Privacy Policy
Last updated 2026-05-20. This policy explains what personal information MugShotter (Pty) Ltd ("we", "us") processes, on what lawful basis, how long we keep it, and how to exercise your rights.
1. Who we are
MugShotter (Pty) Ltd operates a cross-firm incident-lookup service for PSIRA-registered private security firms in South Africa. We are a Responsible Party under POPIA (Protection of Personal Information Act 4 of 2013) for the personal information described below. Each member firm is also a Responsible Party for the data they contribute; we are joint Responsible Parties under the Data Sharing Agreement they sign before use.
2. What we process
- Biometric data: face embeddings (numeric vectors derived from a face photograph) of individuals detained on a client site by a member firm's guard.
- Photographs: the original capture photograph and any subsequent annotations.
- Incident records: date/time, site name, charges, items recovered, SAPS case reference (if applicable), guard identifier, contributing firm.
- Account information: member firm details (name, PSIRA number, contact info), user accounts (email, name, role), guard registrations (display name, WhatsApp/Telegram identifier).
- Operational logs: every read and write event — who accessed what, when, from where (IP, user-agent). Append-only.
3. Lawful basis (POPIA s.11)
We process under s.33(1)(b) — processing in accordance with a law (Trespass Act 6 of 1959 + common-law arrest powers) — and s.27(1)(b) — necessary for the establishment, exercise or defence of a right or obligation in law. Biometric data is "special personal information" under s.26; member firms warrant lawful detention before contributing.
Capture is post-detention only. No scan-before-detention. No mass surveillance. No use as a citizen/consumer app.
4. Retention (POPIA s.14)
Default retention is 730 days from incident date. Where a SAPS case reference is on record, retention extends to 5 years. Records with no case reference and no internal incident reference are retained 30 days only (and the contributor is warned at capture time).
Retention is enforced by a nightly automated process that redacts notes, deletes face embeddings and photographs, and writes a retention-purge audit row. Flagged-person records require admin re-confirmation at each retention window.
5. Sharing model
On a face-match query, member firms see incident summaries from other firms (date, charges, contributing firm name). Internal notes, site addresses, items-recovered details, and reporter identity are not shared cross-firm without an additional written request. We never sell or share data with marketing third parties.
6. Cross-border (POPIA s.72)
Data is hosted at Hetzner Online's Falkenstein, Germany facility. Germany is recognised as providing adequate protection under the EU Commission's adequacy regime; we rely on this for the cross-border transfer. This is disclosed on every capture-point notice posted at client sites.
7. Subject rights (POPIA s.23–25)
You have the right to:
- Confirm whether we hold any of your personal information;
- Request a record of the personal information held;
- Request correction of inaccurate information;
- Request deletion or destruction;
- Object to processing under s.11(3).
Lodge a Subject Access Request at /popia/sar. We respond within 30 days. Identity verification is mandatory before release of any records.
8. Information Officer
Our designated Information Officer is MugShotter Information Officer (Frederik Koen - pending registration) <io@mugshotter.example>. They handle all subject access requests, complaints, and Information Regulator correspondence.
9. Security
Access control by role; audit log on every read + write; hash-chained audit (HMAC-SHA256) for tamper-evidence; encrypted at rest and in transit (TLS via Let's Encrypt); rate limits on login + signup; brute-force protection (fail2ban); separate database role with INSERT-only grant on audit_log; signed-URL serving for photos with 60-second tokens; nightly backups with 7-day retention.
10. Complaints
If you believe your rights under POPIA have been violated and we have not resolved the matter to your satisfaction, you may lodge a complaint with the Information Regulator at inforegulator.org.za.
11. Changes
We will publish material changes here and email registered firm owners. Continued use after publication is acceptance.