Effective date: 1 May 2026 | Last updated: 28 April 2026
1. Introduction
This Privacy Policy explains how MYQR Corporate ("we", "us") collects, uses, stores, and protects personal information through the QR Boarding Engine backend service and the companion mobile application.
We are committed to complying with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all other applicable South African data-protection legislation.
2. Responsible Party
The responsible party, as defined in POPIA, is:
- TF Software
- Information Officer: paia@myqr.net.za
3. What Personal Information We Collect
| Category | Data Elements | Source |
|---|---|---|
| Identity | Full name | Admin enrolment |
| Rider events | Timestamp, validator device ID, sequence number, digital signature | Validator device at point of boarding |
4. Purpose of Processing
We process your personal information for the following purposes:
- Fare-free boarding verification — confirming that the person boarding a QR corporate bus is an authorised employee.
- Security and fraud prevention — detecting duplicate, expired, or forged QR codes through cryptographic signature verification and replay prevention.
5. Legal Basis for Processing
Processing is carried out under POPIA section 11, primarily:
- Legitimate interest (s 11(1)(f)) — to operate and secure the employee boarding benefit.
- Contractual / employment obligation (s 11(1)(b)) — the boarding benefit forms part of the employment relationship.
6. Data Sharing
Your personal information is not sold or shared with third parties unless required by law, regulation, or court order.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Rider events | 36 months from event date |
| Audit log entries | 60 months |
| Revoked cryptographic keys | Retained for verification history; private key material is destroyed on revocation |
| Staff records | Duration of employment plus 12 months |
After the applicable retention period, records are securely deleted or anonymised.
8. Security Measures
- All communications between your device, validator hardware, and the backend are encrypted in transit (TLS 1.2+).
- Private cryptographic keys are encrypted at rest using AES-128 (Fernet) and are never stored in plaintext.
- PINs are stored as salted hashes and are never retrievable in cleartext.
- Access to the administration interface is restricted to authorised personnel using scoped authentication tokens.
9. Your Rights Under POPIA
You have the right to:
- Access — request confirmation of what personal information we hold about you.
- Correction — request that inaccurate or incomplete information be updated.
- Deletion — request deletion of your personal information where retention is no longer necessary (subject to legal retention requirements).
- Objection — to object is to choose not to use the app under these conditions.
- Complaint — lodge a complaint with the Information Regulator: inforegulator.org.za
To exercise any of these rights, contact the Information Officer at paia@myqr.net.za.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the mobile application or staff notice. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
For questions about this Privacy Policy or data practices, contact:
- Information Officer — paia@myqr.net.za