Privacy Policy

Last updated: 7 May 2026

Draft — review with a legal advisor before relying on this in production. Placeholders below should be replaced with your registered entity name and contact details.

1. Who we are

PunchCheck is operated by PunchCheck (“we”, “us”, “our”), a business based in South Africa. Contact: support@punchcheck.com.

This policy explains what personal information we collect when you use PunchCheck, why we collect it, how it's stored, and the rights you have over it. We collect and process data in line with the Protection of Personal Information Act, 2013 (POPIA).

2. What we collect

  • Account information — your name, email address, and password (stored hashed by Supabase Auth).
  • Organization information — the name of your business, the people you invite, and their roles.
  • Site information — addresses, client names, and contact details that you record against work sites.
  • Checklist content — the answers you provide, photos you upload, and signatures you capture as part of completing checklists.
  • Location data — when a checklist template requires it, we capture GPS coordinates from your device at the moment you submit. You can decline and save without a location stamp.
  • Usage data — cookies and authentication tokens issued by Supabase Auth, and request logs (IP address, user agent, timestamps) processed by Vercel.

3. How we use it

  • To provide and operate the service (sign-in, checklist storage, PDF generation, etc.).
  • To send transactional email such as invitations and password resets.
  • To enable share links you create for individual checklists or sites.
  • To diagnose problems and keep the service secure.

We do not sell your data, use it for advertising, or share it with third parties beyond the processors listed below.

4. Where it's stored

We use trusted third-party processors. Each one acts on our instructions and is bound by its own privacy and security obligations.

  • Supabase — primary database (PostgreSQL), file storage for photos and signatures, authentication. Hosted in the EU (Ireland).
  • Vercel — application hosting and request logging.
  • Resend — transactional email delivery.

5. How long we keep it

We keep your data for as long as your account is active. When you close your account, your profile, organizations, sites, and checklists are deleted within 30 days, except where we're legally required to retain certain records.

Share links you generate expire automatically (default 30 days, configurable when you create them) and can be revoked at any time.

6. Your rights

Under POPIA you have the right to:

  • Access the personal information we hold about you.
  • Correct it if it's inaccurate.
  • Have it deleted (subject to any legal retention obligation).
  • Object to processing or withdraw consent.
  • Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, email support@punchcheck.com.

7. Children

PunchCheck is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

8. Changes

If we make material changes to this policy, we'll update the “last updated” date and ask you to re-accept on next sign-in.

See also our Terms of Service.