners. All data provided to advertisers is aggregated and anonymized. Business Partners never see individual user identities, contact information, or personal profiles.

3.6 Legal Compliance

  • Comply with applicable laws and regulations

  • Respond to legal requests and prevent harm

  • Enforce our legal rights and agreements

3.6 Automated Decision-Making

Skwaddy does not make automated decisions that produce legal or similarly significant effects on users or dependents. All significant decisions regarding your account, connections, or Service access involve human review.

4. PHONE NUMBER SECURITY - ENHANCED PRIVACY PROTECTION

Skwaddy implements industry-leading phone number security measures:

4.1 Cryptographic Hashing

Your phone number is cryptographically hashed using one-way hash functions before storage. This means:

  • Your phone number is never stored in plaintext in our database

  • Phone numbers may be briefly processed in memory during verification but are not retained

  • The original number cannot be reverse-engineered from the stored hash

  • Hash-based matching allows connection discovery without exposing actual numbers

  • Even in the event of a data breach, your phone number remains significantly protected against unauthorized disclosure

4.2 Why This Matters

  • Enhanced Privacy: We do not retain access to your actual phone number after initial verification

  • Breach Protection: Stolen database data cannot reveal phone numbers

  • Minimal Data: We only store what is mathematically necessary for functionality

  • Security Design: Our approach is designed to exceed common industry security practices for consumer applications

4.3 Phone Number Usage

We use phone number hashes solely to:

  • Verify your identity during account creation

  • Enable connection discovery (find users you may know)

  • Prevent duplicate accounts

  • Enhance account security

We do not use your phone number for marketing, spam, or unsolicited communications.

5. DATA SHARING AND DISCLOSURE

5.1 Information Shared with Other Users

Within the Service, other users may see:

  • Your first name and surname initial

  • Your profile photo (if provided)

  • Information about your dependents (first names and surname initials only)

  • Event and playdate details you create or participate in

  • Connection status (if you are connected)

We Never Share:

  • Your phone number (stored as hash only)

  • Your full address (only location names you choose to share in events)

  • Private messages or notes

  • Sensitive dependent information beyond what you choose to display

5.2 Third-Party Service Providers

We share information with trusted third-party service providers who assist in operating the Service:

Google LLC:

  • Google Places API: Location autocomplete and address validation

  • Google Sign-In: Authentication services

  • Google Maps API: Map display for event locations

  • Subject to Google's Privacy Policy: https://policies.google.com/privacy

Supabase Inc.:

  • Cloud hosting and database infrastructure

  • Data storage and processing

  • Subject to Supabase's Privacy Policy: https://supabase.com/privacy

These service providers are contractually obligated to protect your information and may only use it to provide services to Skwaddy.

5.3 Legal Requirements and Safety

We may disclose your information if required to:

  • Comply with applicable laws, regulations, or legal processes

  • Respond to lawful requests from government authorities

  • Enforce our Terms of Service or other agreements

  • Protect the rights, property, or safety of Skwaddy, users, or the public

  • Prevent fraud, security breaches, or illegal activity

  • Investigate potential violations of our policies

5.4 Business Transfers

If Skwaddy is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

5.5 Aggregated and Anonymized Data

We may share aggregated and anonymized data that does not identify you personally for:

  • Industry analysis and benchmarking

  • Research and analytics

  • Service improvement

  • Business development

  • Providing campaign performance analytics to Business Partners

Aggregated data combines information across multiple users into statistical summaries. Anonymized data has been processed so that it cannot reasonably be re-identified to any individual user or dependent.

Business Partners receive only this type of aggregated, anonymized data (such as "your venue listing received 100 impressions in the Sandton area this week"). They never receive information that identifies you individually.

5.6 Business Partners and Advertising

The Service displays venue listings, recommendations, and advertisements from third-party Business Partners.This section explains how your information is used for advertising purposes and what protections are in place.

How Advertising Works:

  • When you plan activities, create playdates, or browse the Service, we may display relevant venue and service recommendations from Business Partners

  • Recommendations are based on location data (venues near your event location or general area) and event type(party venues when planning parties, activity centers when planning playdates)

  • Targeting uses only necessary context (location, event type) to show relevant options

What Business Partners Receive: Business Partners who advertise on Skwaddy receive only aggregate, anonymized analytics, including:

  • Total impressions (how many times their listing was viewed)

  • Total clicks (how many users clicked for more information)

  • General geographic area statistics (e.g., "50 views from Johannesburg area")

  • Event type statistics (e.g., "20 clicks from users planning birthday parties")

What Business Partners Do NOT Receive:

  • Your name, email, phone number, or any personal contact information

  • Individual user profiles or account information

  • Information about specific users who viewed their listings

  • Personal information about your dependents

  • Your precise location or address

  • Any personally identifiable information

Privacy Protections:

  • All analytics provided to Business Partners are aggregated across multiple users

  • Data is anonymized so individual users cannot be identified

  • Business Partners cannot contact you directly through the Service

  • You control what location information to share when creating events

  • Business Partners have no access to the Skwaddy user database

User Interactions with Business Partners:

  • If you click on a Business Partner listing, you may be directed to their external website

  • Any information you provide directly to a Business Partner (on their website or in person) is governed by that Business Partner's privacy policy, not Skwaddy's

  • We do not control or monitor your interactions with Business Partners outside the Service

  • We are not responsible for Business Partner data practices

Opting Out: While we cannot completely disable venue recommendations (as they are part of the Service's core functionality), you can:

  • Choose not to click on Business Partner listings

  • Limit location sharing by using general areas rather than specific addresses

  • Report inappropriate or unwanted advertisements to privacy@skwaddy.com

Business Partner Vetting: While we aim to partner with quality, family-friendly businesses, we do not conduct comprehensive background checks or guarantee the safety, quality, or suitability of Business Partners. Always use your own judgment when interacting with any business.

5.7 With Your Consent

We may share your information for other purposes with your explicit consent.

We may share your information for other purposes with your explicit consent.

6. DATA RETENTION

6.1 Active Accounts

We retain your information while your account is active and as necessary to provide the Service.

6.2 Account Deletion

When you delete your account:

  • Your data is marked for deletion within 30 days

  • This 30-day period allows for account recovery in case of accidental deletion

  • After 30 days, your data is permanently deleted from production systems

  • Backup systems may retain data for an additional 90 days for disaster recovery purposes

6.3 Inactive Accounts

If your account is inactive for 24 consecutive months, we may:

  • Send you a notification warning of potential deletion

  • Delete your account and data after an additional 30-day notice period

  • Exempt accounts with active connections or upcoming events from automatic deletion

6.4 Legal Holds

We may retain information longer if required by law, regulation, legal process, or to protect our legal rights.

6.5 Event History

After events conclude:

  • Event details are retained for 12 months for reference and planning future events

  • You may manually delete past events at any time through the Service

7. YOUR RIGHTS UNDER POPIA

Under the Protection of Personal Information Act (POPIA), you have the following rights:

7.1 Right to Access

You may request access to the personal information we hold about you. Contact us at privacy@skwaddy.com to submit a request.

7.2 Right to Correction

You may update or correct your personal information at any time through your account settings or by contacting us.

7.3 Right to Deletion

You may request deletion of your personal information by:

  • Using the account deletion feature in the Service

  • Contacting us at privacy@skwaddy.com

Note: We may retain certain information as required by law or for legitimate business purposes (fraud prevention, legal compliance).

7.4 Right to Object

You may object to our processing of your personal information for certain purposes. Contact us to exercise this right.

7.5 Right to Data Portability

You may request a copy of your personal information in a structured, commonly used format. Contact us at privacy@skwaddy.com.

7.6 Right to Withdraw Consent

Where we rely on your consent to process personal information, you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

7.7 Right to Lodge a Complaint

If you believe we have violated your privacy rights under POPIA, you may lodge a complaint with:

Information Regulator (South Africa)
Email: inforeg@justice.gov.za
Website: https://www.justice.gov.za/inforeg/

You may also contact us directly at privacy@skwaddy.com to resolve concerns.

8. CHILDREN'S PRIVACY

8.1 Age Restriction

The Service is intended for users aged 16 and older. Accounts may only be created by parents, legal guardians, or caregivers aged 16 or older. Dependents do not create independent accounts or interact with the Service directly.

We do not knowingly collect personal information from children under 16 without parental consent.

8.2 Dependent Information

The Service allows guardians (parents and caregivers) to add information about their dependents, including children. By adding a dependent to your account, you represent and warrant that:

  • You are the parent, legal guardian, or authorized caregiver of the dependent

  • You have the legal right to share the dependent's information

  • You have obtained any necessary consents to share photos and information about the dependent

8.3 Guardian Control

Guardians maintain full control over dependent information:

  • You decide what information to share about your dependents

  • You control who can see dependent information through connection management

  • You may update or delete dependent information at any time

  • Dependent profiles are displayed with first names and surname initials only for privacy

8.4 Privacy Protection for Dependents

We implement enhanced privacy protections for dependent information:

  • Limited data collection (only what is necessary for coordination)

  • Display restrictions (first name and surname initial only)

  • Secure storage with database-level access controls

  • No direct marketing or profiling of dependents

8.5 Parental Rights

Parents and guardians may:

  • Review all information about their dependents

  • Request corrections or updates

  • Delete dependent profiles at any time

  • Control visibility settings for dependent information

If you believe we have inadvertently collected information from a child under 16 without proper parental consent, please contact us immediately at privacy@skwaddy.com and we will delete such information promptly.

9. DATA SECURITY

9.1 Security Measures

Skwaddy implements comprehensive security measures to protect your information:

Database-Level Security:

  • Row Level Security (RLS) policies ensure users can only access their own data

  • Private database tables for sensitive information

  • Encryption of data in transit (HTTPS/TLS)

  • Encryption of data at rest

Access Controls:

  • Multi-factor authentication support

  • Secure password hashing

  • Account verification requirements

  • Session management and timeout controls

Phone Number Protection:

  • Cryptographic hashing (no plaintext storage)

  • One-way hash functions prevent reverse engineering

  • Hash-based matching for connection discovery

Application Security:

  • Regular security audits and testing

  • Secure coding practices

  • Protection against common vulnerabilities (SQL injection, XSS, CSRF)

  • API security and rate limiting

Infrastructure Security:

  • Secure cloud hosting with Supabase

  • Regular backups and disaster recovery

  • Network security and monitoring

  • Physical security of data centers (managed by hosting provider)

9.2 Security Limitations

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your information. You acknowledge and accept the inherent risks of transmitting information over the internet.

9.3 Your Security Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your account credentials

  • Using a strong, unique password

  • Not sharing your account access with others

  • Promptly notifying us of any suspected security breach

  • Securing your devices and internet connection

9.4 Security Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Notify you within 72 hours of becoming aware of the breach (as required by POPIA)

  • Provide details about the nature of the breach

  • Inform you of steps we are taking to address the breach

  • Advise you on steps you can take to protect yourself

  • Notify the Information Regulator as required by law

10. INTERNATIONAL DATA TRANSFERS

10.1 Data Storage Location

Your data is primarily stored and processed in servers located in:

  • South Africa (primary hosting)

  • European Union (backup and redundancy through Supabase infrastructure)

  • United States (third-party service providers like Google)

10.2 Cross-Border Transfers

When your data is transferred outside South Africa, we ensure appropriate safeguards are in place:

  • Service providers comply with recognized international privacy frameworks

  • Contractual obligations requiring data protection

  • Technical and organizational security measures

  • Compliance with POPIA requirements for cross-border data flows

10.3 Your Rights

Cross-border data transfers do not diminish your rights under POPIA. You retain all rights described in Section 7 regardless of where your data is processed.

11. COOKIES AND TRACKING TECHNOLOGIES

11.1 Cookies We Use

Skwaddy uses essential cookies and similar technologies to:

  • Maintain your session and keep you logged in

  • Remember your preferences and settings

  • Provide security features

  • Analyze Service performance and usage (anonymized)

Note for Mobile Users: When using mobile applications, the Service may use device-level storage and identifiers instead of traditional browser cookies to provide similar functionality.

11.2 Types of Cookies

Essential Cookies (Required):

  • Authentication and session management

  • Security and fraud prevention

  • Load balancing and performance

Functional Cookies (Optional):

  • User preferences and settings

  • Language selection

  • Display customization

Analytics Cookies (Optional):

  • Anonymized usage statistics

  • Service performance monitoring

  • Feature usage analysis

11.3 Cookie Management

You may control cookie preferences through:

  • Your browser settings (most browsers allow you to refuse cookies)

  • Our cookie consent banner (when implemented)

Note: Disabling essential cookies may impair Service functionality.

11.4 Third-Party Cookies

Third-party services integrated into Skwaddy (Google services) may set their own cookies subject to their respective privacy policies.

12. DO NOT TRACK SIGNALS

Some browsers support "Do Not Track" (DNT) signals. Skwaddy does not currently respond to DNT signals as there is no industry standard for compliance. We do not track users across third-party websites.

13. DATA MINIMIZATION

Skwaddy adheres to the principle of data minimization:

  • We collect only information necessary to provide the Service

  • We limit data retention to what is legally required or operationally necessary

  • We implement privacy-by-design in all features

  • We regularly review and delete unnecessary data

14. YOUR PRIVACY CHOICES

14.1 Account Information

  • Update your profile information at any time through account settings

  • Choose what information to display to other users

  • Control visibility of dependent information

14.2 Communications

  • Manage notification preferences in your account settings

  • Opt out of non-essential communications

  • Essential service communications cannot be disabled (security alerts, terms updates)

14.3 Location Sharing

  • You control when and where you share location information

  • Location data is only collected when you create events or playdates

  • You may delete location data by deleting associated events

14.4 Connections

  • Control who can connect with you

  • Block or remove connections at any time

  • Manage child friendship pairings

14.5 Account Deletion

  • Delete your account and associated data at any time

  • Export your data before deletion if desired

  • Request data deletion assistance at privacy@skwaddy.com

15. CHANGES TO THIS PRIVACY POLICY

15.1 Updates

We may update this Privacy Policy from time to time to reflect changes in:

  • Our data practices

  • Legal requirements

  • Service features and functionality

  • Industry best practices

15.2 Notification

When we make material changes to this Privacy Policy, we will:

  • Update the "Last Updated" date at the top of this policy

  • Notify you through the Service (in-app notification)

  • Send you an email notification (if you have provided an email address)

  • Provide prominent notice for significant changes

15.3 Your Acceptance

Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Service and may delete your account.

15.4 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

16. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Officer
Blue Pentagon Consulting (Pty) Ltd (trading as Skwaddy)
Email: privacy@skwaddy.com
Support: support@skwaddy.com
General Inquiries: info@skwaddy.com
Website: www.skwaddy.com

Mailing Address:
Cedarwood House, Ballywoods Office Park
33 Ballyclare Drive, Bryanston
Gauteng, 2191, South Africa

Response Time:
We will respond to privacy inquiries within 30 days of receipt.

Data Subject Access Requests:
For requests to access, correct, or delete your personal information, please email privacy@skwaddy.com with "Data Subject Request" in the subject line. Include:

  • Your full name

  • Phone number associated with your account

  • Specific request details

  • Proof of identity (if required)

17. POPIA COMPLIANCE STATEMENT

This Privacy Policy and Skwaddy's data practices comply with the Protection of Personal Information Act 4 of 2013 (POPIA) and its regulations.

Responsible Party:
Blue Pentagon Consulting (Pty) Ltd (trading as Skwaddy)
Information Officer: A. Dlamini
Email: privacy@skwaddy.com

Business Address:
Cedarwood House, Ballywoods Office Park
33 Ballyclare Drive, Bryanston
Gauteng, 2191, South Africa

Lawful Basis for Processing:
We process your personal information based on different legal grounds depending on the purpose:

  • Contractual necessity: To provide core Service functionality you requested (account management, connections, event coordination, invitations, RSVP management)

  • Consent: For optional features and communications (profile photos, event photos, non-essential notifications, optional location sharing, dietary restriction information)

  • Legitimate interests: For service improvement, security, fraud prevention, analytics, technical operations, and displaying relevant venue recommendations from Business Partners (where these interests are balanced against your privacy rights and do not involve sharing your personal information with third parties)

  • Legal obligations: To comply with applicable laws, respond to legal requests, and fulfill regulatory requirements

Processing Principles:
Skwaddy adheres to POPIA's processing principles:

  • Accountability: We are responsible for complying with POPIA

  • Processing limitation: We process information only for specified, lawful purposes

  • Purpose specification: We clearly communicate why we collect information

  • Further processing limitation: We don't use information for incompatible purposes

  • Information quality: We maintain accurate and up-to-date information

  • Openness: We are transparent about our data practices

  • Security safeguards: We implement appropriate security measures

  • Data subject participation: We respect your rights under POPIA

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO OUR COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL INFORMATION AS DESCRIBED HEREIN.