1. Who We Are

Scoutcast (PTY) LTD (“Scoutcast,” “we,” “us,” “our”) is a South African company registered under number 2026/040587/07. We operate the Scoutcast mobile application and website (collectively the “Platform”).

Scoutcast is the responsible party (under POPIA) and data controller (under GDPR) for the personal information processed through the Platform.

1.1 Information Officer

2. Information We Collect

2.1 Information You Provide

• Account information: Name, email address, phone number, password (hashed), date of birth
• Profile information: Bio, profile photo, location, profession, skills, categories, rates, availability
• Portfolio content: Photos, videos, audio files, showreels, and descriptions you upload
• Communications: Messages sent through the Platform, project chat messages, support requests
• Payment information: Subscription tier selection (payment processing is handled by Apple/Google — we do not store card numbers)
• User-generated content: Community posts, Collab listings, comments, reviews

2.2 Information Collected Automatically

• Device information: Device type, operating system, app version, unique device identifiers
• Usage data: Features accessed, screens viewed, search queries, interaction timestamps
• Location data: Approximate location (city/region level) derived from IP address for geographic features. We do not use precise GPS tracking.
• Error and performance data: Crash reports, error logs, performance metrics (via Sentry)

2.3 Information from Third Parties

• Social sign-in providers: If you sign in via Google or Apple, we receive your name and email as permitted by your settings
• App store data: Subscription status from Apple App Store or Google Play Store

3. Lawful Basis for Processing (POPIA Section 11 / GDPR Article 6)

We process your personal information only where we have a lawful basis:

Purpose	POPIA Condition	GDPR Basis
Account creation and authentication	Consent (s11(1)(a)) & Contract (s11(1)(b))	Contract (Art 6(1)(b))
Profile visibility in Scout directory	Consent (s11(1)(a))	Consent (Art 6(1)(a))
Processing subscriptions & payments	Contract (s11(1)(b))	Contract (Art 6(1)(b))
Messaging between users	Contract (s11(1)(b))	Legitimate interest (Art 6(1)(f))
Error monitoring & crash reporting	Legitimate interest (s11(1)(f))	Legitimate interest (Art 6(1)(f))
Platform security & fraud prevention	Legitimate interest (s11(1)(f))	Legitimate interest (Art 6(1)(f))
Direct marketing communications	Consent (s69) — explicit opt-in	Consent (Art 6(1)(a))
Legal compliance & tax records	Legal obligation (s11(1)(c))	Legal obligation (Art 6(1)(c))
Analytics & improving the Platform	Legitimate interest (s11(1)(f))	Legitimate interest (Art 6(1)(f))

4. Direct Marketing (POPIA Section 69)

We will only send direct marketing communications (emails, push notifications about promotions or new features) if you have given explicit, prior consent (opt-in). You may withdraw consent at any time by:

• Toggling notification preferences in your account settings
• Clicking “Unsubscribe” in any marketing email
• Emailing privacy@scoutcast.app

Transactional communications (account verification, subscription confirmations, security alerts) are not marketing and will still be sent as necessary.

5. How We Use Your Information

• Provide, maintain, and improve the Platform
• Display your profile in Scout searches based on your subscription tier and geographic settings
• Facilitate messaging, project collaboration, and community features
• Process subscription payments through Apple/Google
• Send transactional notifications (new messages, Collab applications, project updates)
• Monitor platform stability and fix errors (via Sentry)
• Enforce our Terms of Service and Community Guidelines
• Comply with legal obligations including SARS tax record requirements

6. Automated Decision-Making (GDPR Article 22 / POPIA Section 71)

Scoutcast uses the following automated processing that may affect how your profile is displayed:

• Search ranking: Profiles in Scout search results are ranked based on subscription tier, profile completeness, activity level, and geographic proximity. Higher-tier subscribers receive priority placement.
• Content moderation: Automated filters may flag content that potentially violates Community Guidelines for human review.

These automated processes do not make decisions that produce legal effects or similarly significantly affect you. You may contact us to request human review of any automated decision affecting your account.

7. Service Providers & Data Sharing

We do not sell, rent, or trade your personal information. We share data with the following categories of service providers, each bound by data processing agreements:

Provider	Purpose	Data Shared	Location
Supabase (PostgreSQL)	Database, authentication, file storage	All account & platform data	AWS ap-southeast-1 (encrypted at rest)
Sentry	Error monitoring & crash reporting	Device info, error logs, user ID	USA (EU data routing available)
Resend	Transactional email delivery	Email address, name	USA
Cloudflare	CDN, DNS, DDoS protection for website	IP addresses, request metadata	Global edge network
Apple / Google	Payment processing, app distribution	Subscription status, purchase receipts	USA
Expo (EAS)	App build & update delivery	Device tokens for push notifications	USA

We may also disclose information when required by law, court order, or to protect the safety and security of our users.

8. Cross-Border Transfers (POPIA Section 72)

Your data may be transferred to and processed in countries outside South Africa (see service providers above). We ensure adequate protection through:

• Selecting providers in jurisdictions with adequate data protection laws (per Section 72(1)(a))
• Binding contractual agreements that require equivalent protections (per Section 72(1)(b))
• Your consent to this policy, which includes acknowledgement of these transfers (per Section 72(1)(d))

For GDPR: transfers outside the EEA rely on Standard Contractual Clauses (SCCs) or adequacy decisions.

9. Data Retention

• Active account data: Retained for the duration of your account
• Deleted account data: Permanently deleted within 30 days of account deletion request, except where retention is legally required
• Messages: Deleted when both parties have deleted their accounts, or when you delete a conversation
• Error logs (Sentry): Automatically purged after 90 days
• Financial records: Retained for 5 years as required by the South African Revenue Service (SARS) under the Tax Administration Act
• Legal hold: Data relevant to disputes or legal proceedings may be retained until the matter is resolved

10. Data Security

We implement appropriate technical and organisational measures to protect your information:

• All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Row-Level Security (RLS) on all database tables — users can only access their own data
• Password hashing using bcrypt via Supabase Auth
• Rate limiting and brute-force protection on authentication endpoints
• Regular security audits and dependency updates
• No storage of payment card details (handled by Apple/Google)

11. Data Breach Notification (POPIA Section 22)

In the event of a security breach that compromises your personal information, we will:

1. Notify the Information Regulator as soon as reasonably possible after discovery
2. Notify affected data subjects (you) as soon as reasonably possible, providing:
   • A description of the possible consequences of the breach
   • A description of the measures we are taking or propose to take to address the breach
   • Recommendations for what you can do to mitigate possible adverse effects
   • The identity of the unauthorised person who may have accessed the data, if known
3. Notification will be made by email (to your registered address) and, where appropriate, via in-app notification. If direct notification is not possible, we will use public channels including our website and social media.

12. Your Rights

12.1 Under POPIA (South African Residents)

You have the right to:

• Access: Request confirmation of whether we hold your personal information and obtain a copy (Section 23)
• Correction: Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading information (Section 24)
• Deletion: Request destruction or deletion of your personal information (Section 24)
• Object: Object to the processing of your information on reasonable grounds (Section 11(3)(a))
• Object to direct marketing: Object to the use of your information for direct marketing at any time (Section 69(3))
• Complain: Lodge a complaint with the Information Regulator (see Section 14 below)

12.2 Under GDPR (EU/UK Residents)

In addition to the above, you have the right to:

• Data portability: Receive your data in a structured, commonly used, machine-readable format (Article 20)
• Restrict processing: Request that we limit how we process your data in certain circumstances (Article 18)
• Automated decisions: Not be subject to decisions based solely on automated processing, including profiling (Article 22)
• Withdraw consent: Withdraw consent at any time where processing is based on consent (Article 7(3))
• Complain: Lodge a complaint with your local supervisory authority

12.3 Under CCPA (California Residents)

California residents have the right to:

• Know: Request what personal information we have collected
• Delete: Request deletion of personal information
• Non-discrimination: Not be discriminated against for exercising your rights
• Opt-out of sale: We do not sell personal information, so no opt-out is necessary

12.4 How to Exercise Your Rights

To make any request, contact us at privacy@scoutcast.app. We will:

• Verify your identity before processing any request
• Respond within 30 days (POPIA) or 30 days (GDPR, extendable by 60 days for complex requests)
• Not charge a fee unless the request is manifestly unfounded or excessive

13. Children's Privacy

Scoutcast is intended for users aged 18 and older. We do not knowingly create accounts for, or collect personal information from, children under 18. No minor may register as a user of the Platform.

Professional content uploaded by adult account holders (such as agencies, production companies, or photographers) may depict minors in a lawful, professional context, subject to the content requirements set out in our Terms of Service (Section 4.3). In such cases, Scoutcast does not collect or process any personal data of the depicted minor — the uploading account holder is solely responsible for holding all necessary consents.

If we become aware that a child’s personal data has been collected as an account holder, we will delete it immediately. If you believe a minor has created an account or that their personal data has been processed in breach of this policy, please contact privacy@scoutcast.app.

14. Regulatory Contacts

15. Cookies & Tracking

The Scoutcast mobile app does not use cookies. Our website (scoutcast.app) uses only essential cookies required for the website to function. We do not use advertising trackers, analytics cookies, or third-party tracking pixels.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

• Material changes will be communicated via in-app notification and email
• The “Last updated” date at the top will be revised
• Continued use of the Platform after notification constitutes acceptance of the updated policy
• Previous versions will be archived and available on request

17. Contact Us

For any privacy-related questions, requests, or complaints: