EVPlug

Legal

Privacy Policy

Last updated: 7 May 2026

1. Introduction

This Privacy Policy explains how EVPlug collects, uses, shares and safeguards personal information. It is written in accordance with the Protection of Personal Information Act, 2013 ("POPIA") of the Republic of South Africa.

2. Who we are

The responsible party for your personal information is EVPlug.

3. Personal information we collect

We try to collect as little as we can. Depending on how you use the Services, we may process:

  • Driver account holders (EVPlug app): name, email address, mobile phone number, securely hashed password, RFID/scan-card identifier (if issued), wallet balance, charging session history, vehicle make and model and connector type (if you choose to add it), location data when you use the in-app charger map (with your permission), and payment instrument tokens (we never store full card numbers — see "Security" below).
  • Operator tracker users: name, email address, securely hashed password, role flags, and records of your activity in the admin area.
  • Launch-update subscribers: email address, optional interest flag (e.g. "property partner"), and the source page you subscribed from.
  • Location suggestions: province, city and location name, optional notes, optional email address, and the IP address and user-agent string of your request.
  • Visitors: server log entries (IP address, URL path, referrer, browser user-agent, timestamp) and basic analytics required to operate the site and detect abuse.
  • Charging session data (your own sessions): station ID, start and end timestamps, kWh delivered, ZAR billed, payment status, and any fault codes returned by the charger.
  • Roaming session data: when you charge at a partner network station via the EVPlug app, or when a partner network driver charges at an EVPlug station, the OCPI Charge Detail Record (CDR) is exchanged between the operators. We share or receive session details (kWh, time, station ID, anonymised driver token), but we never share your full name, email, or full payment data with roaming partners.
  • Cookies and similar technologies: see our Cookie Policy.

We do not store full credit card numbers, CVV codes, or other sensitive payment data. Payment instruments are tokenised by our payment provider, and we receive only the token, the last four digits and the card brand.

We do not knowingly collect special personal information (race, religion, health) or the personal information of children under 18 without appropriate consent.

4. How we use it

  • To provide, operate and secure the EVPlug app, website, and charging stations.
  • To authenticate you and manage your account and wallet.
  • To process charging sessions and bill them correctly.
  • To process wallet top-ups, payments, and refunds via our payment providers.
  • To exchange Charge Detail Records (CDRs) with roaming partner networks for cross-network charging.
  • To communicate essential service messages (password resets, session receipts, refund notifications, charger fault alerts on your active sessions, account verification, security notices).
  • To improve and prioritise our network (e.g., deciding where to put the next charging station based on usage patterns and location suggestions).
  • To debug, detect abuse and protect our systems and users.
  • To comply with our legal obligations (tax, AML, regulatory).

We don't sell your personal information, and we don't share it with third parties for their own marketing.

5. Legal basis

We process personal information on one or more of these lawful bases under POPIA: consent (e.g., when you subscribe to updates), performance of a contract (e.g., provisioning your account, processing your charging sessions and payments), compliance with law (e.g., tax record retention), protection of our legitimate interests (e.g., security, fraud prevention), and — in the case of publicly-available charging station operator data — the public-domain source.

6. Who we share with

We share personal information with a small number of operators that help us run the Services. Each is bound by a written agreement and may only process personal information on our instructions:

  • Our infrastructure provider — application hosting, database storage, object storage, DNS, map tile service and authenticated map access.
  • Our transactional email provider — sending operational messages such as password resets and invitations.
  • Our deployment tooling provider — infrastructure tooling used to run the application.
  • Our payment providers — processing wallet top-ups. They receive your name, email and the payment amount. You provide your card details directly to them through their secure payment forms; we never see or store your full card details.
  • OCPI roaming partners — when you charge at a partner network via EVPlug, or when a partner network's driver charges at an EVPlug station, we exchange Charge Detail Records (CDRs) including kWh, time, station ID and an anonymised driver token. We do not share your full name, email, or payment details with roaming partners.

We may also disclose personal information when required by law, court order or legitimate regulatory request.

7. Cross-border transfers

Our primary application region is in South Africa. Some of the third-party services we rely on — including certain infrastructure components and payment providers — operate globally and may process data outside South Africa. Where personal information is transferred across borders, we rely on POPIA section 72 protections, including binding contractual safeguards with the receiving party.

8. Retention

We keep personal information only as long as reasonably needed:

  • Driver account data: retained while your account is active. If you close your account, basic data is retained for 5 years to meet tax and accounting obligations under the Tax Administration Act and the Companies Act.
  • Charging session records: retained for 5 years for tax and accounting compliance.
  • Payment records: retained as required by tax and AML legislation, typically 5 years.
  • Server logs: kept for a short operational window (typically 90 days).
  • Location suggestions: kept for as long as they remain useful to planning decisions.

After applicable retention periods, data is deleted or fully de-identified.

9. Your rights under POPIA

You have the right to:

  • Confirm whether we hold personal information about you and request a copy.
  • Request correction or deletion of information that is inaccurate, out of date, misleading or unlawfully obtained, subject to retention obligations under tax and AML legislation.
  • Object to processing, including for direct marketing.
  • Withdraw consent where we process on the basis of consent.
  • Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za).

To exercise these rights, email our Information Officer at the address below. We'll respond within a reasonable time, usually within 30 days.

10. Security

We apply reasonable technical and organisational measures to protect personal information, including encryption in transit (TLS), password hashing, role-based access to the admin area, two-factor authentication support, regular patching, and infrastructure-level isolation. Payment data is tokenised by our payment provider — your full card number never reaches our servers. No system is perfectly secure; if we ever become aware of a security compromise affecting personal information, we will notify the Information Regulator and affected data subjects as required by POPIA.

11. Children

The Services are aimed at adults. The minimum age to register an EVPlug account is 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided us personal information, please contact us so we can remove it.

12. Cookies

We use a small number of cookies to run the site and keep you signed in. Details are in our Cookie Policy.

13. Changes to this policy

We may update this policy from time to time. When we do, we'll update the "Last updated" date above. If changes are material, we'll highlight them on the site and notify account holders by email.

14. Information Officer and contact

Attention: Information Officer
Email: privacy@evplug.co.za