Built to protect your people's data.

POPIA compliant. OHS Act aligned. Anonymity hardcoded. Every design decision starts with privacy.

POPIA CompliantOHS Act AlignedAnonymity by Design

POPIA Compliant by Design

Alignn is built for compliance with the Protection of Personal Information Act (POPIA). We collect only what is necessary to deliver the service, and every data processing decision is transparent and documented.

Every user has the right to access, correct, or delete their personal information. Company admins can exercise these rights on behalf of their employees through the Data Rights section in the admin panel.

Data retention: Assessment results are retained for the life of the account. Pulse responses are anonymised after 24 months. Safety reports are retained for minimum 3 years as required by the OHS Act.

OHS Act Aligned Reporting

Alignn's safety reporting module is designed to support compliance with the Occupational Health and Safety Act 85 of 1993. When a safety report is filed, Alignn automatically suggests the relevant OHS Act section for context and records the report with a tamper-proof audit trail.

Safety reports are retained for a minimum of 3 years with deletion prevention enforced at the database level. Company admins can export a date-ranged CSV at any time for Section 80 compliance.

Alignn is a reporting and awareness tool only. We do not replace a formal OHS management system, a registered Safety Officer, or the legal obligation to report serious incidents to the Department of Employment and Labour.

Anonymity Architecture

Alignn applies a two-threshold anonymity rule across all reporting. This ensures individual employees are never identifiable through the insights their managers receive.

General insights — how a personality colour type typically behaves as a group — are shared freely regardless of group size. This is population-level behavioural knowledge, not individual identification.

Specific patterns — a score drop concentrated in one colour group, or a behaviour attributed to one type — are only referenced when 4 or more employees of that type exist in the team. Below that threshold, Alignn uses neutral language. The insight is never suppressed — only the colour attribution.

Pulse survey responses are always anonymous. Safety reports are anonymous by default. The reporter's identity is stored server-side only for notification purposes and is never exposed to managers through any API endpoint.

Data Hosting

Alignn currently hosts all data in West EU (Ireland) via Supabase. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Database access is controlled via Row Level Security (RLS) policies that enforce strict company-level isolation.

We are planning migration to South African hosting infrastructure before onboarding our first paying customer. This will ensure data sovereignty for all SA-based clients.

Every database query is scoped to the requesting user's company via JWT claims. There is no API endpoint that returns data across company boundaries. Service role access is restricted to server-side operations only.