Privacy Policy

TribeBoard is a family coordination, scheduling, communication, school integration and journey management platform operated by Data Envy (Pty) Ltd. This Privacy Policy explains how personal information is collected, used, disclosed, transferred, stored and protected when you use TribeBoard.

By registering an account or using TribeBoard, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy applies to the TribeBoard website, mobile applications (iOS and Android), subscriptions, support services, school integrations and future platform features. It applies to all users regardless of the device or platform used to access TribeBoard.

Data Envy (Pty) Ltd

Registration Number: 2020/208976/07

15 Lottering Street, Bendor Park, Polokwane, Limpopo, South Africa, 0699

Information Officer: Tafadzwa Mawere

Email: privacy@tribeboard.app

For the purposes of this Privacy Policy:

• "Account" means a registered TribeBoard user account.

"Child" means any person under the age of 18.

"Child Profile" means a profile created within TribeBoard to represent a child member of a household.

"Personal Information" means any information relating to an identified or identifiable natural person.

"Location Data" means GPS coordinates or other data indicating the geographic position of a device or user.

"Organisation" means a school, childcare centre or other institution using TribeBoard.

"Services" means all features, products and services offered under the TribeBoard brand.

"User" means any person who accesses or uses the Services.

"Processing" means any operation performed on personal information.

"Subprocessor" means a third-party service provider that processes personal information on behalf of Data Envy.

TribeBoard may collect the following categories of information:

We process personal information on the following legal bases:

• Contractual necessity — to provide and maintain the Services you have subscribed to.

Consent — for optional features such as location sharing, marketing communications and child profile creation.

Legal obligation — to comply with applicable laws including POPIA, GDPR and tax regulations.

Legitimate interests — to improve the Services, maintain security and prevent fraud, where those interests are not overridden by your rights.

Protection of vital interests — where necessary to protect the safety of a child or other person.

Information collected is used for:

• Account registration, authentication and management.

Family and household coordination features.

Journey tracking and school run management.

School and organisation integrations.

Subscription billing and account management.

Customer support and service communications.

App analytics and product improvement (anonymised where possible).

Security monitoring, fraud prevention and incident response.

Delivering push notifications relevant to your household activity.

Future AI-assisted features (subject to the disclosures in Section 12).

✦ NEW IN v4.1 — This section has been substantially expanded to comply with Apple App Store Review Guidelines §4.1, COPPA (where applicable), and POPIA Chapter 6.

When creating a Child Profile, the account holder is presented with a consent confirmation screen requiring them to affirm that they are the child's parent or legal guardian, or have been granted explicit permission by the parent or guardian to manage the child's profile. This consent record is logged with a timestamp and associated with the account.

Organisations creating Child Profiles for enrolled children must confirm, prior to setup, that they have obtained requisite parental consents under applicable law, and that TribeBoard may rely on those confirmations.

✦ NEW IN v4.1 — Apple App Store Review Guidelines §5.1.1 require that apps providing account creation also offer an in-app mechanism for account deletion.

✦ NEW IN v4.1 — This section addresses Apple's App Tracking Transparency framework requirements.

TribeBoard does not track users across third-party apps or websites owned by other companies for advertising purposes. Specifically, TribeBoard:

• Does not use the Identifier for Advertisers (IDFA).

Does not share user data with data brokers.

Does not engage in cross-company data linking for advertising or ad measurement.

Does not use device fingerprinting techniques.

Accordingly, TribeBoard does not present an ATT permission prompt, as the app does not engage in tracking as defined by Apple's guidelines. If this position changes in a future release, this section will be updated and the appropriate ATT prompt will be implemented before any tracking occurs.

First-party analytics (usage data collected within TribeBoard and processed solely by Data Envy and its authorised subprocessors) do not constitute tracking under the ATT framework.

✦ UPDATED IN v4.1 — This section has been updated to comply with Apple App Store Review Guidelines §5.1.2(i) as revised in November 2025, requiring explicit disclosure of personal data sharing with third-party AI services.

Schools and organisations that integrate with TribeBoard remain independently responsible for:

• Obtaining parental consent for the creation and management of child profiles.

Managing staff and administrator access permissions.

Maintaining the accuracy of information uploaded to TribeBoard.

Complying with applicable data protection laws, including POPIA, GDPR and any sector-specific legislation.

TribeBoard acts as a technology platform and data processor on behalf of organisations in relation to data uploaded by those organisations. A data processing agreement is available on request.

✦ UPDATED IN v4.1 — Distinguishes between precise and coarse location, and clarifies background location collection.

✦ NEW IN v4.1 — Discloses how push notification tokens are collected and used.

TribeBoard uses Apple Push Notification service (APNs) to deliver alerts relevant to your household, including school run updates, reminders, family event notifications and account activity alerts.

To enable push notifications, TribeBoard obtains a device push notification token from APNs. This token:

• Is stored on Supabase (our database provider) linked to your account.

Is used solely to route notifications to your device.

Is never used for advertising targeting.

Is never shared with advertising networks or data brokers.

You may disable push notifications at any time in your device system Settings. Disabling notifications will not affect your ability to use TribeBoard, but you will not receive real-time alerts.

TribeBoard does not use any third-party push notification SDK beyond APNs directly. Notification delivery is handled through our Supabase backend infrastructure.

✦ UPDATED IN v4.1 — All third-party services are named individually. This list is aligned with the App Privacy labels declared in App Store Connect.

Data Envy uses the following third-party subprocessors and SDKs, each bound by appropriate data processing terms:

• Supabase, Inc.

Purpose: Database hosting, authentication, storage and real-time functionality. Data processed: all user account, family, location and household data. Hosting region: AWS us-east-1. Supabase acts as a data processor under a Data Processing Agreement.

Stripe, Inc.

Purpose: Payment processing for web-based subscriptions. Data processed: billing name, email address, subscription status. No payment card data is stored by TribeBoard. Stripe is PCI-DSS compliant.

Apple, Inc. — App Store & APNs

Purpose: In-app purchase billing and push notification delivery. Data processed: subscription receipts, device push notification tokens. Governed by Apple's own privacy policy and developer agreements.

Resend (transactional email)

Purpose: Transactional email delivery (sign-up confirmation, password reset, account alerts). Data processed: email address and message content. No marketing emails are sent without separate consent.

Expo (React Native runtime — build only)

Purpose: Cross-platform mobile application framework used during development and build compilation. No user data is transmitted to Expo servers at runtime in the production app.

TribeBoard does not include advertising SDKs, third-party analytics SDKs that transmit data externally, or social media SDKs. If this changes, this section and the App Store Connect nutrition labels will be updated prior to release.

✦ NEW IN v4.1 — Addresses Apple's PrivacyInfo.xcprivacy requirement introduced for iOS apps in 2024.

Apple requires iOS apps using certain APIs to declare the reason for that use in a PrivacyInfo.xcprivacy manifest file included in the app bundle. TribeBoard's iOS application includes a privacy manifest declaring:

• Location API — used for journey tracking and school run features as described in Section 14.

UserDefaults API — used for storing user preferences and session state locally on the device.

File Timestamp API — used as required by standard iOS framework operations.

All third-party SDKs integrated into TribeBoard (including the Supabase iOS SDK and Stripe iOS SDK) are required to provide their own privacy manifests. TribeBoard verifies SDK privacy manifest compliance before each App Store submission.

TribeBoard implements the following safeguards to protect personal information:

• Encryption in transit — all data transmitted between the app and our servers uses TLS 1.2 or higher.

Encryption at rest — database-level encryption for stored personal information via Supabase.

Access controls — role-based access controls limiting employee access to personal data.

Authentication — secure password hashing; multi-factor authentication available for accounts.

Monitoring — infrastructure monitoring and alerting for anomalous activity.

Backups — regular automated backups with access-controlled restoration procedures.

Incident response — a documented data breach response procedure as described in Section 28.

No security measure can guarantee absolute protection. Users are encouraged to use strong, unique passwords and to report suspected security issues to privacy@tribeboard.app.

Personal information may be processed outside your country of residence. TribeBoard's primary database infrastructure is hosted on AWS in the us-east-1 region (Northern Virginia, USA) via Supabase. Stripe processes billing data in the United States.

Where personal information is transferred outside South Africa, Data Envy will ensure that appropriate safeguards are in place, including contractual protections consistent with POPIA's transfer conditions. Where personal information of EU/EEA residents is transferred outside the EEA, transfers are conducted under Standard Contractual Clauses or equivalent mechanisms as required by GDPR.

TribeBoard retains personal information as follows:

• Account records — retained for the duration the account is active. Following deletion, queued for permanent removal within 30 days, subject to the exceptions below.
• Billing records — retained for up to 7 years as required by South African tax law.

Security and audit logs — retained for up to 24 months.

Backup data — backup snapshots retained for up to 90 days.

Child profile data — deleted immediately upon account deletion or upon receipt of a verified parental deletion request, subject only to legal retention requirements.

Subject to applicable law, you may have rights in relation to your personal information. See Sections 22 and 23 for GDPR and POPIA specific rights respectively. To exercise any right, contact privacy@tribeboard.app.

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:

• Right of access — to request a copy of personal information we hold about you.

Right to rectification — to request correction of inaccurate or incomplete information.

Right to erasure — to request deletion of your personal information.

Right to restriction — to request that we limit processing in certain circumstances.

Right to data portability — to receive your personal information in a structured, machine-readable format.

Right to object — to object to processing based on legitimate interests or for direct marketing.

Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

South African users have the following rights under the Protection of Personal Information Act 4 of 2013 (POPIA):

• Right of access — to request confirmation of whether we hold your personal information and to obtain a copy.

Right to correction or deletion — to request that we correct or delete inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or unlawfully obtained information.

Right to object — to object to processing of your personal information on reasonable grounds.

Right to complain — to lodge a complaint with the Information Regulator of South Africa (inforeg.org.za).

To submit a POPIA request, contact privacy@tribeboard.app or write to our Information Officer at the address in Section 3.

Requests to exercise your data subject rights may be submitted by:

• Email to privacy@tribeboard.app from your registered email address.

Using the in-app Settings > Privacy > Data Requests feature (where available).

We may require identity verification before processing requests that disclose personal information. We will acknowledge receipt within 5 business days and respond substantively within 30 days. Where a request is complex, we may extend this period by a further 30 days with notice.

✦ NEW IN v4.1 — Addresses Apple's 2026 subscription transparency requirements.

TribeBoard's website and web-based services may use the following types of cookies and similar tracking technologies:

• Essential cookies — required for authentication and core website functionality.

Functional cookies — used to remember your preferences and settings.

Analytics cookies — used to understand how users interact with the website (anonymised where possible).

Security cookies — used to detect and prevent fraudulent activity.

The TribeBoard mobile application does not use browser cookies. Device-local storage may be used for session state and user preferences on the device.

TribeBoard does not guarantee or warrant the following:

• The accuracy, completeness or timeliness of GPS location data.

The accuracy of school attendance records or school-provided information.

The reliability or availability of AI-generated recommendations.

Uninterrupted or error-free service availability.

To the maximum extent permitted by applicable law, Data Envy's liability in connection with the Services is limited as set out in the TribeBoard Terms of Service.

In the event of a personal information breach, TribeBoard will:

• Promptly investigate and contain the breach upon discovery.

Notify affected users and relevant regulators (including the Information Regulator under POPIA and relevant GDPR supervisory authorities) within the timeframes required by applicable law.

Provide affected users with sufficient information to understand the nature of the breach and steps they can take to protect themselves.

The TribeBoard application is distributed through the Apple App Store and the Google Play Store. Apple Inc. and Google LLC are not parties to this Privacy Policy and are not responsible for:

• Maintenance or support of the TribeBoard application.

Any warranty claims relating to the application.

Any privacy or data protection claims relating to the collection and use of personal information by TribeBoard.

Any legal claims relating to the application.

By downloading TribeBoard from the App Store, you acknowledge that Apple's standard end user licence agreement applies. Apple has no obligation to provide maintenance or support services with respect to TribeBoard.

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of South Africa, including POPIA. Where mandatory rights under other applicable laws (such as GDPR for EU/EEA residents) apply to you, those rights are not diminished by this clause.

For any privacy-related enquiries, requests or complaints:

• Data Envy (Pty) Ltd

Information Officer: Tafadzwa Mawere

15 Lottering Street, Bendor Park, Polokwane, Limpopo, South Africa, 0699

Privacy enquiries: privacy@tribeboard.app

Legal matters: legal@tribeboard.app

Support: support@tribeboard.app

TribeBoard Privacy Policy v4.1 | © 2026 Data Envy (Pty) Ltd. All rights reserved.