Privacy Policy

Introduction

This Privacy Policy governs the collection, use, storage, and protection of personal information by ACM Technology CC trading as ACM Track (“we,” “us,” “our”) through the ACM Destiny platform, including:

• ACM Destiny web application (www.acmdestiny.net)
• ACM Destiny mobile applications (iOS and Android)
• Client Zone portal (clientzone.acmtrack.com)
• Related telematics and fleet management services

By using ACM Destiny you agree to this Privacy Policy. If you do not agree, please discontinue use of the platform immediately and contact us to arrange deletion of any personal information we hold.

1. Legal Framework & Compliance

1.1 Protection of Personal Information Act (POPIA)

We comply with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) and its amendments. POPIA regulates how we collect, process, store, and share your personal information in South Africa.

1.2 Other Applicable South African Laws

• RICA — Regulation of Interception of Communications and Provision of Communication-Related Information Act, for telecommunications data
• ECTA — Electronic Communications and Transactions Act, for electronic transactions and online commerce
• CPA — Consumer Protection Act, for consumer rights and data subject protections
• National Road Traffic Act — for vehicle tracking, monitoring, and reporting obligations

1.3 International Compliance

• GDPR (EU): We adhere to GDPR principles for European Union users, including lawful basis for processing and data subject rights
• CalOPPA (USA): California Online Privacy Protection Act compliance for US-based users
• COPPA (USA): We do not knowingly collect personal information from children under 13

2. Lawful Basis for Processing (POPIA Condition 1)

We process your personal information only where a lawful basis exists under POPIA. The following bases apply depending on the processing activity:

2.1 Consent (POPIA Section 11)

• You provide explicit consent when creating an ACM Destiny account
• You consent when enabling location tracking, push notifications, and camera uploads
• Consent can be withdrawn at any time via account settings or by contacting our Information Officer

2.2 Contractual Necessity (POPIA Section 9(d))

• To fulfil our service agreement with you or your organisation
• To provide vehicle tracking, fleet management, and MDVR services as contracted
• To process payments and manage subscription billing

2.3 Legitimate Interest (POPIA Section 11(1)(f))

• To improve our services and troubleshoot technical issues
• To detect and prevent fraud, abuse, and security threats
• To conduct aggregate analytics and platform optimisation

2.4 Legal Obligation (POPIA Section 9(e))

• To comply with RICA telecommunications data regulations
• To respond to lawful law enforcement requests supported by valid legal process
• To maintain financial records for tax and accounting purposes

3. Information We Collect

3.1 Personal Information (POPIA Definition)

Account Information

• Full name, email address, and phone number
• Company or organisation name (for business accounts)
• Username and securely hashed password
• Billing address and payment information (processed by PayFast)

Vehicle & Asset Information

• Vehicle registration numbers and VIN numbers
• Make, model, year, and vehicle specifications
• Driver names and contact details
• Licence and permit information where provided

Location Data (GPS)

• Real-time GPS coordinates of tracked vehicles and assets
• Historical location data and complete trip routes
• Geofence and safe-zone entry and exit events
• Speed, direction, and movement patterns

Usage & Technical Data

• Login timestamps, session duration, and feature usage statistics
• Device type, operating system, and browser version
• IP addresses, device identifiers (IMEI, device ID)
• App crash reports, error logs, and performance diagnostics

Camera / MDVR Data

• Video footage from installed cameras and MDVR systems
• Event-triggered recordings (harsh braking, speeding, collisions)
• Still images captured by camera systems
• Driver behaviour analytics where DMS (Driver Monitoring System) is enabled

Communication Data

• Support tickets, help desk interactions, and email correspondence
• Chat messages submitted within the platform
• Feedback responses and survey data

3.2 Automatically Collected Information

• Session cookies — to keep you logged in and maintain session state
• Preference cookies — for saved settings (theme, language, units, dashboard layout)
• Analytics cookies — Google Analytics with anonymised IP addresses
• Push notification tokens — if you enable push notifications on mobile devices
• Authentication tokens — for secure API access and session management

3.3 Third-Party Data Sources

• Vehicle tracking hardware manufacturers (Teltonika, Howen, and other OEMs)
• Mapping providers (Google Maps, Mapbox) for map rendering and routing
• Payment processors (PayFast) for payment status and billing confirmation
• Your organisation's administrators (for managed fleet accounts)

4. How We Use Your Information

4.1 Service Delivery (Primary Purpose)

• Display real-time vehicle location on live maps
• Generate trip history, route playback, and location reports
• Send alerts for geofence violations, speeding, and harsh driving events
• Monitor vehicle status including ignition, battery, and sensor data
• Store, retrieve, and analyse video footage from MDVR and camera systems
• Track driver assignments, performance scores, and safety events
• Provide fuel consumption analytics, maintenance scheduling, and cost reporting

4.2 Service Improvement

• Analyse usage patterns to identify and prioritise feature improvements
• Identify and resolve bugs, crashes, and performance bottlenecks
• Develop new features based on usage data and customer feedback
• Optimise platform speed, reliability, and scalability

4.3 Communication

• Send service notifications (system status updates, planned maintenance)
• Respond to support requests and technical issues
• Send account updates (password resets, subscription changes, invoice delivery)
• Send optional marketing communications — you may opt out at any time

4.4 Security & Fraud Prevention

• Detect and prevent unauthorised access and account takeover attempts
• Monitor for suspicious activity, abuse, and policy violations
• Investigate and respond to security incidents
• Comply with lawful law enforcement requests supported by valid legal process

4.5 Legal & Compliance

• Maintain records for tax, accounting, and SARS compliance purposes
• Comply with RICA telecommunications data obligations
• Respond to court orders, subpoenas, and regulatory requirements
• Enforce our Terms of Use and service agreements

5. Data Sharing & Disclosure (POPIA Condition 6)

5.2 Service Providers (Data Processors)

We share data with trusted third-party service providers who process data strictly on our behalf and under binding data processing agreements. All service providers are contractually required to: process data only as instructed by us; implement appropriate security measures; not use data for their own purposes; and delete data when no longer required.

Hosting & Infrastructure

• Cloud hosting providers — servers located in South Africa where possible
• Content delivery networks (CDNs) for platform performance
• Database providers for secure data storage

Mapping & Location Services

• Google Maps — map rendering and routing (map display only, not stored by Google)
• Mapbox — alternative mapping provider
• Geocoding services — address lookup and reverse geocoding

Payment Processing

• PayFast — secure payment gateway. See PayFast Privacy Policy for their data practices
• Bank payment processors for EFT and debit order processing

Analytics & Monitoring

• Google Analytics — anonymised and aggregated data only; no personal identifiers shared
• Crash reporting services (Sentry, Firebase Crashlytics) for app stability
• Performance monitoring tools for uptime and response time tracking

5.3 Legal Requirements

• Law enforcement agencies — only with a valid warrant, court order, or subpoena
• Courts and regulatory authorities — under legal obligation
• South African Revenue Service (SARS) — for tax compliance
• Information Regulator — where required by POPIA

5.4 Business Transfers

In the event of a merger, acquisition, or sale of ACM Track assets, your personal information may be transferred to the successor entity. We will notify affected users at least 30 days before any such transfer. Privacy protections in this policy will remain in effect. You will have the right to object to the transfer or request account deletion.

5.5 Your Organisation (Managed Accounts)

If your ACM Destiny account is managed by your employer or organisation, please note that your organisation's administrators may access your tracking data, trip history, location data, and driver behaviour records. Your organisation controls data retention policies and access permissions for managed accounts. We act as a data processor on behalf of your organisation for this data.

6. Cross-Border Data Transfers (POPIA Section 72)

6.1 Data Storage Locations

• Primary servers: South Africa (preferred for all primary data storage)
• Backup servers: May be located outside South Africa for disaster recovery purposes
• Third-party services: Some providers (Google, AWS) have servers outside South Africa

6.2 Safeguards for International Transfers

When personal information is transferred outside South Africa, we ensure at least one of the following protections is in place in compliance with POPIA Section 72:

• The destination country provides substantially similar protection to POPIA (POPIA Section 72(1)(a))
• The data processor is subject to binding contractual safeguards equivalent to POPIA (POPIA Section 72(1)(b))
• You have consented to the transfer — by using our services you consent to transfers necessary for service delivery

6.3 EU Users (GDPR)

• Standard Contractual Clauses (SCCs) implemented with EU-based data processors
• GDPR-compliant data processing agreements in place with all EU processors
• Right to lodge complaints with your EU supervisory authority is preserved

7. Your Rights Under POPIA (Chapter 3)

7.1 Right of Access (POPIA Section 23)

You may request confirmation of whether we hold personal information about you, a copy of that information in a commonly used format, and details of how we use and share it.

7.2 Right to Correction (POPIA Section 24)

You may correct inaccurate or outdated personal information, update your profile and contact details, and request correction of vehicle and asset information. Most corrections can be made directly in ACM Destiny → Account Settings → Edit Profile. Alternatively, email privacy@acmtrack.co.za.

7.3 Right to Deletion (POPIA Section 16)

You may request deletion of your personal information where:

• Data is no longer necessary for the original purpose of collection
• You withdraw consent where processing is consent-based
• You object to processing and no overriding legal basis exists
• Data was processed unlawfully
• A legal obligation requires deletion

Limitations: We must retain data required by law (tax, RICA, financial records), data needed for active legal claims or disputes, and encrypted backup data (purged within 90 days of deletion request).

7.4 Right to Object (POPIA Section 11(3))

• Object to direct marketing communications — opt out at any time via unsubscribe link or account settings
• Object to processing based on legitimate interest where your interests override ours
• Object to automated decision-making where applicable

7.5 Right to Data Portability

You may request an export of your personal data in a structured, machine-readable format (CSV or JSON) and request transfer to another service provider where technically feasible. Email privacy@acmtrack.co.za with subject “Data Portability Request”.

7.6 Right to Lodge a Complaint

If you believe we have violated POPIA, contact our Information Officer first. If unresolved, lodge a complaint with the Information Regulator:

1. 1.Email our Information Officer: privacy@acmtrack.co.za
2. 2.If unresolved within 30 days, escalate to the Information Regulator (details below)

8. Data Retention (POPIA Condition 2)

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. After any retention period expires, data is securely deleted or irreversibly anonymised.

8.1 Active Account Data

8.2 After Account Deletion

8.3 Legal Retention Requirements

• Tax and financial records: 7 years (Income Tax Act and Companies Act)
• Telecommunications data: as prescribed by RICA
• Evidence for active disputes or litigation: retained for duration + 1 year after resolution

9. Security Measures (POPIA Condition 7)

9.1 Technical Safeguards

• Transit encryption: All data in transit protected by HTTPS / TLS 1.3 with certificate pinning
• Storage encryption: AES-256 encryption for all databases and backup stores
• Password storage: Bcrypt hashing — plain text passwords are never stored
• Multi-factor authentication: MFA available for all user accounts
• Role-based access control: RBAC ensures minimum necessary access for each user
• Session management: Automatic session timeouts and forced logout on inactivity
• Network security: Firewalls, intrusion detection, DDoS protection, and rate limiting
• Security testing: Regular penetration testing, vulnerability scanning, and security audits

9.2 Organisational Safeguards

• Strict confidentiality agreements for all staff and contractors with data access
• Background checks for employees handling personal information
• Regular privacy and information security training for all personnel
• Documented data breach response procedures aligned with POPIA requirements
• Least-privilege access principle — minimum necessary access enforced for all roles
• Access logs maintained and regularly audited for anomalies

9.3 Data Breach Notification

In the event of a data breach that materially affects your rights:

• We will notify affected users within 72 hours of becoming aware of the breach
• Notification will describe the nature of the breach, data categories affected, and mitigation steps taken
• We will notify the Information Regulator as required under POPIA Section 22
• We will take immediate steps to contain, remediate, and prevent recurrence of the breach

10. Cookies & Tracking Technologies

10.1 Types of Cookies We Use

10.2 Managing Cookies

• You can block or delete cookies via your browser settings at any time
• Blocking strictly necessary cookies will break login and core platform functionality
• On first visit you can choose which optional cookie categories to accept
• You can update your preferences at any time in Account Settings → Privacy

11. Location Data (GPS Tracking)

11.1 How We Collect Location Data

• GPS coordinates from tracking devices professionally installed in vehicles and assets
• Cellular tower triangulation as a fallback when GPS signal is unavailable
• Accelerometer data for speed, direction, and harsh driving event detection
• Mobile app background location (with explicit device permission — can be disabled in device settings)

11.2 How Location Data Is Used

• Display vehicle position on the live map in ACM Destiny
• Generate trip history, route playback, and mileage reporting
• Trigger geofence alerts when vehicles enter or exit defined zones
• Generate speeding, harsh braking, and harsh driving event alerts
• Shared with your organisation's fleet administrators for management purposes
• Shared with mapping providers (Google Maps, Mapbox) solely for map rendering — not stored by them
• Shared with emergency services if you activate an SOS or panic button

11.3 Location Data Retention

• Live location data: visible in real time; raw data retained for 24 hours in live buffers
• Historical location: retained per subscription plan (90 days to 12 months)
• Deleted accounts: all location data purged within 7 days of account closure

12. Children's Privacy

12.1 Age Restrictions

ACM Destiny is a professional telematics platform intended exclusively for users aged 18 and over. We do not knowingly collect, process, or store personal information from children under the age of 18. If we discover that we have inadvertently collected data from a minor, we will delete the account and all associated data immediately.

12.2 Parental Contact

If you are a parent or guardian and believe your child has created an ACM Destiny account or submitted personal information through the platform, please contact us immediately at privacy@acmtrack.co.za with the subject “Minor Account Report”. We will investigate and delete the account within 7 business days.

13. Direct Marketing (POPIA Section 69)

13.1 Marketing Communications

Where you have given consent, we may send marketing communications including:

• Product updates and new feature announcements for ACM Destiny
• Service tips, best-practice guides, and platform tutorials
• Special offers, promotions, and fleet management events
• Industry news, regulatory updates, and telematics insights

13.2 Opt-Out Rights

You can opt out of marketing at any time through any of these channels:

• Click “Unsubscribe” in any marketing email
• Email privacy@acmtrack.co.za with subject “Opt-Out Request”
• Disable marketing notifications in ACM Destiny → Account Settings → Notifications

14. Automated Decision-Making

14.1 Limited Automated Processing

ACM Destiny uses automated processing in a limited number of contexts:

• Fraud detection — flagging suspicious login attempts and anomalous account activity
• Safety alerts — automatic notifications for speeding, harsh braking, and harsh cornering events
• Maintenance reminders — triggered by mileage thresholds or engine hour counters
• Driver behaviour scoring — calculated automatically from telematics data (where enabled)

14.2 Right to Human Review

You have the right to request human review of any automated decision that significantly affects you. This includes the right to challenge the outcome, request an explanation of the logic applied, and appeal the decision. To exercise this right, contact privacy@acmtrack.co.za with subject “Human Review Request” and describe the automated decision you are challenging.

15. Third-Party Links

ACM Destiny may contain links to or integrations with third-party websites and services, including Google Maps for routing, PayFast for payment processing, and social media platforms. We are not responsible for the privacy practices, content, or security of any third-party site. Links do not imply endorsement, affiliation, or responsibility.

Always review the privacy policy of any third-party service before providing personal information to it. If you access third-party services through ACM Destiny, the relevant third party becomes the responsible party for your data under their own policy.

16. Updates to This Policy

16.1 How We Notify You

• Material changes: Email notification to all active users, prominent notice on the login screen, and at least 30 days' notice before changes take effect
• Minor changes: Updated “Last Updated” date at the top of this policy; the change history below will be updated accordingly

16.2 Continued Use

By continuing to use ACM Destiny after the effective date of any policy change, you accept the updated Privacy Policy. If you do not agree to the changes, you must discontinue use and contact us to arrange deletion of your account.

16.3 Change History

• April 2025 — Policy first published
• Future updates will be documented here with date and summary of changes

17. Contact Us

17.3 Data Subject Requests

For access, correction, deletion, or portability requests, email privacy@acmtrack.co.za using the appropriate subject line and include your full name, account email address, and a clear description of your request.

• Subject: "Data Access Request" — to receive a copy of your data
• Subject: "Data Correction Request" — to correct inaccurate information
• Subject: "Account Deletion Request" — to permanently delete your account
• Subject: "Data Portability Request" — to receive your data in a portable format
• Subject: "Human Review Request" — to challenge an automated decision

17.4 Information Regulator (Escalated Complaints)

If you are not satisfied with our response to a privacy complaint, you have the right to escalate to the South African Information Regulator: