Privacy Policy
Last updated: 16 June 2026
This policy explains how OKR Tracker collects, uses, and protects personal information, in line with the Protection of Personal Information Act, 2013 ("POPIA"). OKR Tracker is designed to collect as little as it needs to work.
Who is responsible for your information
The responsible party is OKR Tracker. For any privacy question or to exercise your rights, contact us at support@yapele.com.
When your team uploads personal information about its members, your team (or its organisation) is the responsible party for that information and we act as its operator — we process it on the team's behalf and on its instructions.
What we collect
- Account information — your email address and display name, and a securely hashed form of your password (never the password itself).
- Security information — if you enable them, your two-factor (TOTP) secret (encrypted at rest) and passkey public keys, and timestamps used to keep your session valid.
- Your Content — the teams, objectives, key results, links, comments, and the history of changes you create.
- Billing identifiers — if your team subscribes, identifiers that link it to its subscription. We do not receive or store card details.
- Limited technical data — request metadata (such as IP address) used transiently for rate limiting and security; we do not run analytics or advertising trackers.
Why we use it, and our lawful basis
We process this information to create and secure your account, provide the Service, process subscriptions, send transactional messages, and protect the Service against abuse. Under POPIA our processing is justified by the performance of our contract with you, your consent (which you may withdraw), our legitimate interests in running and securing the Service, and compliance with the law. We do not use your information for automated decision-making that has legal effects on you, and we do not sell it.
Who we share it with (our operators)
We share personal information only with service providers that help us run the Service, under contracts that require them to protect it and use it only for us:
- Cloud hosting — our database and app run on managed cloud infrastructure located in the European Union (Netherlands).
- Creem — our payment processor and merchant of record. Card details are entered with Creem and never reach us; we store only identifiers linking your team to its subscription.
- Resend — if the operator has enabled email, transactional messages (verification, password reset, invites, reminders) are delivered through Resend. We keep a count of messages sent for quota monitoring, not their contents.
- Google — only if you choose "Continue with Google", to verify your identity for sign-in.
We do not share your information for third-party advertising.
Cross-border transfer
Our cloud infrastructure is located in the European Union (Netherlands), so your personal information is stored and processed there. As permitted by section 72 of POPIA, this transfer is to a jurisdiction with data-protection law (the EU General Data Protection Regulation) that provides protection substantially similar to POPIA, and we rely on contractual safeguards with our operators. Creem, Resend, and Google may also process limited information in other countries under their own equivalent safeguards.
How we protect it
We take reasonable technical and organisational measures appropriate to the risk, as required by POPIA: passwords are hashed, two-factor secrets are encrypted at rest, sign-in supports phishing-resistant passkeys, traffic is encrypted in transit (HTTPS), and we apply rate limiting, strict security headers, and access controls. No system is perfectly secure, but we work to keep your information safe and will notify you and the Information Regulator of a compromise where the law requires.
How long we keep it
We keep your information for as long as your account or team is active and as needed to provide the Service. When you delete a team, its contents are removed; when your account is deleted, we remove or de-identify your personal information, except where we must retain limited records to comply with the law (for example, billing records).
Cookies
We use a small number of strictly necessary cookies to keep you signed in and to carry out two-factor and passkey sign-in. There are no analytics, advertising, or cross-site tracking cookies — so there is nothing to consent to, and no cookie banner to click through.
Your rights
Under POPIA you have the right to:
- ask what personal information we hold about you and request access to it;
- ask us to correct or delete information that is inaccurate, irrelevant, or no longer needed;
- object to processing in certain circumstances, and withdraw consent where we rely on it;
- request a copy of Your Content (export); and
- complain to the Information Regulator.
You can edit your account details in the app, and deleting a team removes its contents. For access, export, or account deletion, email support@yapele.com.
Complaints — the Information Regulator
If you are unhappy with how we handle your information, you may complain to the Information Regulator (South Africa): Information Regulator, JD House, 27 Stiemens Street, Braamfontein, Johannesburg — enquiries@inforegulator.org.za / POPIAComplaints@inforegulator.org.za. We would appreciate the chance to address your concern first.
Children
The Service is intended for use in a workplace or organisational setting and is not directed at children. We do not knowingly collect the personal information of children.
Changes
We may update this policy as the Service evolves. We will post the updated version here and, for material changes, give notice in the app or by email.