Privacy Policy

Pearly Citizen App Privacy Policy Effective Date: 1st May 2026 Version: 2.0 Policy Name: Pearly Citizen App Privacy Policy Responsible Organizations / Joint Controllers: Prime Minister’s Office and TouchStar Robotics and AI 1. Introduction Pearly is a citizen engagement platform that allows residents, citizens, and visitors in Barbados to submit and track reports about public service issues, including road issues, burst mains, traffic obstructions, public infrastructure concerns, public safety concerns, and other service-related matters. This Privacy Policy explains how Pearly collects, uses, stores, shares, protects, and retains personal information submitted through the Pearly Citizen App, including the web and mobile versions of the app. It also explains the rights available to users under the Barbados Data Protection Act, 2019. This is a citizen-facing privacy notice. It must be read together with Pearly’s Terms of Use, Acceptable Use Policy and any service-specific notices shown in the app. 2. Definitions Personal Data Data relating to an individual who can be identified from that data, or from that data together with other information likely to come into the possession of the data controller. Sensitive Personal Data Personal data consisting of information on racial or ethnic origin, political opinions, religious or similar beliefs, political body membership, trade union membership, genetic data, biometric data, financial record or position, criminal record, or related proceedings. Health-related information is treated as sensitive. Data Controller The person who alone, jointly, or in common with others determines the purposes for which, and the manner in which, personal data is processed. Data Processor A person, other than an employee of the data controller, who processes personal data on behalf of the data controller. Processing Any operation performed on personal data, including collecting, storing, using, disclosing, routing, analyzing, correcting, restricting, deleting, or destroying it. Consent Any freely given, specific, informed, and unambiguous indication of a person’s wishes by which that person agrees to processing of personal data relating to them. 3. Privacy Policy Requirements 3.1 Scope 3.1.1 Application of This Privacy Policy This Privacy Policy applies to: Users of the Pearly Citizen App and related Pearly web and mobile services. Personal information submitted, uploaded, generated, or received through the app. Account creation, authentication, report submission, report tracking, notifications, and support interactions. Optional features such as browser or device location, alert preferences, and personalization where enabled 3.1.2 Matters Covered by This Privacy Policy This Privacy Policy covers: What information Pearly collects Why Pearly uses that information The lawful basis for processing How Pearly shares information Cross-border transfers Security safeguards Retention and deletion User rights How to contact Pearly about privacy matters 3.2 Department and Service Provider Involvement 3.2.1 Department Involvement Pearly may share relevant report information with government departments, emergency responders, or authorized service providers where necessary to receive, route, review, investigate, or resolve a report. 3.2.2 Service Provider Involvement Pearly may also use service providers for hosting, storage, authentication, messaging, notifications, mapping, security, analytics, and approved AI-assisted processing. 3.3 Information Pearly Collects 3.3.1 Categories of Information Collected Pearly may collect the following categories of information: Account and authentication data, such as email address, phone number, one-time passcode records, login timestamps, verification status, session data, and policy acceptance records Profile data, such as name, contact details, address, profile photo, and optional profile fields Report data, such as report title, description, category, parish, status, replies, timestamps, department assignment, and report history Location data, such as manually entered location, parish, map pin, latitude, longitude, and location accuracy Media uploads, such as photos, videos, PDFs, and other supported files Emergency report data, such as emergency category, description, contact details, location, evidence, and urgency information Device and technical data, such as IP address, browser type, device type, operating system, app version, and security or diagnostic logs Notification data, such as email, SMS, push notification tokens, topic subscriptions, and delivery records AI-assisted processing data, such as report text, classification outputs, routing suggestions, summaries, and follow-up prompts where enabled Optional preference data, such as alert subscriptions, transit preferences, or personalization settings where enabled 3.3.2 Unnecessary Sensitive Personal Information Pearly does not ask users to submit unnecessary, sensitive personal information. Users must avoid including unnecessary personal information about themselves or other persons unless it is genuinely needed to explain or evidence a report. 3.4 How Pearly Uses Information 3.4.1 Approved Uses of Personal Information Pearly uses personal information only for approved service, operational, legal, and security purposes, including: Authentication and secure access Report submission, review, categorization, routing, tracking, and resolution Communication with users, including updates and follow-up questions Location-based routing and emergency handling Platform security, abuse prevention, fraud detection, and malicious upload handling Audit logging and accountability Legal, regulatory, and retention obligations Service improvement Approved AI-assisted support functions where enabled 3.4.2 No Sale or Third-Party Marketing Use Pearly does not sell citizen personal information and does not use citizen contact details for third-party marketing. 3.5 Lawful Basis for Processing 3.5.1 Lawful Basis Requirement Pearly processes personal information only where there is a lawful basis to do so. Pearly does not rely on consent for every use of personal information. 3.5.2 Lawful Bases Relied Upon Depending on the feature or service involved, Pearly may rely on: Providing the Pearly service, such as creating an account, sending one-time passcodes, receiving reports, and showing report status Performance of public service or official reporting functions, such as routing reports to the appropriate public department or responder Compliance with legal or regulatory obligations, such as record retention, audit, investigation, or legal hold Protection of vital interests, such as handling emergency or urgent safety-related reports Legitimate operational interests, such as securing the platform, preventing misuse, diagnosing issues, and improving service reliability Consent for optional features, such as browser geolocation, optional notifications, or other features where consent is required 3.6 Location Data and Uploaded Media 3.6.1 Location Data Pearly may collect manually entered location data or, where a user chooses to enable it, device or browser location data. Location information is used only for report handling, routing, emergency response, auditability, and service improvement. It is not used for unrelated tracking or third-party marketing. 3.6.2 Uploaded Media Users may upload photos, videos, PDFs, or other supported files to explain a report. Uploaded files may contain personal information about the user or other persons and so users must avoid uploading unnecessary images of uninvolved persons, children, medical or identity documents, private interiors, or unlawful content. 3.6.3 File Review and Restriction Pearly may scan, restrict, remove, or refuse files that appear unsafe, unlawful, abusive, malicious, or unnecessary for report handling. 3.7 Sharing and International Transfers 3.7.1 Sharing of Personal Information Pearly may share personal information only where necessary for the purposes described in this Privacy Policy. 3.7.2 Categories of Recipients This may include sharing with: Government departments and public agencies Emergency responders Hosting and cloud providers Email and SMS providers Push notification providers Mapping services Approved AI and automation providers Security and monitoring providers Legal, regulatory, or audit bodies where disclosure is required by law or authorized process 3.7.3 International Transfers Some service providers used by Pearly may process or store personal information outside Barbados. Where personal information is transferred or processed outside Barbados, Pearly will take reasonable steps to ensure that appropriate contractual, legal, and security safeguards are in place in accordance with applicable law. 3.8 Security Safeguards 3.8.1 Use of Safeguards Pearly uses technical, organizational, and administrative safeguards to protect personal information. 3.8.2 Types of Safeguards These safeguards may include: Encryption in transit Encryption at rest in approved production systems Role-based access control Audit logging Secure storage controls Rate limiting and abuse controls Controlled export processes Vendor security requirements 3.8.3 User Responsibility for Personal Security No system can guarantee complete security. Users must protect their devices, email accounts, phone numbers, and one-time passcodes. 3.9 Data Retention and Deletion 3.9.1 Retention Principles Pearly keeps personal information only for as long as necessary for service delivery, security, audit, legal, regulatory, and operational purposes. 3.9.2 Suspension of Deletion Pearly may suspend deletion where records are subject to legal hold, investigation, audit, regulatory request, court order, or other lawful requirement. 3.9.3 Account Deletion Limitations Deleting or closing a Pearly account does not automatically delete all report records. Where deletion cannot be completed because retention is legally or operationally required, Pearly will explain the reason where appropriate. 3.9.4 Partial Deletion or Restriction Where possible, Pearly may apply partial deletion, deactivation, anonymization, or restriction of non-essential data. 3.10 Your Rights 3.10.1 Available Rights Subject to applicable law and valid exceptions, users may have rights including: Access Correction Restriction of processing Deletion or erasure where applicable Objection where applicable Withdrawal of consent for optional consent-based features Complaint to Pearly or the relevant data protection authority 3.10.2 Identity Verification Pearly may need to verify a user’s identity before responding to a rights request. 3.11 Changes to This Privacy Policy 3.11.1 Right to Update This Privacy Policy Pearly may update this Privacy Policy to reflect changes in law, technology, security controls, vendors, features, or operational practices. 3.11.2 Notice of Material Changes Material changes will be communicated through the app, website, or another appropriate method before or when the updated policy takes effect. 4. Contact Information For questions, privacy requests, or concerns about this Privacy Policy, contact: Pearly Team Controller: TouchStar Robotics and AI Email: Support@pearly.bb