Privacy Policy
Last updated: 14 April 2026
v1.0-2026-04-141. Introduction
SkySpot SA ("we", "us", "our") is operated by David Graeme Middleton. This policy explains how we collect, use, and protect your personal information in compliance with South Africa's Protection of Personal Information Act (POPIA).
By creating an account or using the app, you consent to the collection and processing of your personal information as described in this policy.
2. Information We Collect
Account Information
- •Email address
- •Display name and username
- •Province
- •Pilot type (RC, FPV, drone, etc.)
Profile Information
- •Bio
- •Social media links (optional)
- •Avatar photo (optional)
Phone Number (Optional Verification)
- •Your full phone number is stored securely by Firebase Authentication for the sole purpose of verification.
- •Only the last 4 digits are stored in our application database, and only the last 4 digits are visible to other users as part of trust display.
- •We never store, display, or share your full phone number outside of Firebase Authentication.
Location Data
- •Collected only when you actively use map features
- •Requires explicit device permission
- •Can be revoked at any time via device settings
Usage Data
- •Check-ins, spot submissions, hearts, vouches, XP activity
- •Comments and reports
Device Information
- •Only collected if voluntarily submitted via bug reports
- •No passive analytics or tracking
3. How We Use Your Information
We use your information to:
- •Provide and improve the app
- •Display your public profile
- •Process vouches and trust systems
- •Send notifications you opt into
- •Moderate content and enforce rules
- •Generate anonymised usage insights
4. Lawful Basis for Processing
We process personal information under:
- •Consent — optional features such as location, phone verification, and notifications
- •Performance of a contract — providing core app functionality
- •Legitimate interest — moderation, abuse prevention, and safety features such as airspace and NOTAM display
- •Legal obligation — compliance with South African law
5. Data Storage & Security
- •Data stored in Firebase Firestore (africa-south1 — Johannesburg)
- •Authentication handled by Firebase Authentication
- •Images stored in Firebase Storage with user-scoped paths
- •All data encrypted in transit via HTTPS/TLS
- •All write operations validated server-side via Firestore Security Rules and Cloud Functions
- •Admin access controlled via Firebase custom claims
6. Cross-Border Data Transfers
While our primary database is hosted in South Africa, some Firebase services involve infrastructure outside the country:
- •Cloud Functions — currently run in the europe-west1 (Belgium) region.
- •Firebase Cloud Messaging (push notifications) — routes through Google's global infrastructure.
- •Firebase Authentication — may process data in multiple Google Cloud regions.
- •Google Maps tiles — served from Google's global content delivery network.
These transfers are protected by Google's POPIA-aligned data processing terms. By using SkySpot SA you consent to these cross-border transfers as required to deliver the service.
7. Your Rights Under POPIA
You have the right to:
- •Access your personal information
- •Correct inaccurate or incomplete data
- •Request deletion of your data (available in-app under Profile → Delete Account)
- •Object to processing on legitimate-interest grounds
- •Withdraw consent for optional features at any time
To exercise these rights, contact us at support@skyspot.co.za.
Right to Lodge a Complaint
You also have the right to lodge a complaint with the Information Regulator of South Africa:
8. Data Sharing
- •We do not sell personal information
- •Public profile information is visible to other users
- •Vouches and trust ratings are visible
- •Data may be shared with authorities if legally required
- •No sharing with advertisers
9. Data Retention
| Data category | Retention |
|---|---|
| Account data | While account is active |
| Deleted accounts | Removed within 30 days of deletion request |
| Submitted content | Retained (anonymised if account deleted) |
| Vouches | Removed on account deletion (see Section 10) |
| Bug reports | 12 months |
| Moderation logs | Retained indefinitely (anonymised) for safety and abuse prevention |
| Anonymised data | Retained indefinitely |
Where data is retained after account deletion, it is irreversibly anonymised and cannot be linked back to the original user.
Retention of moderation data is necessary to maintain platform safety, prevent abuse, and enforce bans.
10. Vouches & Permanent Trust Records
Vouches form part of a permanent community trust record. While your account is active, a vouch you give cannot be individually retracted. This is a deliberate design choice to keep the trust system meaningful and prevent retaliatory retractions.
When you delete your account
- •All vouches you have given to other users are permanently deleted along with your account.
- •All vouches you have received from other users are permanently deleted along with your account.
- •As a result, pilots you had previously vouched for may see their trust rating adjust downward when your account is removed.
Safety exception for banned accounts: If your account was banned at the time of deletion, a limited safety record is retained in a separate moderation collection for ban enforcement and abuse prevention. This record may include the ban reason, the username your account used, the timestamp of the ban, and — where you had verified a phone number — a salted one-way hash of the last 4 digits of that number. It does not contain your email address, full phone number, profile content, or any other directly identifying personal information. This retention is necessary to prevent ban evasion and is justified under the legitimate-interest lawful basis in Section 4.
11. Third-Party Services
We use:
- •Google Firebase (Authentication, Firestore, Cloud Functions, Storage, Cloud Messaging) — infrastructure and data storage
- •Google Maps Platform — mapping and location services
- •Google Fonts — typography (Outfit and Inter)
- •Open-Meteo — weather data (no personal data shared)
- •OpenAIP — airspace data (no personal data shared)
Each provider maintains its own privacy and compliance standards.
12. Children's Privacy
SkySpot SA is intended solely for users aged 18 and over. This minimum age is set in line with POPIA's provisions on the processing of children's personal information (sections 34–35), which require consent from a competent person (such as a parent or guardian) for any processing of a child's data.
We do not knowingly collect personal information from anyone under the age of 18. If you believe a child under 18 has created an account or provided us with personal data, please contact us at support@skyspot.co.za. We will review the report and remove the account where we reasonably believe the user is under 18.
13. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify both the Information Regulator and affected users as soon as reasonably possible, in line with POPIA section 22.
Notification will include:
- •The nature of the breach
- •The categories of personal information affected
- •The steps we are taking to contain and remediate the breach
- •The steps you can take to protect yourself
14. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated in-app and posted on this page. The "Last updated" date at the top of this policy will be advanced whenever changes are made.
Continued use of the app after changes are posted constitutes acceptance of the updated policy.
15. Contact & Information Officer
This email address handles all support and privacy-related queries.