Privacy Policy
Last reviewed: 20/06/2026
on13 ("we", "us", "the Platform") is architected to satisfy, concurrently, the South African Protection of Personal Information Act ("POPIA"), the Zimbabwean Cyber Security and Data Protection Act, and applicable regional Caribbean data protection statutes. This policy explains what we collect, why, and — critically — what we structurally cannot do with it.
1. Identity Tokenization — No Identity Recovery Path
When you submit a review, your authenticated account identifier is never written to the review datastore. Instead, a server-side process combines your identifier with a rotating cryptographic salt, held only in our deployment's secret manager, and produces a one-way SHA-256 digest rendered as a PID_HASH_ZIM_XXXXXXXXXXXX token. This transformation is mathematically irreversible: no key, no internal process, and no court order compelling us can recover the original identifier from the token, because the original identifier was never stored alongside it. Rotating the salt periodically further severs linkability between a user's past and future submissions by design, not as a policy promise but as a structural property of the system.
2. IP Addresses & Browser Fingerprints
Raw device IP addresses and browser canvas fingerprints are used strictly by memory firewall nodes to calculate submission rate limits (a hard cap of 10 submissions per hour per IP+fingerprint combination) and to detect coordinated abuse. These values are hashed together with a daily-rotating salt before being logged to the rate-limit table. They are never written to, or joinable with, the review content datastore. Once the relevant rate-limit window expires, the underlying log entries are eligible for routine purging.
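The tokenization in Section 1 and the hashed rate-limit key in Section 2, sketched as an added Python example that is not on13's own code. It assumes HMAC-SHA-256 as the way the salt and the identifier are combined, a token suffix of 12 uppercase hex characters, and hypothetical names (`pseudonymous_token`, `rate_limit_key`, `RateLimitTable`); the policy specifies none of these.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

TOKEN_PREFIX = "PID_HASH_ZIM_"   # prefix taken from Section 1
TOKEN_HEX_CHARS = 12             # assumption: the 12 X's are 12 hex characters
MAX_PER_HOUR = 10                # hard cap from Section 2
WINDOW_SECONDS = 3600


def pseudonymous_token(account_id: str, salt: bytes) -> str:
    """Keyed one-way digest of the account identifier (HMAC-SHA-256, assumed)."""
    # The salt is the only secret: it lives in the secret manager, never beside tokens.
    digest = hmac.new(salt, account_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return TOKEN_PREFIX + digest[:TOKEN_HEX_CHARS].upper()


def rate_limit_key(ip: str, fingerprint: str, daily_salt: bytes) -> str:
    """Hash IP and fingerprint together; the NUL separator keeps fields unambiguous."""
    msg = ip.encode("utf-8") + b"\x00" + fingerprint.encode("utf-8")
    return hmac.new(daily_salt, msg, hashlib.sha256).hexdigest()


class RateLimitTable:
    """Sliding one-hour window keyed only by the hashed IP+fingerprint value."""

    def __init__(self):
        self.hits = defaultdict(deque)   # hashed key -> submission timestamps

    def allow(self, key: str, now: float) -> bool:
        window = self.hits[key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()             # entry left the window: purge it
        if len(window) >= MAX_PER_HOUR:
            return False
        window.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample values, not real data.
    salt_a, salt_b = secrets.token_bytes(32), secrets.token_bytes(32)
    print(pseudonymous_token("user-1042", salt_a))   # stable while salt_a is live
    print(pseudonymous_token("user-1042", salt_b))   # differs after rotation
    table = RateLimitTable()
    key = rate_limit_key("198.51.100.7", "canvas-fp-example", salt_a)
    print([table.allow(key, t) for t in range(11)])  # eleventh call is refused
```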
3. What We Collect
- Reviewer-type classification (current employee, past employee, customer, vendor/supplier)
- Five-domain ratings and optional free-text comments
- The pseudonymous token described in Section 1 — never the raw identifier
- Hashed IP+fingerprint values for fraud/rate-limiting purposes only, as described in Section 2
4. Your Rights
Under POPIA, the Zimbabwean Cyber Security and Data Protection Act, and comparable Caribbean frameworks, you retain the right to request access to, correction of, or deletion of personal information we hold about you, and to lodge a complaint with your local data protection authority. Because review content is pseudonymized at the point of submission, requests to delete a specific review should be made with reference to the review's visible content, as we cannot reverse-match a token to an account.
5. Cross-Border Data Transfer
Where infrastructure providers process data outside the jurisdiction in which you reside, we rely on contractual safeguards and provider-level compliance certifications consistent with POPIA's cross-border transfer conditions and equivalent Caribbean and Zimbabwean requirements.
6. Contact
Questions about this policy or data subject requests can be directed through the contact channel listed in our website footer.