Legal
Privacy policy
Last updated: 13 June 2026
This policy explains how the eRAMS platform handles personal information. It is written to comply with the South African Protection of Personal Information Act, 2013 (POPIA), and to be honest about what we do today rather than what we plan to do later.
1. Who we are
eRAMS is a road asset and assessment platform operated by Dlala Group. In this policy, “we”, “us” and “eRAMS” refer to Dlala Group acting as the responsible party for personal information processed through the platform.
For privacy questions, requests or complaints, contact us at accounts@erams.co.za.
2. What information we collect
We only collect information that is needed to deliver the platform. The categories below correspond to the surfaces a user actually interacts with.
2.1 Assessor mobile app
- Account credentials. Email address and password used to sign in. Authentication is handled by Supabase Auth; passwords are hashed by Supabase and are never stored or visible to us in plaintext.
- Device identifier. A randomly generated identifier created on first launch and registered with the server. We use it to associate offline assessment data with a specific device for sync, audit and support.
- Location data. GPS coordinates from the device while the app is in use, used for road-segment proximity, map centring and depot-issue capture. Location is not tracked in the background.
- Photos. Photos attached to assessments and depot-issue reports. Field photos are taken to document infrastructure condition and may incidentally include people, vehicles or number plates that were in frame.
- Assessment data. TMH 9 visual condition ratings of public road infrastructure, captured against road segments. This is infrastructure data rather than personal data, but is listed here for transparency.
- Free-text notes. Notes typed by the assessor or QA reviewer. These could contain incidental personal information if the user chooses to type it.
2.2 Web admin and QA
- Account credentials. Same Supabase Auth account used for the mobile app.
- Notification preferences. A record of which tenant-scoped notification streams a user has opted out of.
- Audit log entries. Each meaningful state transition (assessment submission, QA decision, reassignment, etc.) is recorded with the acting user, timestamp and before/after state. This supports investigations and dispute resolution.
2.3 Marketing site
- Contact form submissions. When you complete the form at /contact we collect your name, email, organisation, role, area of interest and message. The submission is delivered to our team by email so we can respond.
- Essential cookies. We use only the cookies required for the site to function, including the session cookie for authenticated areas. We do not deploy advertising cookies, analytics cookies or third-party trackers on this site today.
3. Why we collect it
- To authenticate users and authorise access to tenant-scoped data.
- To capture, sync and quality-assure road condition assessments.
- To maintain an audit trail that satisfies engineering and municipal accountability requirements.
- To respond to enquiries you submit through the contact form.
- To send transactional emails related to assessments and platform activity (for example QA notifications), subject to your preferences.
We do not sell personal information. We do not use it for advertising, behavioural profiling or third-party marketing.
4. How we store and protect it
- Encryption in transit. All client-server traffic uses HTTPS / TLS.
- Encryption at rest. Database and storage are encrypted at rest using the defaults provided by Supabase.
- Tenant isolation. Data is partitioned per tenant (organisation) and access is enforced at the database layer using Supabase Row Level Security policies.
- Least-privilege access. Only authorised staff with an operational need can access production systems, and actions on production data are logged.
Backups. Supabase takes regular automated daily backups of the database. Point-in-time recovery is not available on the current plan.
Automated retention. Audit-log records older than 365 days are automatically deleted by a nightly scheduled job. No other data is deleted automatically at this time. Personal information in assessments, accounts and attachments is retained for as long as it is needed for the purposes above, or for as long as a customer contract requires.
5. Where it lives (data residency)
The primary database, file storage and authentication services are hosted by Supabase in the EU (Ireland, eu-west-1) region. The background worker that handles imports and notifications runs on Render in Frankfurt. The marketing and admin web applications are served from Vercel’s global edge network.
Personal information is therefore processed in the EU and may be transferred outside South Africa. We rely on the contractual and technical safeguards offered by our infrastructure providers for such transfers.
6. Who else processes it
We use the following operators (third-party processors) to deliver the platform. Each is bound by their own privacy commitments.
- Supabase — managed Postgres, authentication, file storage and realtime infrastructure. Supabase privacy policy.
- Render — compute for the background worker. Render privacy policy.
- Resend — transactional email delivery for contact-form notifications and assessment-related emails. Resend is based in the United States. Resend privacy policy.
- Vercel — hosting for the marketing and admin web applications. Vercel privacy policy.
7. Photos and incidental personal data
Field photos taken during an assessment are intended to document the condition of public infrastructure. They may incidentally contain images of people, vehicles or number plates that were in frame at the time of capture.
- We do not run facial recognition, plate recognition or any other automated identification on these images.
- Photos are stored against the assessment record and access is restricted by Row Level Security to the tenant that owns the assessment.
- If a photo contains personal information that should not have been captured, contact us and we will remove or redact it.
8. Your rights under POPIA
As a data subject under POPIA you have the right to:
- Ask us to confirm whether we hold personal information about you and to receive a copy of it.
- Ask us to correct or update personal information that is inaccurate, irrelevant, out of date, incomplete, misleading or unlawfully obtained.
- Ask us to delete personal information we are no longer authorised to retain.
- Object to the processing of your personal information on reasonable grounds.
- Lodge a complaint with the Information Regulator if you believe we have not handled your personal information lawfully.
To exercise any of these rights, email accounts@erams.co.za. We will acknowledge your request promptly and act on it within 30 days as required by POPIA §23. We may need to verify your identity before acting on requests that relate to specific personal information.
Erasure requests. Where you ask us to delete your account, we action this by anonymising your account record: your name, email address and other identifying fields are removed, and authentication credentials are disabled. Assessment records, audit entries and other operational data that reference your account are retained in anonymised form to preserve the integrity of engineering records. A full hard delete is not technically possible while those records exist, and the anonymisation approach achieves the same privacy outcome.
9. Cookies
The marketing site uses only essential cookies needed for the site to function, such as the session cookie for authenticated areas of the platform. We do not deploy Google Analytics, advertising pixels, social-media trackers or any third-party analytics tools on this site today. If that changes, we will update this policy before deploying them.
10. Children’s data
eRAMS is a professional tool for municipal staff, engineering firms and their contractors. It is not directed at children and we do not knowingly collect personal information from anyone under the age of 18. If you believe a child has provided us with personal information, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The current version will always be available at this URL and the “last updated” date at the top will reflect the most recent change. Material changes will be communicated to active customers through the usual channels.
12. Contact
For any privacy question, request or complaint, contact us at accounts@erams.co.za.
You also have the right to lodge a complaint with the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Email: inforeg@justice.gov.za
Last updated: 13 June 2026.