Legal

Privacy Policy

Last updated: 02 May 2026. Version 1.0.

1. Who we are

eVoting (the “Service”) is an online elections and nominations platform operated by Nei Shot Webx Solutions CC (registration number CC/2025/02042) of the Republic of Namibia (the “Operator”, “we”, “us”). When an organisation uses eVoting to run an election, that organisation is the data controller for voter information; we are the data processor acting on its instructions.

2. Scope

This policy applies to every person who interacts with eVoting, including voters, nominees, administrators, observers, and members of the public who view our public pages. It covers personal information collected through:

  • The public website at this domain
  • The administrator portal at /admin
  • Voter ballot links delivered by email or SMS
  • Nomination submission and acceptance flows
  • Helpdesk and support communications, including WhatsApp

3. Information we collect

3.1 Voter information

Provided by the organisation running the election: full name, membership number or external ID, email address, mobile phone number, preferred channel of contact, voting weight, and any custom attributes the organisation chooses to import.

3.2 Ballot information

When you submit a ballot we record the choices, contest, election, time of submission, and a randomly generated anonymous reference for the receipt. For elections configured as secret ballots, the cast vote record is stored with no link back to the voter who cast it. For elections configured as transparent ballots (such as board show-of-hands votes) the cast vote is linked to the voter; this is disclosed at vote time and is required by the organisation for governance reasons.

3.3 Authentication and access

Hashed (not plaintext) ballot tokens, ballot reference codes, recovery codes, and ballot delivery keys. For administrators we additionally store hashed passwords (bcrypt) and two-factor recovery records.

3.4 Technical telemetry

For administrator sessions and ballot link access we record IP address, user agent, time of access, and audit events (login, logout, election state changes, voter imports, exports). For secret-ballot elections, IP and user agent are redacted from the ballot record at submission time so that the technical trail cannot be used to reconstruct who voted for what.

3.5 Cookies

We use only essential cookies: a session cookie to keep you signed in, an XSRF cookie to prevent cross-site request forgery, and a small cookie_consent entry stored in your browser’s local storage to remember that you have dismissed the consent banner. We do not use tracking, advertising, or third-party analytics cookies.

3.6 What we do NOT collect

  • Identity documents, biometrics, or copies of ID cards
  • Financial information or payment details
  • Location data beyond the country derived from IP at login
  • Browsing history outside of this platform
  • Health, religious, political affiliation, or other special-category data, except where the organisation explicitly imports it as a custom voter attribute

4. How we use information

We process personal data only to:

  • Issue, deliver, and secure each voter’s individual ballot link
  • Authenticate administrators and enforce role-based access
  • Send invitations, reminders, and recovery codes by email or SMS
  • Tabulate results and produce certified reports for the organisation
  • Maintain an immutable audit trail of administrative actions
  • Detect and prevent abuse (rate limits, account lockouts, dispatch failure logs)
  • Comply with our legal obligations and respond to lawful requests

We do not use voter data for marketing or any purpose unrelated to running the election the data was collected for.

5. Ballot secrecy

Ballot secrecy is the design default for the platform. For each election the organisation selects either a secret ballot or a transparent ballot. In a secret ballot:

  • The cast vote record contains no voter_id and no voter name
  • The ballot reference is a random 20-character string with no relationship to the voter
  • IP address and user agent are cleared from the ballot record at submission
  • Database administrators cannot reconstruct who voted for what from the production data
  • Audit and result exports never include voter-to-choice mappings

In a transparent ballot, the linkage is preserved and disclosed to the voter on the ballot page before they submit.

6. Lawful basis

Where the General Data Protection Regulation (GDPR) or analogous laws apply, we rely on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)) for processing required to deliver ballots and tabulate results on behalf of the organisation that contracted with us
  • Legitimate interest (Art. 6(1)(f)) for security telemetry, fraud prevention, and platform integrity
  • Legal obligation (Art. 6(1)(c)) where we must retain audit records or respond to lawful requests
  • Consent (Art. 6(1)(a)) for any optional communication channels you opt into

Within the Republic of Namibia we treat personal information consistent with the principles in the Protection of Personal Information Act (POPIA) of South Africa, which we adopt as our regional standard until equivalent Namibian legislation is in force.

7. Sharing and recipients

We do not sell personal data. Data is shared only with:

  • The organisation running the election, for the limited purpose of running and certifying that election
  • Email and SMS providers we use to deliver ballot links and reminders. These providers act as sub-processors and may only process the recipient address and the message body
  • Hosting and database infrastructure providers that store and serve the platform
  • Law enforcement and regulators where we are legally compelled to disclose specific records

A current list of sub-processors is available on request from the contact below.

8. International transfers

Production data is hosted on servers located in the Republic of Namibia or, where capacity is unavailable, on EU servers operated under standard contractual clauses. We do not transfer voter data outside Namibia or the EU without an equivalent safeguard.

9. Retention

Each organisation sets its own retention rules through the “Cleanup Settings” panel in the admin portal. Defaults that apply when an organisation has not customised:

  • Voter list: kept until the organisation deletes the voter or the organisation account is closed
  • Cast votes for completed elections: kept indefinitely as part of the certified result, unless the organisation purges them
  • Ballot issue technical telemetry (IP, user agent) for transparent ballots: 12 months after the election certifies; for secret ballots, redacted at vote time as described in section 5
  • Notification dispatches (email/SMS records): 12 months
  • Failed login attempts and account lockouts: 30 days
  • Audit log: indefinite (immutable, append-only)

10. Security

We protect personal data with:

  • HTTPS / TLS for all traffic
  • SHA-256 hashed ballot tokens, delivery keys, and recovery codes (plaintext is never stored)
  • Bcrypt password hashing for administrator accounts (cost factor 12)
  • Server-side encrypted sessions, secure HTTP-only cookies, SameSite=Lax
  • Database-level unique constraints to prevent double voting
  • Pessimistic row locks during vote submission to prevent race conditions
  • Rate limiting on login, password reset, and ballot recovery
  • Account lockout after five failed login attempts
  • Timing-safe comparison (hash_equals) for all secret token checks
  • Role-based access control with strict organisation scoping
  • Immutable audit trail of every privileged action

Despite these measures, no online system is invulnerable. If we discover a personal data breach that is likely to affect voter rights, we will notify the affected organisation without undue delay and assist with regulator and voter notifications as required by law.

11. Your rights

Subject to the applicable law and the organisation’s instructions, you have the right to:

  • Confirm whether we hold personal data about you
  • Receive a copy of that data in a portable format
  • Correct inaccurate data
  • Request deletion of data, subject to election-integrity and audit-log retention
  • Object to processing on legitimate-interest grounds
  • Withdraw any consent you have given
  • Lodge a complaint with the relevant supervisory authority

Because we act as data processor, requests should be sent in the first instance to the organisation that contracted us to run the election. If you cannot reach the organisation, contact us using the details below and we will route your request appropriately.

Important: we cannot honour a deletion request that would compromise ballot integrity or the right of other voters to a verifiable result. Where this conflict arises we will explain it in writing.

12. Children

eVoting is not directed at people under the age of 16 and we do not knowingly process personal data of children. Where an organisation runs an election in which under-16 voters are eligible (for example a school council), the organisation is responsible for obtaining parental or guardian consent.

13. Automated decisions

eVoting does not make automated decisions that produce legal effects on voters. Vote tabulation is deterministic and audit-reviewable, with the certifying administrator confirming the result.

14. Changes to this policy

We may update this policy when the platform changes or when the law requires. Material changes will be notified to administrators by email and announced on this page at least 14 days before they take effect. The version and last-updated date at the top of this page always reflect the current text.

15. Contact

For privacy questions, data subject access requests, breach notifications, or any other matter related to this policy:
