Legal & Privacy

Privacy Policy

EWARP is built on a foundation of anonymity. This policy explains exactly what we collect, what we don't, and why.

Effective date: 15 April 2026

Introduction

EWARP (Employee Workplace and Relationship Platform) is an anonymous employee grievance platform built for South African businesses. We help employees raise workplace concerns safely — without revealing who they are.

This Privacy Policy applies to:

Employees who submit anonymous complaints via EWARP
Managers and company administrators who use the EWARP dashboard
Visitors to ewarp.org

Our role under data protection law

For manager and administrator data, EWARP acts as the data controller — we decide how and why that information is processed.

For complaint data submitted by employees, EWARP acts as a data processor — we process that data on behalf of the employing company (the data controller). The company is responsible for its employees' data under their own data protection obligations.

A Data Processing Addendum (DPA) is available to companies using EWARP. Contact privacy@ewarp.org to request a copy.

Who we are

EWARP is an anonymous employee grievance platform built for South African businesses. We help employees raise workplace concerns safely — without revealing who they are.

If you have any questions about this policy, contact us at privacy@ewarp.org

What data we collect

Employees (complaint submitters)

When you submit a complaint, we collect:

The complaint category (e.g. harassment, safety, unfair treatment)
Your department (as selected — not linked to your identity)
A written description of your concern
Any file attachment you choose to include (optional)
A tracking token — a random code generated for your complaint so you can follow up anonymously

That's it. Nothing else.

Managers (company accounts)

When a manager registers and logs in, we collect:

Email address — used for login via Supabase Auth
Company name — to link your account to your organisation

Technical data

Our hosting providers (Vercel and Supabase) generate standard server and access logs. These may include IP addresses and request timestamps. These logs are temporary, automatically rotated, used only for infrastructure health and security monitoring, and never linked to complaint submissions.

What we do NOT collect

This is fundamental to how EWARP works.

When you submit a complaint, we do NOT collect:

❌Your name
❌Your email address
❌Your employee ID or staff number
❌Your IP address (not stored or logged in connection with complaints)
❌Any device identifiers
❌Any information that could identify you as an individual

We cannot tell who submitted a complaint. That's by design.

The only link between you and your complaint is the tracking token you receive at submission. We don't hold it. You do.

How we use your data

Complaint data

Complaints are shared with your company's designated managers only. We do not sell complaint data, share it with third parties beyond your company's managers, or use it for marketing, profiling, or analysis.

Manager data

Your email address is used solely for authentication. We don't use it for marketing without your consent.

Legal basis for processing

POPIA (South Africa)

Under the Protection of Personal Information Act, 4 of 2013 (POPIA), EWARP processes personal information on the following grounds:

Processing activity	Lawful ground (POPIA)
Manager account creation and authentication	Contractual necessity (Section 11(1)(b))
Complaint processing on behalf of companies	Legitimate interest / contractual necessity
Security monitoring and infrastructure logs	Legitimate interest (Section 11(1)(f))
Legal compliance	Legal obligation (Section 11(1)(c))

GDPR (European Economic Area & United Kingdom)

For data subjects located in the EEA or UK, EWARP relies on the following lawful bases under the General Data Protection Regulation (GDPR):

Processing activity	Lawful basis (GDPR Article 6)
Manager account and authentication	Article 6(1)(b) — performance of a contract
Complaint processing (as processor)	Article 6(1)(b) — contract with the employing company
Security monitoring and logs	Article 6(1)(f) — legitimate interests
Legal compliance	Article 6(1)(c) — legal obligation

Where EWARP processes complaint data as a data processor, the lawful basis is determined by the company as data controller.

How we share information

Within your company

Complaint data is shared exclusively with the managers and administrators registered to your company's EWARP account. Access is enforced at the database level using row-level security (RLS) — it is technically impossible for one company to access another company's complaint data.

Sub-processors

EWARP uses the following third-party sub-processors to deliver the platform:

Provider	Role	Location	Privacy Policy
Supabase	Database and authentication hosting	London, EU West	supabase.com/privacy
Vercel	Application hosting and global delivery	US / Global Edge	vercel.com/legal/privacy-policy

Both providers are bound by data processing agreements and are contractually required to process data only as instructed.

Legal disclosure

EWARP may disclose personal information to South African authorities (including SAPS, the Information Regulator, or a court of law) where required by law. We will, where legally permitted, notify affected parties of such disclosure.

Business transfers

In the event of a merger, acquisition, or sale of EWARP or its assets, personal information may be transferred to the acquiring entity. We will notify managers by email prior to any such transfer and will ensure equivalent privacy protections.

What we never do

❌We do not sell personal information
❌We do not rent or trade personal information
❌We do not share personal information with third parties for marketing or advertising purposes
❌We do not use complaint content for training AI models or any form of profiling

Data storage and security

All data is stored on Supabase infrastructure hosted in London (EU West).

We protect your data with:

TLS encryption in transit
Encryption at rest
Row-level security (RLS) — managers can only access complaints submitted to their own company

Your rights

Rights under POPIA (South Africa)

Right	Description
Access	Request a copy of the personal information EWARP holds about you
Correction	Ask us to correct inaccurate or incomplete personal information
Deletion	Request that we delete your personal information
Objection	Object to the processing of your personal information
Complaints	Lodge a complaint with the South African Information Regulator at inforeg.org.za

Rights under GDPR (EEA & United Kingdom)

Right	Description
Access	Request a copy of personal data we hold about you (Article 15)
Rectification	Request correction of inaccurate data (Article 16)
Erasure	Request deletion of your data — right to be forgotten (Article 17)
Restriction	Request that we restrict processing of your data (Article 18)
Portability	Receive your data in a structured, machine-readable format (Article 20)
Objection	Object to processing based on legitimate interests (Article 21)
Supervisory authority	Lodge a complaint with your national data protection authority

Note on employee anonymity

Because EWARP does not collect identifying information from employees, we are unable to retrieve, correct, or delete complaint data on behalf of a specific individual — because we genuinely cannot link a complaint to a person. This is a feature, not a limitation. If you submitted a complaint and wish to withdraw it, use your tracking token to follow up with your company's management directly.

To exercise any rights, contact us at privacy@ewarp.org. We respond within 30 days.

Data retention

Data type	Retention period
Complaint data (content, category, department, attachments)	Retained while the company’s EWARP account is active; deleted within 30 days of account closure
Tracking tokens	Tied to complaint lifecycle; deleted with complaint data
Manager account data	Retained while account is active; deleted within 30 days of account deletion request
Authentication session data	Expires at logout or session timeout (default 8 hours)
Server/access logs	Automatically rotated per Vercel and Supabase policies (typically 30–90 days)

When a company account is closed, EWARP will delete all associated complaint data, manager accounts, department configuration, and related records within 30 days.

International data transfers

Data stored in the EEA

EWARP's primary data store — Supabase — is hosted in London (EU West), which is within the European Economic Area. For GDPR and POPIA purposes, this is considered an adequate destination for personal data originating from South Africa or the EEA.

Vercel (United States)

Vercel operates a global edge network and may process request-level metadata (including IP addresses from server logs) on infrastructure located in the United States. Vercel is covered by a Data Processing Addendum and relies on Standard Contractual Clauses (SCCs) for transatlantic data transfers in accordance with GDPR requirements.

South African data subjects — POPIA Section 72

For South African data subjects, EWARP ensures that any cross-border transfers of personal information comply with Section 72 of POPIA, which requires that the receiving party is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection.

Cookies & tracking

What cookies we use

Cookie	Purpose	Duration	Who sets it
Supabase Auth session (JWT)	Keeps managers logged in	Session / configurable	Supabase Auth

That is the complete list of cookies used on EWARP.

What we do not use

❌No analytics cookies (no Google Analytics, Mixpanel, or similar)
❌No advertising or retargeting cookies
❌No third-party tracking pixels
❌No social media tracking (no Facebook Pixel, etc.)
❌No cookies on the anonymous employee submission flow

Because EWARP does not use non-essential cookies, no cookie consent banner is required for the anonymous employee submission flow. The single session cookie used for manager authentication is strictly necessary for the platform to function.

Children's privacy

EWARP is designed for use in workplace environments. Users of the platform must be of legal working age under South African law (generally 15 years or older for non-hazardous work; 18 years for certain categories).

We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has submitted information through EWARP, please contact us at privacy@ewarp.org and we will investigate and take appropriate action.

Third-party processors

Provider	Role	Privacy Policy
Supabase	Database and authentication hosting (London, EU West)	supabase.com/privacy
Vercel	Application hosting and deployment	vercel.com/legal/privacy-policy

Data Processing Addendum

Companies that use EWARP to process employee complaint data are acting as data controllers in respect of their employees' complaint submissions. In that context, EWARP acts as a data processor — processing the data only as instructed by the company and in accordance with this policy and our DPA.

Our Data Processing Addendum sets out:

The subject matter and duration of processing
The nature and purpose of processing
The type of personal data processed
The categories of data subjects
EWARP’s obligations as a processor (security, sub-processors, breach notification, deletion)

To request a copy of the EWARP DPA, contact privacy@ewarp.org.

Changes to this policy

Managers will be notified by email. Employees (who are anonymous) will be notified via a notice on the platform at the point of complaint submission. We will always display the effective date at the top of this page.

Contact & complaints

Privacy contact

Questions, concerns, or requests related to this policy:

privacy@ewarp.org

We aim to respond to general queries within 5 business days and formal rights requests within 30 days.

South African Information Regulator

If you are not satisfied with how EWARP has handled your privacy concern, you have the right to lodge a complaint with the South African Information Regulator:

Website: inforeg.org.za
Email: inforeg@justice.gov.za
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

EEA / UK supervisory authorities

If you are located in the EEA or UK, you may lodge a complaint with your national data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu .