Privacy Policy
This Privacy Policy explains what personal information Decimators (Pty) Ltd collects, why we collect it, how we use and protect it, and what rights you have over your information. This Policy is written in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), which commenced on 1 July 2021, and applies to all users of the Decimators platform, including parents, educators, players, and the children for whom adult accounts are created.
1. Who We Are
The responsible party for personal information processed through the Decimators platform is:
2. Information Officer
As required by Section 55 of POPIA, Decimators has designated an Information Officer who is responsible for overseeing compliance with POPIA and handling data subject requests.
All data-related requests and complaints should be directed to the Information Officer at:
We are registered with the Information Regulator of South Africa in accordance with POPIA requirements.
3. Information We Collect
We collect the minimum personal information necessary to provide the Service. The following table sets out what we collect and from whom:
| Category | Information collected | Who it applies to |
|---|---|---|
| Account identity | Email address, display name or full name (optional), chosen username | Parents, Educators, Players |
| Authentication | Password (hashed and secured by Google Firebase Authentication for main accounts); in-app access credentials for child/student accounts | All account types |
| Account profile | Account role (parent/educator/player/child/student), school name (educators), associated adult account email (children/students), account creation date | All account types |
| Subscription records | Plan type, tier, price paid, subscription start and end dates, payment reference numbers (from Yoco) | Parents, Educators, Players |
| Game activity | Game scores, progress data, selected scoreboards | All players (including children) |
| Contact enquiries | Name, email address, topic, and message content submitted via the contact form | Any website visitor |
| Usage analytics | Page views, device type, browser, general geographic region, session duration — collected in aggregate via Google Analytics | All website visitors |
We do not collect or store:
- Payment card details (these are handled entirely by Yoco);
- Photographs or images of users;
- Location data beyond general region;
- Health, biometric, or sensitive personal information as defined under POPIA Section 26.
4. How We Collect Your Information
We collect personal information in the following ways:
- Directly from you: when you register an account, make a payment, create child or student accounts, or submit a contact form;
- Via Google Sign-In: if you choose to authenticate using your Google account, we receive your Google-verified email address and display name;
- Automatically: usage data and analytics are collected automatically when you visit and interact with the Service;
- From Yoco: upon successful payment, Yoco notifies us of the transaction via a secure webhook; we receive only the transaction reference and metadata necessary to activate your account.
5. Why We Process Your Information
Under POPIA, we must have a lawful basis for processing personal information. The table below sets out our processing purposes and the corresponding legal basis:
| Purpose | Legal basis (POPIA) |
|---|---|
| Creating and managing your account | Performance of a contract (our Terms of Service) |
| Verifying payment and activating access | Performance of a contract |
| Sending renewal reminders and account notices | Legitimate interest; performance of a contract |
| Processing and storing game scores | Performance of a contract |
| Managing child and student accounts linked to your account | Performance of a contract; consent of the parent or guardian |
| Responding to contact form enquiries | Legitimate interest |
| Website analytics and improvement | Legitimate interest; consent (via cookie acceptance) |
| Complying with legal obligations | Legal obligation |
We do not use your personal information for profiling, automated decision-making with legal consequences, or direct marketing without your explicit consent.
6. Children's Personal Information
POPIA Section 35 — Special Protection for Children: South African law prohibits the processing of personal information concerning a child without the consent of a competent person (a parent or legal guardian). Decimators complies strictly with this requirement.
6.1 What "child accounts" are
A child account is an in-app profile created by an adult Parent or Educator to give a child access to the game. Child accounts are not independent accounts — they are sub-profiles linked to and managed by the adult account holder.
6.2 What information we hold about children
We hold only the minimum information necessary for a child to access and play the game:
- A chosen username (not the child's real name unless the adult chooses to use it);
- An in-app password to allow the child to sign in to their sub-profile (this is a simple access code, not linked to any external account or email);
- The parent's or educator's account email as the linking identifier;
- Game scores associated with the username.
We do not collect:
- The child's real name (unless the adult enters it as the username);
- The child's email address or any contact details;
- Location, device, or behavioural data linked to the child's identity;
- Any sensitive personal information about the child.
6.3 Parental and guardian consent
By creating a child or student account, the adult account holder:
- Confirms they are the parent, legal guardian, or authorised educator of the child;
- Gives informed consent to the processing described in this section on behalf of the child;
- Accepts full responsibility for the child's use of the Service.
6.4 No direct marketing to children
We never direct marketing communications at children. All account-related communications are sent exclusively to the email address of the adult account holder.
6.5 Removing a child's data
A Parent or Educator may request the deletion of a child account and all associated data at any time by contacting accounts@decimators.app.
7. Sharing Your Information
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
- Service providers: We share information with sub-processors (Google Firebase, Yoco, Google Analytics) strictly to operate the Service. These are listed in Section 8.
- Legal compliance: Where required by South African law, a court order, or a lawful request from a regulatory authority.
- Protection of rights: To investigate or prevent fraud, security breaches, or violations of our Terms of Service.
- Business transfer: In the event of a merger, acquisition, or sale of the business, your information may be transferred. We will notify you before that happens and ensure the acquiring party upholds POPIA compliance.
8. Third-Party Services
The following third-party services process personal information on our behalf or in connection with the Service:
8.1 Google Firebase (Google LLC)
We use Firebase for authentication (sign-in), database storage (Firestore), and hosting. Firebase processes personal information in accordance with Google's privacy policies and data processing agreements. Firebase servers may be located outside South Africa. See Section 9.
Learn more: firebase.google.com/support/privacy
8.2 Yoco Technologies (Pty) Ltd
Yoco processes payment card information on our behalf. When you make a payment, you are transacting directly with Yoco's secure payment infrastructure. Decimators does not receive or store your card number, expiry date, or CVV. Yoco is a South African company regulated by the South African Reserve Bank.
Learn more: yoco.com/za/privacy-policy
8.3 Google Analytics (Google LLC)
We use Google Analytics to understand how users interact with our website in aggregate. Google Analytics collects anonymised data including page views, session duration, device type, and general geographic region. This data is not linked to individual user accounts. You may opt out via your browser settings or a Google Analytics opt-out extension.
8.4 Google Fonts
We load fonts from Google Fonts, which may result in your IP address being transmitted to Google's servers. No personal information is stored by this service.
8.5 Google Sign-In (Google Identity Services)
If you choose to sign in using your Google account, Google processes your authentication and shares your verified email address and display name with us. Your Google account remains under Google's control and privacy policy.
9. International Data Transfers
Some of our service providers (particularly Google Firebase and Google Analytics) operate servers outside the Republic of South Africa, including in the United States and European Union.
Where personal information is transferred outside South Africa, we ensure adequate safeguards are in place as required by POPIA Section 72. Google LLC participates in the EU-U.S. Data Privacy Framework and maintains Standard Contractual Clauses that provide appropriate safeguards for cross-border data transfers.
Children's data (usernames and access credentials stored in Firebase Firestore) is subject to the same cross-border safeguards described above.
10. How Long We Keep Your Information
| Data category | Retention period |
|---|---|
| Account information (email, username, profile) | For as long as your account is active, plus 12 months after account closure |
| Child / student account data | For as long as the parent/educator account is active, or until deletion is requested |
| Subscription records | 5 years from the date of transaction (tax and accounting obligations) |
| Game scores | For the life of the account; deleted upon account closure |
| Contact form submissions | 2 years from submission date, or until the enquiry is resolved |
| Analytics data | 14 months (Google Analytics default); no individually identifiable data is retained |
When retention periods expire, data is securely deleted. You may request earlier deletion — see Section 12.
11. Security of Your Information
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse, or destruction, in accordance with POPIA Condition 7 (Security Safeguards):
- All data in transit is encrypted using TLS (HTTPS);
- Account authentication is managed by Google Firebase Authentication, which provides industry-standard security including hashed password storage for main accounts;
- Access to our database (Firebase Firestore) is restricted by server-side security rules;
- Payment processing is handled entirely by Yoco and is never processed through our own infrastructure;
- Access to production systems is restricted to authorised personnel only.
Despite these measures, no internet-based service can be 100% secure. If you believe your account has been compromised, contact us immediately at support@decimators.app.
11.1 Security breaches
In the event of a security compromise involving personal information, we will notify affected individuals and the Information Regulator as required by POPIA Section 22, within a reasonable time after becoming aware of the breach.
12. Your Rights Under POPIA
POPIA grants you the following rights regarding your personal information. To exercise any of these rights, contact our Information Officer at contact@decimators.app. We will respond within 30 days.
12.1 Right of access (Section 23)
You may request a copy of the personal information we hold about you and information about how it is processed.
12.2 Right to correction or deletion (Section 24)
You may request that we correct inaccurate information or delete information we no longer have a lawful reason to hold. Note that we may need to retain some information for legal or contractual reasons.
12.3 Right to object (Section 11(3))
You may object to the processing of your personal information where our lawful basis is legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
12.4 Right to withdraw consent
Where processing is based on your consent (e.g., analytics cookies), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
12.5 Rights on behalf of children
Parents and guardians may exercise any of the above rights on behalf of the children in their account. This includes requesting access to, correction of, or deletion of a child's data.
12.6 Complaints to the Information Regulator
If you believe your POPIA rights have been violated, you may lodge a complaint with the Information Regulator of South Africa:
13. Cookies and Tracking Technologies
13.1 What cookies we use
We use the following types of cookies and similar technologies:
- Essential cookies: Required for the Service to function. These include Firebase Authentication session cookies that keep you signed in. They cannot be disabled without preventing use of the Service.
- Analytics cookies: Google Analytics uses cookies to collect aggregate usage statistics. These cookies do not identify you personally.
- Local storage: We use browser local storage to remember your username and selected scoreboard between sessions. This data is stored on your device only.
13.2 Managing cookies
You can control or delete cookies through your browser settings. Please be aware that disabling essential cookies will prevent you from signing in to the Service. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this document;
- Notify active account holders by email at least 20 business days before the changes take effect.
We encourage you to review this Policy periodically. The current version is always available at decimators.app/privacy.html.
15. Contact Us and Complaints
For any privacy-related questions, data access requests, or complaints, please contact our Information Officer:
We will acknowledge your request within 5 business days and provide a substantive response within 30 days, as required by POPIA.