How we handle your data
Last updated 22 June 2026. This policy is maintained by Prevailing Ideas (Pty) Ltd, the data controller for Scorecard Keeper.
1. Who we are
Scorecard Keeper is operated by Prevailing Ideas (Pty) Ltd. For any privacy question, data-subject request, or complaint, contact us at support@accotrack.app.
2. Data we collect
- Account data: name, work email, organization, role, hashed password.
- Application data you enter: scorecards, KPIs, risks, appraisals, evidence files.
- Operational data: sign-in events, audit log entries, IP address, browser/device metadata.
- Email delivery logs: message status (sent, delivered, bounced) for transactional emails.
We do not sell personal data. We do not use your data to train AI models.
3. Why we process it (legal basis)
- Contract — to provide the service to your organization.
- Legitimate interests — security monitoring, abuse prevention, product improvement.
- Legal obligation — to comply with applicable law and lawful requests.
- Consent — where required (e.g. optional communications).
4. Where data is stored
Application data is stored in a managed PostgreSQL database with row-level security so each organization can only access its own records. Evidence files are stored in private object storage and served via short-lived signed URLs. Data is encrypted in transit (TLS) and at rest.
5. Sub-processors
We rely on the following providers to deliver the service:
- Lovable Cloud — application hosting, database, authentication, file storage.
- Lovable Email — transactional email delivery from
notify@accotrack.app.
We will update this list before engaging any new sub-processor that handles personal data.
6. Retention
We retain personal and application data for as long as your organization maintains an active account. After an organization is deleted, data is retained for 90 days and then permanently deleted from production systems. Backups containing the data age out on the same 90-day cycle. Audit-log entries required for security or legal purposes may be retained longer where the law allows.
7. Your rights
Depending on where you live, you have rights under one or more of: the EU/UK GDPR, the California CCPA/CPRA, South Africa's POPIA, and Botswana's Data Protection Act. These include the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and personal data.
- Object to or restrict certain processing.
- Receive a copy of your data in a portable format.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email support@accotrack.app. We respond within statutory time-frames (30 days for GDPR/POPIA, 45 days for CCPA).
8. Security
Access to your organization's data is enforced at the database level using row-level security. Passwords are hashed; sessions use short-lived JSON Web Tokens. Administrative access is restricted to named personnel and is logged.
9. International transfers
Your data may be processed in jurisdictions outside your home country by our sub-processors. Where required, we rely on appropriate safeguards such as standard contractual clauses.
10. Changes
We will update the date at the top of this page when this policy changes. Material changes will be communicated to organization administrators by email.
