Privacy Policy
Last updated: March 2026
1. Introduction
This Privacy Policy explains how GreenGrove Technologies ("we", "our", "us") collects, uses, and protects information when you use our services, including:
- The GreenGrove Technologies marketing website
- The EstateNotice mobile application
- The EstateNotice admin portal
This policy applies to all users, including estate residents, administrators, and website visitors.
2. Information We Collect
2.1 Marketing Website
When you visit our marketing website, we may collect:
- Contact information you voluntarily provide (name, email, phone number, company name)
- Technical information collected automatically (IP address, browser type, device type, pages visited, date and time)
2.2 EstateNotice Platform
When you use the EstateNotice mobile app or admin portal, we collect:
- Phone number — Required for authentication. We store phone numbers in E.164 international format (e.g., +27821234567).
- User account information — Unique identifiers, account creation timestamps, and role assignments (viewer or admin).
- Estate association — Which estate(s) you have access to and your permission level for each.
- Activity logs — Actions performed within the platform are logged for security and audit purposes (see Section 8).
- Access timestamps — When you authenticate and access the platform.
2.3 Data Created by Administrators
Estate administrators may create and manage the following data within their estate:
- Emergency contacts — Names, phone numbers, and descriptions for security, medical, fire, and other services.
- Access codes — Gate PINs and facility codes (stored encrypted — see Section 5).
- Estate notices — Announcements and alerts for residents.
- Phone allowlist — Phone numbers permitted to access the estate's information, with optional labels.
3. How We Use Information
We use collected information to:
- Provide the service — Authenticate users, display estate information, and enable administrative functions.
- Maintain security — Verify access permissions, prevent abuse, and protect against unauthorised access.
- Audit and compliance — Log changes for accountability and regulatory compliance.
- Improve our services — Analyse usage patterns and enhance functionality.
- Communicate — Respond to inquiries and send service-related notifications.
We do not sell personal information.
4. Authentication
EstateNotice uses phone-based OTP (One-Time Password) authentication:
- You enter your phone number to request access.
- We verify that your phone number is on your estate's allowlist before sending an OTP.
- A 6-digit code is sent via SMS, which you enter to authenticate.
- No passwords are stored — authentication relies solely on phone verification.
Rate limiting: To prevent abuse, we track authentication attempts by phone number and IP address. Excessive failed attempts may result in temporary lockouts.
5. Data Storage and Security
We implement multiple layers of security to protect your information:
5.1 Access Control
- Role-based permissions — Users are assigned viewer or admin roles per estate.
- Row Level Security (RLS) — Database-level security ensures users can only access data for estates they belong to.
- JWT authentication — All API requests are authenticated using secure tokens.
5.2 Estate Isolation
Each estate operates in complete isolation. There is no cross-estate data access — users can only view information for estates where they have been granted access. This is enforced at the database level.
5.3 Encryption
- Data in transit — All connections use TLS/HTTPS encryption.
- Access codes — Sensitive access codes (gate PINs, facility codes) are encrypted at rest using PGP symmetric encryption before storage.
However, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
6. Third-Party Services
We use the following third-party services to provide our platform:
- Supabase — Database hosting, authentication, and backend infrastructure. Supabase processes phone numbers for OTP delivery and stores platform data.
- Vercel — Website and admin portal hosting.
- SMS providers — Delivery of OTP codes via SMS (facilitated through Supabase).
Each third party maintains its own privacy policies and security practices.
7. Cookies
The website and admin portal may use cookies or similar technologies for:
- Session management and authentication
- Remembering user preferences
- Analytics and website improvement
You can control cookie settings through your browser preferences.
8. Audit Logging
For security and compliance purposes, we maintain audit logs that record:
- What is logged — Creating, updating, and deleting contacts, categories, user roles, and phone allowlist entries.
- What is captured — The user who performed the action, timestamp, previous values, and new values.
- Access — Audit logs are accessible only to estate administrators and are scoped to their estate.
- Retention — Audit logs are retained indefinitely and cannot be modified or deleted.
9. Data Retention
We retain data as follows:
- Active user accounts — Retained while the account is active and the user has estate access.
- Removed allowlist entries — When a phone number is removed from an estate's allowlist, we use "soft delete" to retain a record of who removed it and when, for audit purposes.
- Audit logs — Retained indefinitely for compliance and security.
- Rate limiting data — Automatically expires after the lockout period.
- Marketing inquiries — Retained as long as necessary to respond and for legitimate business purposes.
10. International Data Transfers
Our services use cloud infrastructure that may process data in locations outside South Africa. By using our services, you consent to the transfer of your information to these locations.
We ensure that any international transfers comply with applicable data protection requirements and that appropriate safeguards are in place.
11. Your Rights (POPIA)
Under the Protection of Personal Information Act (POPIA) and other applicable laws, you have the right to:
- Access — Request confirmation of whether we hold your personal information and obtain a copy.
- Correction — Request correction or deletion of inaccurate, irrelevant, or outdated information.
- Deletion — Request deletion of your personal information, subject to legal retention requirements.
- Object — Object to processing of your personal information in certain circumstances.
- Withdraw consent — Withdraw consent for processing where consent was the legal basis.
- Lodge a complaint — Lodge a complaint with the Information Regulator if you believe your rights have been violated.
To exercise these rights, contact us at: support@greengrovetech.com
Note: Estate administrators control access to their estate. To be removed from an estate's allowlist, contact your estate administrator directly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Updates will be reflected by revising the "Last updated" date above.
For significant changes, we may provide additional notice through the platform or via email.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:
GreenGrove Technologies
Email: support@greengrovetech.com
Location: Cape Town, South Africa
For POPIA-related inquiries, you may also contact the Information Regulator at inforegulator.org.za.