Privacy Policy

Last updated: 1 March 2026

Bridge Performance Privacy Policy

1. Introduction and purpose

This Privacy Policy explains how Bridge Performance collects, uses, stores, shares, and protects your personal information when you use our website, web application, or services (collectively, the "Service").

We are committed to protecting your privacy and processing your personal information lawfully, in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECTA"), and all other applicable South African legislation.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we process your personal information based on consent, we will ask for your explicit consent before doing so.

2. Definitions

For the purposes of this Privacy Policy:

  • "Personal information" means information relating to an identifiable, living natural person, as defined in POPIA. This includes (but is not limited to) your name, email address, phone number, physical address, age, gender, and online identifiers.
  • "Special personal information" means personal information concerning a person's health, sex life, religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, biometric information, or criminal behaviour, as defined in section 26 of POPIA.
  • "Processing" means any operation performed on personal information, including collection, receipt, recording, organisation, storage, updating, retrieval, consultation, use, dissemination, merging, restriction, degradation, erasure, or destruction.
  • "Responsible party" means the person or entity that determines the purpose and means of processing personal information — in this case, Bridge Performance.
  • "Data subject" means the person to whom personal information relates — in this case, you.
  • "Operator" means a person or entity that processes personal information on behalf of the responsible party under a contract or mandate.

3. What personal information we collect

We collect the following categories of personal information:

3.1 Account and identity information

  • Full name
  • Email address
  • Phone number (if provided)
  • Password (stored in hashed form only — we cannot see your password)
  • Date of birth or age range

3.2 Health and training questionnaire data (Special personal information)

When you complete our questionnaire, we collect information that may include:

  • Your sport(s) and training frequency, volume, and intensity
  • Training goals (e.g., marathon preparation, general fitness, recovery)
  • Body weight and composition information
  • Dietary preferences, restrictions, and allergies
  • Current supplement use
  • Health conditions, injuries, or medical history relevant to supplement suitability
  • Medications you are currently taking
  • Pregnancy or breastfeeding status
  • Sleep patterns and recovery information

Important: Some of the information listed above — particularly information about health conditions, injuries, medications, allergies, and pregnancy/breastfeeding status — constitutes special personal information under section 26 of POPIA. We process this information only with your explicit consent (section 27(1)(a) of POPIA) and solely for the purpose of generating personalised supplement recommendations. See section 5 below for more detail.

3.3 Order and transaction information

  • Delivery address
  • Order history and product preferences
  • Payment reference and last four digits of payment card (we do not store full card details — see section 10)

3.4 Technical and usage information

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited, time spent on pages, and clickstream data
  • Cookies and similar tracking technologies (see section 12)

3.5 Communication information

  • Messages you send us via email, chat, or support channels
  • Feedback and survey responses

4. How we collect your information

We collect personal information in the following ways:

  • Directly from you: When you create an account, complete the questionnaire, place an order, contact support, or otherwise interact with the Service.
  • Automatically: Through cookies, analytics tools, and similar technologies when you use the Service (see section 12).
  • From third parties: We may receive limited information from payment processors (transaction confirmation and status) and courier partners (delivery status updates). We do not purchase personal information from data brokers or other third-party sources.

5. Why we process your information and our legal basis

We process your personal information for the purposes set out below, together with the legal basis under POPIA for each:

5.1 To provide the Service and generate recommendations

  • Purpose: Processing your questionnaire responses using our AI system to generate personalised supplement recommendations.
  • Legal basis: Your explicit consent (POPIA section 11(1)(a) and, for special personal information, section 27(1)(a)).
  • Note on AI processing: Your questionnaire data is processed by automated systems, including artificial intelligence and machine learning models. These systems interpret your responses and match them against nutritional research to produce recommendations. No human reviews your individual questionnaire responses as part of the standard recommendation process, although our team may review aggregated, de-identified data to improve the system. You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects (see section 8.8 below).

5.2 To fulfil orders and arrange delivery

  • Purpose: Processing your name, delivery address, and order details to fulfil and deliver your order.
  • Legal basis: Necessary for the performance of a contract (POPIA section 11(1)(b)).

5.3 To process payments

  • Purpose: Facilitating payment through our third-party payment service providers.
  • Legal basis: Necessary for the performance of a contract (POPIA section 11(1)(b)).

5.4 To communicate with you

  • Purpose: Sending order confirmations, dispatch notifications, delivery updates, and responding to your queries or support requests.
  • Legal basis: Necessary for the performance of a contract (POPIA section 11(1)(b)) and/or your consent.

5.5 To send marketing communications

  • Purpose: Sending newsletters, product updates, promotions, and other marketing content.
  • Legal basis: Your consent (POPIA section 11(1)(a) and section 69). You can opt out of marketing communications at any time (see section 8.5).

5.6 To improve the Service

  • Purpose: Analysing usage patterns, improving the AI recommendation system, conducting internal research, and enhancing the user experience.
  • Legal basis: Legitimate interest (POPIA section 11(1)(f)), using aggregated or de-identified data wherever possible.

5.7 To comply with legal obligations

  • Purpose: Meeting our obligations under South African tax, consumer protection, and other applicable laws.
  • Legal basis: Compliance with a legal obligation (POPIA section 11(1)(c)).

5.8 To protect our legitimate interests

  • Purpose: Fraud prevention, enforcing our Terms and Conditions, and protecting the security of the Service.
  • Legal basis: Legitimate interest (POPIA section 11(1)(f)).

6. Special personal information — additional safeguards

Because our questionnaire collects health-related information that constitutes special personal information under POPIA section 26, we apply the following additional safeguards:

  • Explicit consent: Before you submit the questionnaire, we will ask you to provide explicit, informed, voluntary, and specific consent to the processing of your health-related information for the purpose of generating personalised supplement recommendations. This consent is separate from general acceptance of these terms.
  • Purpose limitation: Your health-related information is used solely to generate recommendations and improve the recommendation system (using aggregated, de-identified data). It is not used for marketing, profiling for advertising purposes, or shared with third parties for their own purposes.
  • Minimisation: We only ask for health-related information that is directly relevant to generating supplement recommendations. We do not ask for more health information than is necessary.
  • Access controls: Access to health-related questionnaire data within our organisation is strictly limited to authorised personnel and systems that require it for the purposes described.
  • Encryption: Health-related data is encrypted both in transit (using TLS/SSL) and at rest (using AES-256 or equivalent industry-standard encryption).
  • Separation: Health-related questionnaire data is stored separately from general account and transaction data where technically feasible, to reduce the risk of unauthorised access.
  • Right to withdraw consent: You may withdraw your consent to the processing of your health-related data at any time (see section 8.4). Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal. If you withdraw consent, we may no longer be able to provide personalised recommendations.

7. How we store and protect your information

7.1 Storage location

Your personal information is stored on secure servers. Where we use cloud-based infrastructure, our service providers may store data in locations outside South Africa. In such cases, we ensure that appropriate safeguards are in place in compliance with section 72 of POPIA (see section 9 below).

7.2 Security measures

We take the security of your personal information seriously and implement appropriate technical and organisational measures in accordance with section 19 of POPIA, including:

  • Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL. Sensitive data, including health-related questionnaire responses, is encrypted at rest using AES-256 or equivalent encryption.
  • Access controls: Access to personal information is restricted on a need-to-know basis. Staff and systems are granted the minimum level of access necessary to perform their functions.
  • Authentication: User accounts are protected by secure password hashing (e.g., bcrypt). We encourage you to use a strong, unique password.
  • Infrastructure security: We use reputable hosting and cloud providers that maintain industry-standard certifications and security practices.
  • Regular monitoring: We monitor our systems for vulnerabilities and unauthorised access attempts.
  • Incident response: We have procedures in place to detect, respond to, and report data breaches in accordance with POPIA section 22 (see section 11 below).

7.3 Retention periods

We retain your personal information only for as long as is necessary to fulfil the purpose for which it was collected, or as required by law:

  • Account information: Retained for the duration of your account and for [12 months / period] after account closure, unless a longer retention is required by law (e.g., tax records).
  • Questionnaire data: Retained for the duration of your account. If you delete your account or withdraw consent for processing of health data, your questionnaire responses will be deleted or de-identified within [30 days / period].
  • Order and transaction records: Retained for a minimum of 5 years as required by South African tax legislation (Tax Administration Act 28 of 2011) and the CPA.
  • Marketing consent records: Retained for as long as you remain subscribed, plus [12 months] after unsubscribing (as proof of prior consent).
  • Technical and usage data: Retained in identifiable form for no longer than [12 months], after which it is aggregated or deleted.

When personal information is no longer needed, it is securely deleted or de-identified so that it can no longer be linked to you.

8. Your rights as a data subject

Under POPIA, you have the following rights in relation to your personal information:

8.1 Right to be informed (section 18)

You have the right to know what personal information we collect, why we collect it, and how we use it. This Privacy Policy serves as our notification to you.

8.2 Right of access (section 23)

You have the right to request access to the personal information we hold about you, including a description of the information and the third parties who have or have had access to it.

8.3 Right to correction (section 24)

You have the right to request that we correct or update any personal information that is inaccurate, incomplete, misleading, or not up to date.

8.4 Right to withdraw consent

Where we process your personal information based on consent, you have the right to withdraw that consent at any time. This includes your consent for the processing of health-related special personal information. To withdraw consent, contact us at [support email] or use the account settings in the Service. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

8.5 Right to object (section 11(3))

You have the right to object to the processing of your personal information on reasonable grounds, unless legislation provides for such processing. You also have the right to object to the processing of your personal information for direct marketing purposes (section 69).

To opt out of marketing emails, click the "unsubscribe" link in any marketing email, or contact us at [support email].

8.6 Right to deletion (section 24)

You have the right to request the deletion or destruction of your personal information where:

  • the information is no longer necessary for the purpose for which it was collected;
  • you withdraw your consent and there is no other legal ground for the processing;
  • the information has been unlawfully processed; or
  • applicable law requires deletion.

We will comply with valid deletion requests, subject to our legal obligations to retain certain records (see section 7.3).

8.7 Right to lodge a complaint

If you believe we have processed your personal information in violation of POPIA, you have the right to lodge a complaint with the Information Regulator:

  • Website: www.justice.gov.za/inforeg
  • Email: [complaints.IR@justice.gov.za or current email]
  • Phone: [012 406 4818 or current number]

We encourage you to contact us first so we can try to resolve the issue directly.

8.8 Right not to be subject to automated decision-making

You have the right not to be subject to a decision that has legal effects concerning you, or that similarly significantly affects you, that is based solely on the automated processing of your personal information. Our AI recommendation system does not make decisions that have legal effects on you — it generates suggestions that you are free to accept, modify, or disregard. If you have concerns about the automated processing of your data, please contact us at [support email].

8.9 How to exercise your rights

To exercise any of your rights, contact us at:

  • Email: [support email]
  • Subject line: "POPIA Request — [Your Name]"

We will verify your identity before processing your request and respond within a reasonable time, not exceeding 30 days. We will not charge you a fee for a POPIA request unless the request is manifestly unfounded, excessive, or repetitive.

9. Sharing and cross-border transfers

9.1 Who we share your information with

We share your personal information only with the following categories of third parties, and only to the extent necessary:

  • Payment service providers: To process your payment. They receive only the information necessary to complete the transaction. [e.g., PayFast, Yoco, Stripe — insert your provider]
  • Courier and delivery partners: To deliver your order. They receive your name, delivery address, phone number, and order reference. [e.g., The Courier Guy, Aramex — insert your provider]
  • Cloud and hosting providers: To store and process data as part of our infrastructure. [e.g., Vercel, AWS, Supabase — insert your providers]
  • AI and analytics providers: To power our recommendation engine and analyse usage data. [e.g., OpenAI, Pinecone — insert your providers]. Where AI providers process your data, we ensure they are contractually bound to protect your information and use it only for the purposes we specify.
  • Email and communications providers: To send transactional and marketing emails. [e.g., Resend, Mailchimp — insert your provider]
  • Professional advisors: Legal, accounting, and auditing professionals, where necessary and under obligations of confidentiality.
  • Regulatory or law enforcement authorities: Where required by South African law or court order.

We do not sell your personal information to any third party.

9.2 Cross-border data transfers

Some of our service providers (such as cloud hosting and AI providers) may store or process your personal information outside of South Africa. Where this occurs, we ensure compliance with section 72 of POPIA by confirming that at least one of the following conditions is met:

  • The recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection substantially similar to POPIA;
  • You have consented to the transfer;
  • The transfer is necessary for the performance of a contract between you and us; or
  • The transfer is for your benefit and it is not reasonably practicable to obtain your consent, but if it were, you would be likely to give it.

We maintain a record of our cross-border data transfers and the safeguards in place.

10. Payment information

Payments are processed by our third-party payment service provider(s). We do not receive, process, or store your full credit or debit card number, CVV, or PIN. Our payment provider handles this information directly under their own security standards (e.g., PCI-DSS compliance).

We may store the following payment-related information for support and record-keeping purposes:

  • A payment reference or transaction ID
  • The last four digits of your card number
  • Transaction date, amount, and status

11. Data breaches

In the event of a security breach that compromises your personal information, we will:

  • Take immediate steps to investigate, contain, and remediate the breach;
  • Notify the Information Regulator as soon as reasonably possible, in accordance with section 22 of POPIA;
  • Notify you as soon as reasonably possible if the breach is likely to result in a risk to your rights and freedoms, providing details of what happened, what information was affected, and what steps we are taking; and
  • Maintain a record of all data breaches, including those that are not reportable.

12. Cookies and tracking technologies

12.1 What are cookies?

Cookies are small text files that are placed on your device when you visit a website. They help us understand how you use the Service and improve your experience.

12.2 Types of cookies we use

  • Strictly necessary cookies: Required for the Service to function (e.g., session management, authentication). These cannot be disabled.
  • Analytics cookies: Help us understand how you use the Service (e.g., pages visited, time spent). These use [Google Analytics / Plausible / PostHog — insert your provider].
  • Preference cookies: Remember your settings and preferences (e.g., language, display preferences).

We do not use advertising or third-party tracking cookies.

12.3 Managing cookies

You can manage or disable cookies through your browser settings. Note that disabling strictly necessary cookies may affect the functionality of the Service. We will ask for your consent before placing non-essential cookies on your device, in accordance with POPIA and ECTA.

13. Direct marketing

We will only send you direct marketing communications (such as newsletters, promotions, or product updates) with your prior consent, in accordance with POPIA section 69 and ECTA section 45.

Every marketing communication will include a clear and easy way to unsubscribe or opt out. You can also opt out at any time by contacting us at [support email] or updating your preferences in your account settings.

If you opt out of marketing, we will continue to send you transactional communications related to your account and orders (e.g., order confirmations, dispatch notifications).

14. Children's personal information

The Service is intended for persons aged 18 years and older. We do not knowingly collect personal information from children under the age of 18 without the consent and involvement of a parent or legal guardian, in accordance with POPIA sections 34 and 35.

If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information as soon as reasonably possible.

If you believe we have inadvertently collected information from a child, please contact us immediately at [support email].

15. Third-party links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing them with any personal information.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or for other operational reasons. We will notify you of material changes by:

  • posting the updated Privacy Policy on the Service with a revised "Last updated" date;
  • sending you an email notification (for material changes that affect how we process your personal information); or
  • displaying a prominent notice on the Service.

Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acceptance of the changes.

17. Complaints and dispute resolution

If you have a concern or complaint about how we handle your personal information:

Step 1: Contact us first at [support email]. We will investigate and respond within 30 days.

Step 2: If you are not satisfied with our response, you may lodge a complaint with the Information Regulator:

  • The Information Regulator (South Africa)
  • Website: https://inforegulator.org.za
  • Email: [complaints.IR@justice.gov.za or current email]
  • Postal address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
  • Phone: [012 406 4818 or current number]

18. POPIA section 18 notification summary

In compliance with section 18 of POPIA, we confirm:

  • Responsible party: [Legal entity name]
  • Address: [Physical address]
  • Information Officer: [Name], [email address]
  • Purpose of processing: To provide AI-assisted supplement recommendations, fulfil orders, process payments, communicate with you, and improve the Service (see section 5 for full details).
  • Categories of data subjects: Users of the Bridge Performance Service, including account holders and customers.
  • Categories of personal information: Identity data, contact data, health and training questionnaire data (special personal information), transaction data, technical data, and communications data (see section 3 for full details).
  • Recipients of personal information: Payment providers, courier partners, cloud/hosting providers, AI providers, communication providers, and professional advisors (see section 9 for full details).
  • Cross-border transfers: Certain service providers may process data outside South Africa, subject to POPIA section 72 safeguards (see section 9.2).
  • Security measures: Encryption in transit and at rest, access controls, secure authentication, monitoring, and incident response procedures (see section 7.2).
  • Your rights: Access, correction, deletion, objection, withdrawal of consent, and the right to complain to the Information Regulator (see section 8).
  • Legislation authorising collection: POPIA, ECTA, CPA, Tax Administration Act 28 of 2011, and other applicable South African laws.
  • Voluntary or mandatory: Provision of personal information is voluntary. However, if you do not provide certain information, we may not be able to provide the Service or process your order. Health-related questionnaire information is voluntary — you do not have to disclose health conditions, but doing so allows us to provide more relevant recommendations.
