Privacy Policy

BlueStone (Pty) Ltd (“BlueStone”, “we”, “us” or “our”) is committed to protecting your privacy and the personal information you entrust to us. This Privacy Policy explains how we collect, use, store, share and protect personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”) and other applicable data protection laws.

This Policy applies to our website (www.bluestone.africa), our cloud-based Enterprise Asset Management (EAM) platform (the “BlueStone Platform”), our mobile applications, and all related services (collectively, the “Services”).

By using our Services or providing us with your personal information, you acknowledge that you have read and understood this Policy.

BlueStone is the Responsible Party (as defined in POPIA) for the personal information described in this Policy. Our details are:

• Company name: BlueStone (Pty) Ltd
• Registered address: 3rd Floor, Boulevard Place, South Lobby, 1 Heron Crescent, Century City, Cape Town, 7441
• Telephone: +27 87 802 0441
• Email: info@bluestone.africa
• Website: www.bluestone.africa

For ease of reference, the following terms have the meanings given to them in POPIA:

• Personal Information: Information relating to an identifiable, living natural person, and where applicable, an identifiable, existing juristic person. This includes (but is not limited to) names, contact details, identity numbers, employment information, financial information and online identifiers.
• Special Personal Information: Information about religious or philosophical beliefs, race, ethnic origin, trade union membership, political persuasion, health, sex life, biometric information, or criminal behaviour.
• Processing: Any operation or activity concerning personal information, including collection, storage, use, sharing, deletion or destruction.
• Data Subject: The person to whom personal information relates.
• Responsible Party: The party (in this case, BlueStone) that determines the purpose and means of processing personal information.
• Operator: A party that processes personal information on behalf of a Responsible Party (for example, BlueStone may act as an Operator for its enterprise clients).

Depending on how you interact with us, we may collect the following categories of personal information:

4.1 Information you provide to us directly

• Contact information: Name, surname, job title, employer, email address, telephone number and physical address.
• Account information: Username, password (encrypted), role, permissions and user preferences for the BlueStone Platform.
• Communication content: Information you provide when you contact us via email, telephone, contact forms, support requests or during meetings and demonstrations.
• Procurement information: Where you transact with us as a supplier or client, we may collect billing information, banking details, tax certificates and B-BBEE certificates.

4.2 Information we collect automatically

• Device and usage data: IP address, device identifiers, browser type, operating system, referring URLs, pages viewed and timestamps.
• Mobile application data: When you use our mobile applications (for example, for QR scanning, asset verification or field inspections), we may collect device location (with your permission), photos you capture, and the time and details of actions you perform.
• Cookies and similar technologies: See section 11 below for our use of cookies.

4.3 Information we collect from third parties

• Public sources: Publicly available business information (for example, from CIPC, LinkedIn or company websites) where relevant to our business development activities.
• Client-supplied data: Our enterprise clients upload data into the BlueStone Platform that may include the personal information of their employees, contractors or third parties (see section 6).

We process personal information for the following purposes, and only where we have a lawful basis to do so under POPIA:

5.1 To provide our Services

• Creating and managing user accounts on the BlueStone Platform and mobile applications.
• Delivering the asset tracking, maintenance, verification and reporting functions of the BlueStone Platform.
• Providing implementation, training, support and SLA services.

5.2 To run our business

• Responding to enquiries, demonstrations, proposals and contract negotiations.
• Invoicing, payment processing and supplier management.
• Internal record-keeping, audit and quality assurance.

5.3 For marketing and communications

• Sending you information about our products, services, events and case studies, where you have consented or where we are permitted to do so under POPIA, the Electronic Communications and Transactions Act and the Consumer Protection Act.
• You may unsubscribe at any time via the link in our communications or by contacting info@bluestone.africa.

5.4 For compliance, security and legal reasons

• Complying with our legal and regulatory obligations (including tax, BBBEE, public procurement and labour legislation).
• Preventing, detecting and investigating fraud, security incidents and unauthorised access.
• Establishing, exercising or defending legal claims.

When an enterprise client uploads, captures or generates data within the BlueStone Platform (for example, asset registers, work orders, technician records, photographs or inspection notes), the client is the Responsible Party for any personal information contained in that data. BlueStone acts as an Operator and processes that information only on the documented instructions of the client, in terms of our Services Agreement and Data Processing Addendum.

If you are an employee, contractor or other individual whose information has been uploaded into the BlueStone Platform by one of our clients, you should refer to that client's own privacy notice for information about how they process your personal information. You may also contact us at info@bluestone.africa and we will, where appropriate, refer your request to the relevant client.

Under POPIA, we may only process personal information if at least one of the following grounds applies. We rely on the following:

• Consent: You have given us your consent to process your personal information for a specific purpose (for example, marketing communications).
• Contract: Processing is necessary to conclude or perform a contract with you or your employer (for example, to provide the BlueStone Platform).
• Legal obligation: Processing is required to comply with a law (for example, tax legislation).
• Legitimate interest: Processing is necessary for our legitimate interests, or those of a third party, provided these are not overridden by your rights (for example, to secure our systems, prevent fraud, or develop our products).
• Protection of your interests: Processing protects a legitimate interest of yours.
• Public interest: Processing is necessary for the proper performance of a public law duty by a public body.

We do not sell your personal information. We may share your information with the following categories of recipients, only where necessary and subject to appropriate safeguards:

• Service providers and Operators: Cloud hosting providers, IT support, communications platforms, payment processors, professional advisors and other vendors who process information on our behalf under written agreements that require confidentiality and POPIA-compliant safeguards.
• Authorities and regulators: Where required by law, court order or regulatory request (for example, SARS, the Information Regulator, or law enforcement).
• Professional advisors: Our auditors, lawyers, bankers and insurers, where strictly necessary.
• Business transfers: In connection with a merger, acquisition, sale of assets or due diligence process, subject to appropriate confidentiality protections.

Some of our service providers (including cloud hosting and email providers) may store or process information outside South Africa. Where we transfer personal information to another country, we will only do so where:

• The recipient is subject to a law, binding corporate rules or contractual obligations that provide an adequate level of protection substantially similar to POPIA;
• You have consented to the transfer;
• The transfer is necessary for the performance of a contract with you, or in your interest; or
• Another lawful ground under section 72 of POPIA applies.

You may contact us for further information about the safeguards we have in place for cross-border transfers.

We keep personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:

• Client and supplier records: Retained for the duration of our relationship and for a minimum of five (5) years thereafter, in line with tax and commercial record-keeping requirements.
• Platform data (where we are Operator): Retained for the period agreed with our client and deleted or returned at the end of our agreement.
• Marketing data: Retained until you withdraw your consent or object.
• Website and log data: Retained for up to twelve (12) months for security and analytics purposes.

Where information is no longer required, we will securely delete, destroy or de-identify it.

Our website uses cookies and similar technologies to operate effectively, analyse usage and improve your experience. Cookies are small text files placed on your device. We use:

• Strictly necessary cookies: Required for the website and Platform to function (these cannot be switched off).
• Performance and analytics cookies: To understand how visitors use our website (for example, Google Analytics).
• Functional cookies: To remember your preferences.

You can manage your cookie preferences through your browser settings or through our cookie consent banner. Disabling certain cookies may affect the functionality of our website.

Under POPIA, you have the following rights in relation to your personal information:

• Right to access: To request confirmation of whether we hold your personal information and to request a copy of it.
• Right to correction: To request that we correct or update inaccurate, misleading or outdated information.
• Right to deletion: To request that we delete or destroy information that is no longer required, or that we are not authorised to keep.
• Right to object: To object, on reasonable grounds, to the processing of your personal information.
• Right to withdraw consent: To withdraw any consent you have given, at any time (this does not affect the lawfulness of processing carried out before withdrawal).
• Right to object to direct marketing: To object to your information being used for direct marketing.
• Right to lodge a complaint: To submit a complaint to the Information Regulator (see section 15).

To exercise any of these rights, please contact us at info@bluestone.africa. We may ask you to verify your identity before responding. We will respond within a reasonable time and in any event within the timeframes set by POPIA. Certain requests may be subject to PAIA Form 2 (Request for Access to Information) — please see our PAIA Manual on our website.

We have implemented reasonable, appropriate technical and organisational safeguards to protect personal information against loss, damage, unauthorised access, alteration or disclosure. These include:

• Encryption of data in transit and at rest where appropriate.
• Role-based access controls and the principle of least privilege.
• Full audit logging and monitoring.
• Secure data centres operated by reputable cloud providers.
• Regular backups and disaster recovery procedures.
• Staff training and confidentiality undertakings.
• Vendor due diligence and written Operator agreements.

In the event of a security compromise that creates a reasonable belief that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in line with section 22 of POPIA.

Our Services are intended for use by businesses and their employees and are not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with their personal information, please contact us and we will take steps to delete it.

If you have any concerns about how we process your personal information, please contact us first at info@bluestone.africa so we have an opportunity to address your concern.

If you are not satisfied, you have the right to lodge a complaint with the Information Regulator of South Africa:

• Website: https://inforegulator.org.za
• Email (complaints): complaints.IR@justice.gov.za
• Email (general enquiries): inforeg@justice.gov.za
• Postal address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
• Telephone: +27 10 023 5200

We may update this Privacy Policy from time to time to reflect changes in our business, technology, legal requirements or industry practice. The latest version will always be available on our website at www.bluestone.africa. Where changes are material, we will provide additional notice (for example, via email or a website banner). The “Last updated” date at the top of this Policy indicates when it was most recently revised.

If you have any questions about this Policy, our use of your personal information, or you wish to exercise any of your rights, please contact us:

• Privacy enquiries: info@bluestone.africa
• Telephone: +27 87 802 0441
• Postal: 3rd Floor, Boulevard Place, South Lobby, 1 Heron Crescent, Century City, Cape Town, 7441