Privacy Policy
Last updated: March 2026
1. Who We Are
Team Motivator is operated by NEXPILLAR (Pty) Ltd (Reg. 2026/238837/07).
- Director: Terence van Rooyen
- Information Officer (POPIA): Terence van Rooyen (terence.vanrooyen@nexpillar.co.za)
- Email: support@nexpillar.co.za
- Website: https://team-motivator.nexpillar.co.za
For the purposes of the Protection of Personal Information Act 4 of 2013 (POPIA), NEXPILLAR (Pty) Ltd is the responsible party — that is, the entity that determines the purpose and means of processing your personal information.
2. Information We Collect
We collect the following categories of personal information when you use Team Motivator:
- Account information: email address, display name, and password. Your password is stored as a one-way bcrypt hash — we cannot read or retrieve your password.
- Organization data: organization name and URL slug used to identify your workspace.
- Team data: marble entries (wins and losses), categories, notes attached to entries, and milestone configurations.
- Technical data: session identifiers, IP address (used for security and rate limiting only), and browser user-agent string.
- Profile data: avatar images (if uploaded), role assignments, and team memberships within your organization.
- Security data: login attempt counts, account lock timestamps, last login timestamp, and audit log entries.
What we do NOT collect:
- No analytics or tracking scripts — we do not use Google Analytics, Mixpanel, or any similar service.
- No third-party advertising data.
- No location data beyond the IP address used for security purposes.
- No biometric data of any kind.
- No data sourced from social media profiles.
3. How We Use Your Information
We use your personal information only for the following purposes, each with its applicable lawful basis under POPIA Condition 3:
- Providing the service (Contract performance): operating Team Motivator, processing marble entries, and generating reports for your organization.
- Authentication and security (Legitimate interest / Legal obligation): verifying your identity, maintaining secure sessions, preventing fraud, and enforcing rate limits.
- Service communications (Contract performance): sending password reset emails, team invitations, policy change notifications, and account-related alerts.
- Service improvement (Legitimate interest): aggregated, anonymized usage patterns to improve performance and reliability. We do not track individual users for this purpose.
- Legal compliance (Legal obligation): responding to lawful requests from authorities and maintaining audit logs as required by applicable law.
We do not sell your data. We do not use your data for advertising. We do not engage in profiling or automated decision-making. We send only transactional emails — no direct marketing, in compliance with POPIA Section 69.
4. Cookies
Team Motivator uses only two cookies, both of which are strictly necessary for the service to function:
- Session cookie (__session): HttpOnly, Secure, SameSite=Lax. Required for authentication. Expires when you close your browser or after 72 hours of inactivity.
- CSRF protection cookie (csrf-token): Required to protect against cross-site request forgery attacks. Regenerated on each request.
We do not use tracking cookies, analytics cookies, or third-party cookies of any kind. Because we use only strictly necessary cookies, no cookie consent banner is required under POPIA or the GDPR.
5. Data Storage and Security
We take the security of your personal information seriously and apply multiple layers of protection:
- Hosting: Your data is stored on servers provided by Rackzar (Pty) Ltd, located in South Africa.
- Encryption in transit: All connections to Team Motivator use HTTPS/TLS.
- Encryption at rest: Sensitive personal data (email addresses and display names) is encrypted at the application level using AES-256-GCM with key rotation support.
- Password security: Passwords are hashed using bcrypt with automatic salting. We cannot retrieve or view your password under any circumstances.
- Token security: Invitation tokens and password reset tokens are hashed using HMAC-SHA256 before storage. The original tokens are never stored.
- Data isolation: Per-organization data isolation ensures your team's data is strictly separated from other organizations at the database query level.
- Session security: Sessions are managed with automatic failover between Redis and database storage for reliability, with a 72-hour absolute timeout.
- Infrastructure security: Regular security updates, rate limiting on all endpoints, CSRF protection, and input sanitization are applied across the platform.
6. Cross-Border Data Transfers
Your data is primarily stored and processed in South Africa.
When we send transactional emails (such as password resets, invitations, and notifications), email delivery is routed through SMTP servers operated by Qboxmail (via Rackzar Promail), located in Prato, Italy. Italy is a member of the European Union and subject to the General Data Protection Regulation (GDPR), which provides a substantially similar level of data protection to POPIA.
This transfer is permitted under POPIA Section 72(1)(a) (the recipient is subject to a law providing substantially similar protection) and Section 72(1)(c) (the transfer is necessary for the performance of a contract between you and us). Email content in transit is limited to the minimum necessary: recipient address, subject line, and message body. No bulk personal data is transferred.
No other cross-border transfers of personal data take place.
7. Third-Party Service Providers
We use a limited number of third-party service providers ("operators" under POPIA) to deliver the service:
- Rackzar (Pty) Ltd (South Africa): Server hosting and infrastructure. Your data is stored on Rackzar's servers located in South Africa.
- Rackzar Promail / Qboxmail (Italy, EU): Transactional email delivery only. Processes email addresses and message content for the purpose of delivering service communications to you.
We do not use:
- Analytics services (no Google Analytics, no Mixpanel, or similar).
- Advertising networks of any kind.
- Social media integrations.
- Third-party authentication providers.
- Payment processors (billing features are not yet active).
All third-party providers are contractually required to process your data only for the purposes we specify and to maintain appropriate security measures.
8. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods are:
- Session data: Automatically expires after 72 hours of inactivity.
- Rate limiting data: Automatically expires after 15 minutes.
- Password reset tokens: Expire after 1 hour.
- Invitation tokens: Expire after 7 days.
- Account data: Retained while your account is active.
- Team data (marbles, categories, milestones): Retained while your organization account is active.
- Audit logs: Retained for a minimum of 7 years for compliance purposes.
- Account deletion: When you delete your account, a 30-day grace period applies during which your organization administrator can recover the account. After 30 days, personal data is permanently anonymized. Anonymized records may be retained for aggregate statistical purposes.
9. Your Rights
Under POPIA and applicable data protection laws, you have the following rights with respect to your personal information:
- Confirmation and access (POPIA S23): Request confirmation of whether we hold your personal information and obtain a copy of that information.
- Correction (POPIA S24): Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained.
- Deletion (POPIA S24): Request deletion of your personal information. You can delete your account directly from within the application at any time.
- Objection (POPIA S11(3)): Object to the processing of your personal information on reasonable grounds.
- Data portability: Pro plan users can export their team data in CSV format directly from the application.
- Restrict processing: Request that we restrict the processing of your personal information in certain circumstances.
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
- No automated decision-making: You have the right not to be subject to automated decision-making or profiling. We do not engage in either.
- Lodge a complaint: You have the right to lodge a complaint with the Information Regulator. See Section 12 below for contact details.
To exercise any of these rights, contact us at support@nexpillar.co.za or through the in-app Help and Support page. We will respond within 30 days as required by POPIA.
10. Children's Privacy
Team Motivator is intended for use by adults in a professional or organizational context. We do not knowingly collect personal information from anyone under the age of 18. If you are under 18, please do not create an account or provide any personal information (POPIA Section 34).
If we become aware that we have collected personal information from a person under 18 without appropriate consent, we will take steps to delete that information as soon as reasonably possible. If you believe a child under 18 has provided us with personal information, please contact us at support@nexpillar.co.za.
11. Data Breach Notification
In the event of a security breach that compromises your personal information, we will, in accordance with POPIA Section 22:
- Notify the Information Regulator as soon as reasonably possible after becoming aware of the breach.
- Notify affected data subjects (you) as soon as reasonably possible after the breach is confirmed.
- Provide sufficient information about the breach to allow you to take protective measures.
- Describe the measures we have taken or intend to take to address the breach and prevent recurrence.
12. Information Regulator
If you are not satisfied with how we handle your personal information or your data protection rights, you have the right to lodge a complaint with the South African Information Regulator (POPIA Sections 73 and following):
- Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191
- Phone: 010 023 5200
- Toll Free: 0800 017 160
- General enquiries: enquiries@inforegulator.org.za
- POPIA complaints: POPIAComplaints@inforegulator.org.za
- Website: https://inforegulator.org.za
We encourage you to contact us first at support@nexpillar.co.za so that we can attempt to resolve your concern directly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified to registered users via email using the contact information associated with your account. The "Last updated" date at the top of this policy will be revised accordingly.
Continued use of Team Motivator after changes are posted constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
14. Contact
For privacy questions, data protection requests, or to exercise any of your rights under POPIA, please contact us:
- Email: support@nexpillar.co.za
- In-app: Help and Support page (available when signed in at team-motivator.nexpillar.co.za)
We aim to respond to all enquiries within 30 days.