Privacy Policy

How we collect, use, store and protect your personal data

Version1.2

Effective Date22 May 2026

Last Reviewed23 May 2026

Governing LawBotswana Data Protection Act, 2018 (Act No. 32 of 2018)

1. About This Policy

This Privacy Policy explains how The Civic Chapter (“we”, “us”, “our”) collects, uses, stores, shares and protects personal data when you use the Civic Chapter Volunteer Portal (the “Platform”), accessible at volunteer.thecivicchapter.org.

We are committed to protecting your privacy and to processing your personal data in full compliance with the Data Protection Act, 2018 of Botswana (Act No. 32 of 2018) (the “Act”). By using the Platform, and by providing your explicit consent at registration, you acknowledge this Policy.

Please read this Policy carefully. If you do not agree with any part of it, or if you do not consent to your data being processed in the manner described, you may not be able to use the Platform. You will be asked to provide explicit consent during registration and during your first login after this Policy takes effect.

2. Who Controls Your Data

The data controller responsible for personal data processed through the Platform is:

Name	The Civic Chapter
Country of registration	Botswana
Email	thecivicchapter@gmail.com
Platform URL	volunteer.thecivicchapter.org
Data Protection Officer	Kagiso David , kagiso@thecivicchapter.org

For any data protection enquiries, rights requests, or complaints, please contact us at the email address above, clearly stating “DATA PROTECTION” in the subject line. We will respond within 30 days.

3. What We Collect and Why

3.1 Volunteer Accounts

When you register as a volunteer and use the Platform, we collect:

Identity data: full name, email address, phone number.
Profile data: biography, city/location, skills, causes of interest, availability.
Account data: role, account creation and update timestamps, notification preferences.
Activity data: activities you sign up for, attendance records, hours volunteered, badges earned.
Communication data: support tickets you submit, notifications you receive.
Technical data: authentication metadata (email, encrypted password hash, session tokens), browser storage flags (session management).

3.2 Organisation Accounts

When you register an organisation, we collect:

Organisation profile data: organisation name, description/bio, category, city, website, contact email, phone number, logo.
Verification (KYC) data: certificate of registration/incorporation, representative identity document (national ID card or passport), proof of address (utility bill or bank statement). These documents are classified as sensitive personal data under the Act.
Activity data: activities created, published, and managed through the Platform.
Account data: KYC status, verification status, rejection reasons (if any), audit log entries.
Communication data: support tickets, admin correspondence.

3.3 Data We Do Not Collect

We do not collect racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life information, genetic data, or biometric data for recognition purposes beyond what is contained in submitted KYC identity documents, which are used solely for identity verification.

3.4 Automatically Collected Data

When you use the Platform, our infrastructure providers (Vercel, Supabase, and Cloudflare) automatically collect certain technical data including IP addresses, request logs, browser/device type, and usage patterns. This data is used for security, performance, and error monitoring. Vercel Analytics may collect anonymised page view and performance data. Cloudflare processes connection metadata (IP address, browser fingerprint, and behavioural signals) to provide bot and spam protection via its Turnstile service.

We do not use advertising trackers, third-party marketing pixels, or social media tracking technologies on the Platform.

4. Our Legal Bases for Processing

Under the Act (Section 16), personal data may be processed where one or more of the following criteria are met. We rely on the following bases:

Processing Activity	Legal Basis (Section 16)
Account registration and management	s16(a) Consent + s16(b) Contract performance
Matching volunteers with activities	s16(b) Contract performance
KYC/verification of organisations	s16(a) Consent (explicit, for sensitive personal data)
Participation records, hours, badges	s16(b) Contract performance + s16(a) Consent
Notifications and communications	s16(b) Contract performance + s16(a) Consent
Support tickets	s16(b) Contract performance
Platform analytics and security	s16(f) Legitimate interest (platform integrity and safety)
International transfer of data to foreign hosting	s49(5) Consent + s49(5)(a) Contract performance

5. How and With Whom We Share Data

5.1 With Other Users of the Platform

Volunteers and organisations: When a volunteer signs up for an activity, the volunteer's name and profile information may be visible to the organisation running that activity through the attendance sheet feature. Organisations do not receive your email address, phone number, or any document you have not directly submitted to them.
Public activity listings: Activity details created by organisations are publicly visible to all registered volunteers on the Service Hub. No personal data of individual volunteers is publicly displayed.
Civic Resume: A volunteer's participation history, earned badges, and hours are visible within their own account. This information is not shared externally or publicly without your action.

5.2 With Our Infrastructure Providers (Data Processors)

We use the following third-party services to operate the Platform. These services act as data processors on our behalf and are bound by data processing agreements:

Provider	Purpose	Data Location
Supabase, Inc.	Database, authentication, file storage, real-time services	Federal Republic of Germany (Amazon Web Services, eu-central-1, Frankfurt)
Vercel, Inc.	Application hosting, server-side rendering, API routing, analytics	United States of America (primary: Washington D.C., IAD1); Edge: global
Cloudflare, Inc.	Domain DNS, network security, and bot/spam protection (Cloudflare Turnstile). Turnstile processes connection metadata, including IP address, browser fingerprint, and behavioural signals, to distinguish human users from automated bots without the use of visual CAPTCHAs or persistent tracking cookies.	United States of America (Cloudflare global network; data may transit multiple countries via Cloudflare's distributed infrastructure)

Each of these providers acts as a data processor on our behalf and is subject to appropriate contractual and legal data protection obligations.

5.3 With Administrators

Authorised administrators of The Civic Chapter may access personal data, KYC documents, activity records, attendance logs, and support tickets for the purposes of platform moderation, verification, and compliance. All administrators are bound by confidentiality obligations.

5.4 Legal Disclosure

We may disclose personal data where required by Botswana law, by order of a competent court, or upon lawful request by the Information and Data Protection Commission in accordance with the Act.

5.5 Business Transfers

In the event of a merger, acquisition, or transfer of the Platform, personal data may be transferred to the successor entity. We will notify users and provide the opportunity to revoke consent prior to any such transfer.

6. International Data Transfers

The Platform is operated using cloud infrastructure located outside Botswana. Under Section 48 of the Act, the transfer of personal data from Botswana to another country is generally prohibited. However, under Section 49(5), such transfer is permitted where the data subject has given their explicit consent, or where the transfer is necessary for the performance of a contract between the data subject and the data controller.

We rely on both grounds: your explicit consent (collected at registration and first login) and the necessity of international infrastructure for the Platform to function. Without this processing, the Platform cannot operate.

Our primary database infrastructure is hosted in the Federal Republic of Germany (Frankfurt, within the European Union), which is subject to the EU General Data Protection Regulation (GDPR), one of the most stringent data protection regimes in the world. This provides a strong level of protection for your personal data. Application hosting and API processing is handled by Vercel, Inc., based in the United States. Additionally, Cloudflare, Inc. (United States) provides DNS and bot-protection services; connection metadata may transit Cloudflare's globally distributed network.

Countries Involved

Country	Provider	Data Types Transferred
Germany (EU)	Supabase, Inc. (AWS eu-central-1, Frankfurt)	All personal data: profiles, activity records, KYC documents, notifications, support tickets, authentication data, uploaded files. Storage and backups in Germany.
United States of America	Vercel, Inc.	Personal data processed during server-side rendering and API calls; request logs, analytics. Data passes through US servers but is stored in Germany.
Global (via CDN)	Vercel Edge Network	Page content may be cached and served via globally distributed edge nodes for performance. No personal data is persistently stored at edge nodes.
United States of America (global network)	Cloudflare, Inc.	DNS resolution and Turnstile bot-protection signals (IP address, browser fingerprint, behavioural metadata). No personal data is persistently stored by Cloudflare on our behalf beyond the processing required to resolve DNS queries and evaluate bot-protection challenges.

You have the right to withdraw your consent to international transfer at any time by contacting us. If you withdraw consent and it is not possible to maintain your account on infrastructure located exclusively within Botswana, we will be unable to continue providing the service and your account will be scheduled for deletion, with a 30-day notice period.

7. Cookies and Local Storage

The Platform uses the following browser storage technologies:

Technology	Purpose	Duration
Supabase authentication cookies	Maintain your logged-in session	Session or up to 7 days (if “Remember me” selected)
localStorage: `civic.rememberMe`	Remember your session preference across browser restarts	Persistent until cleared or you sign out
sessionStorage: `civic.sessionActive`	Track that your current browser session is active (cleared when tab closes)	Browser session only
Vercel Analytics	Server-side page view and Web Vitals metrics. Operates without cookies or persistent identifiers. Collects aggregated page view counts, performance data, and approximate geographic region (country/region level) derived from IP address. No personally identifiable information is stored.	Aggregated data retained 90 days by Vercel, then automatically deleted
Cloudflare Turnstile	Bot and spam protection on forms and authentication flows. Processes connection metadata (IP address, browser fingerprint, behavioural signals) to verify human interaction. Does not set persistent tracking cookies; any short-lived tokens exist only for the duration of the challenge session. Provided by Cloudflare, Inc. (United States) under Cloudflare's privacy policy.	Challenge tokens are short-lived (minutes); no persistent cookies or identifiers are stored on your device by Turnstile

We do not use advertising cookies, third-party tracking cookies, or social media cookies.

7.1 Usage Analytics

We use Vercel Analytics, provided by Vercel, Inc. (United States), to understand how visitors interact with the Platform. Vercel Analytics operates in privacy-preserving mode:

It does not use cookies or store any personally identifiable information.
It collects aggregated page view data, Web Vitals performance metrics, and general geographic region (country/region level) derived from your IP address at the time of the request.
IP addresses are not stored, only the derived geographic region is retained.
Analytics data is processed on Vercel infrastructure in the United States and is covered by the international transfer consent you provided at registration.
Aggregated analytics data is automatically deleted after 90 days.
We do not combine analytics data with your personal profile or share it with any third party.

Because Vercel Analytics does not use cookies or persistent identifiers, no separate cookie consent is required for this tool. If you wish to limit analytics collection, you may use browser privacy settings or a privacy-focused browser extension. This will not affect your access to the Platform.

8. Retention and Deletion

Data Category	Retention Period
Active user profile data	For the duration of the account, plus 2 years after account deletion
Activity participation records and attendance logs	For the duration of the account, plus 3 years after account deletion (required for civic record-keeping)
KYC documents (sensitive), identity documents, proof of address, registration certificates	Deleted within 24 hours of successful verification. If verification is declined or the submission is withdrawn, documents are deleted within 24 hours of that outcome. Documents are never retained beyond the point at which the verification decision has been made.
Support tickets	2 years from ticket creation
Admin audit logs	5 years (regulatory compliance)
Consent records	7 years from the date of consent (legal record)
Authentication logs (IP addresses, session records)	90 days
Accounts of non-consenting users	Scheduled for deletion 7 days after consent is refused or revoked

After the applicable retention period, personal data is securely deleted from active databases and storage. Backups containing personal data are subject to the same deletion schedule on a rolling basis.

You may request deletion of your account and associated personal data at any time via the Settings page or by emailing us. We will process deletion requests within 30 days.

9. Security

We implement appropriate technical and organisational security measures in accordance with Section 32 of the Act, including:

Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS 1.2+.
Encryption at rest: Database storage and file storage are encrypted at rest by Supabase (AWS-level AES-256 encryption).
Row-Level Security (RLS): Database access is controlled at the row level, users can only access their own data; organisations can only access data relating to their activities.
Authenticated API routes: All sensitive operations require a valid authenticated session. Server-side API routes verify user identity and ownership before processing any data.
Access controls: Admin access is role-gated. Only designated administrators may access the admin panel and user management functions.
File access controls: KYC documents and uploaded files are stored in access-controlled storage buckets, not publicly accessible URLs.
Password security: Passwords are never stored in plaintext. Supabase uses bcrypt hashing for password storage.
Session management: Sessions expire automatically. The “Remember me” feature extends sessions up to 7 days only when explicitly selected.

Despite our measures, no internet-based service can guarantee absolute security. In the event of a data breach, we will notify the Information and Data Protection Commission without delay (as required by Section 33 of the Act) and notify affected users as promptly as practicable.

10. Automated Decision-Making

The Platform uses automated processing for the following purposes:

Badge awards: Badges are automatically awarded based on participation thresholds (e.g., number of activities completed, hours volunteered). This does not constitute a decision that significantly affects your legal rights or produces legal effects.
Cron-based reminders: Automated notifications are sent for KYC deadline enforcement and activity reminders. These are administrative in nature.
Spot availability management: Activity spot counts are automatically maintained. If an activity is full, you are automatically placed on a waitlist.

No fully automated decisions that produce legal effects or significantly affect individuals are made without human review. KYC approval/rejection decisions are made by human administrators, not automated systems.

11. Your Rights

Under Section 30 of the Act, you have the following rights as a data subject:

Right	Description	How to Exercise
Right of Access	Obtain confirmation of whether we hold personal data about you, and receive a copy of that data	Email us, we will respond within 30 days
Right to Rectification	Have inaccurate or incomplete personal data corrected	Update your profile in Settings, or contact us
Right to Deletion	Request deletion of your personal data (subject to legal retention obligations)	Account Settings → Delete Account, or contact us
Right to Object	Object to processing of your data in certain circumstances	Contact us with specific grounds
Right to Revoke Consent	Withdraw consent at any time (s19 of the Act), this may affect your ability to use the Platform	Account Settings or contact us
Right to Complain	Submit a complaint to the Information and Data Protection Commission	Contact the Commission directly

All rights requests are free of charge and will be answered within 30 days of receipt. We may request verification of your identity before processing a request.

If you are unsatisfied with our response, you have the right to submit a complaint to the Information and Data Protection Commission of Botswana.

12. Minors

The Platform is not intended for use by persons under the age of 18 without verified parental or guardian consent. Age restrictions on specific activities are set by the organising organisations and are displayed on each activity listing. We do not knowingly collect personal data from minors without appropriate safeguards.

Please note that under the Act, data of minors is classified as sensitive personal data and is subject to enhanced protection requirements.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our platform, or our data practices. Material changes (including changes to data categories, processing purposes, or international transfer arrangements) will be communicated to you via email and/or an in-platform notification, and you will be asked to review and re-consent where required by law.

Minor, non-material changes may be published with an updated “Last Reviewed” date without individual notification. The current version of this Policy is always accessible at volunteer.thecivicchapter.org/legal/privacy-policy.

Continued use of the Platform after a material change takes effect constitutes acceptance of the revised Policy, subject to any re-consent requirements.

15. Version History

Version	Date	Summary of Changes
1.2	23 May 2026	Appointed Data Protection Officer (Kagiso David, kagiso@thecivicchapter.org). Added DPO details to §2 (Who Controls Your Data) and §14 (Contact Us).
1.1	23 May 2026	Added Cloudflare, Inc. as a data processor. Updated §3.4 (automatically collected data), §5.2 (data processors table), §6 (international transfers table), and §7 (cookies and local storage table) to disclose Cloudflare DNS and Turnstile bot-protection services.
1.0	22 May 2026	Initial publication.

14. Contact Us

For all data protection enquiries, rights requests, or complaints, please contact:

Data Protection Officer
Kagiso David
Email: kagiso@thecivicchapter.org
Subject line: “DATA PROTECTION , [your enquiry type]”
Response time: within 30 days

You may also reach us at our general inbox: thecivicchapter@gmail.com

You also have the right to lodge a complaint directly with the Information and Data Protection Commission of Botswana if you believe your rights under the Data Protection Act, 2018 have been violated.