Privacy Policy

2.1 Personal Information

When you create an account, we collect:

• Email address (required for authentication and communication)
• Password (securely hashed using bcrypt with salt; never stored in plain text)

Third-Party Authentication: If you sign up using Google or Apple Sign-In, we collect:

• Name provided by the authentication provider
• Email address
• Profile picture URL (optional)
• Unique provider ID

We do not store or access your password when using third-party authentication. Authentication is handled securely by those providers using OAuth 2.0 protocols.

Optional Profile Information (added during onboarding or later):

• Full name
• Phone number (for SMS features and verification)
• Date of birth (for age verification)
• Profile picture
• Bio and personal description
• Privacy settings and notification preferences
• SOS emergency contacts (stored locally on your device, not on our servers)
• GeoFence contact relationships (mutual consent required - both parties must add each other)
• Gamification profile: Experience points (XP), user level, achievements, badges, leaderboard rankings
• Subscription tier and payment preferences

2.2 Report Data

When you submit a report, we collect:

• Report title, description, and category
• Media files (photos, videos, or other attachments)
• Exact location coordinates (precise GPS location where incident occurred, if location services are enabled)
• Location displayed as H3 hexagon area on public map (for reporter privacy)
• Social media handles or external references you provide
• Timestamps and metadata
• Law enforcement information (voluntarily provided): Whether reported to authorities, case file/reference number, additional references

You may update or delete your reports at any time. Deleted reports are soft-deleted—removed from public view but retained for operational, audit, security, and legal purposes.

2.3 Location Data

2.4 GeoFence Alert Requests

When a GeoFence contact creates an alert request for you, we collect:

• Alert configuration (name, type, origin/destination locations stored as H3 hexagonal areas)
• Schedule details (expected departure/arrival times, grace period, timezone)
• Recurrence settings (if applicable)
• Notification preferences
• Optional message from the requester

2.5 Engagement and Activity Data

We automatically collect: Reports viewed, bookmarked, marked as "Found Helpful", or flagged; community feedback; gamification progress (XP points, badges, levels); report contests or disputes; notification interaction metrics.

2.6 Device and Technical Information

Device identifiers, type, and OS; device tokens for push notifications (managed by Expo Push Notifications, no personal identifiers embedded); app version; IP address (truncated for privacy); error logs and crash reports (via Sentry, anonymized).

2.7 Subscription and Payment Data

Through RevenueCat and Paystack: subscription tier/status, renewal dates, payment amounts, transaction IDs. We never store your full payment card details. Payment card information is tokenized and handled securely by PCI-DSS compliant payment processors.

2.8 Security Audit Data

To protect your privacy and security, we maintain comprehensive audit logs:

Service Delivery:

• Provide and maintain reporting and safety services
• Enable posting, viewing, and engagement with community reports
• Deliver SOS alerts and GeoFence alert tracking
• Display relevant nearby reports with location-based filters
• Process GeoFence alert requests and journey monitoring
• Generate Journey Summaries from completed trips
• Calculate ETA and display signal strength indicators during active tracking

Communications:

• Send push notifications about incidents, alerts, and updates
• Communicate about account security and support
• Deliver promotional messages (opt-out available)
• Alert GeoFence contacts about journey events (departure, arrival, delays, low battery)

Improvement and Analysis:

• Improve credibility models and risk evaluation algorithms
• Optimize alert targeting and notification delivery
• Enhance app performance and user experience
• Analyze anonymized usage data for service improvements

Safety and Compliance:

• Detect, prevent, and respond to fraud and security threats
• Comply with legal obligations and protect legal rights
• Cooperate with law enforcement where legally required

Hosting and Storage

All backend services are securely hosted on Amazon Web Services (AWS) infrastructure located in the Africa (Cape Town) region (af-south-1). We maintain industry-standard security practices including:

• AWS security groups with strict access controls
• VPC (Virtual Private Cloud) network isolation
• Encryption of data at rest using AWS KMS (Key Management Service) with AES-256
• Encryption of data in transit using TLS 1.3
• Regular security audits and vulnerability assessments
• Multi-factor authentication for administrative access
• Role-Based Access Control (RBAC) for employees
• JWT token authentication with short expiration (15 minutes access, 7 days refresh)

Our employees and contractors receive regular training on data protection principles and security best practices. All personnel with access to personal data are bound by confidentiality agreements and undergo background checks where appropriate.

Security Measures

• HTTPS/TLS 1.3 encryption for all data transmission
• Encryption of data at rest and in transit (AES-256)
• Secure password hashing using bcrypt with salt (never stored in plain text)
• Role-based access controls (RBAC)
• Rate limiting: 100 location requests per hour per user
• Regular security audits and continuous monitoring
• Automated threat detection systems (AWS GuardDuty)
• DDoS protection via Cloudflare
• Data minimization practices
• H3 hexagonal geofencing for location privacy
• Comprehensive audit logging for location access

However, no digital service is entirely risk-free. Users are responsible for maintaining account security with strong passwords and secure devices. You assume inherent risk when sharing location data with GeoFence contacts.

International Data Transfers

While our primary infrastructure is located in Africa (Cape Town), data may be transferred to other AWS regions or third-party service providers in other countries (e.g., United States, European Union) for specific processing purposes. By using our Services, you consent to this transfer.

We ensure international data transfers comply with applicable laws including NDPR requirements for cross-border transfers and, where applicable, GDPR-approved mechanisms such as Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework.

How Journey Safety Alerts Work

When you are traveling with an active GeoFence alert, Gran360 monitors your route in real-time and may send notifications if you are approaching or entering areas where community members have recently reported incidents.

Community-Generated Content Limitations

What This Means for You:

• Unverified Information: Reports may contain inaccurate locations, exaggerated descriptions, outdated information, or deliberate misinformation
• False Positives: You may receive alerts for areas that are actually safe, causing unnecessary anxiety or route changes
• False Negatives: Dangerous areas may NOT trigger alerts if no community members have reported incidents there recently
• Confirmation Bias: Even reports marked as "confirmed by other users" only mean multiple users submitted similar reports—this does NOT guarantee accuracy or truthfulness
• Incomplete Picture: Journey alerts show only a snapshot of reported incidents in the last 3 days and may miss ongoing threats, emerging dangers, or chronic safety issues
• Subjective Assessments: Risk level classifications (medium, high, critical) are automated algorithmic determinations based on limited community data, not professional threat assessments

Technical Limitations and System Failures

Real-Time Processing Delays: Even under optimal conditions, there may be delays of several seconds between your location changing and receiving an alert. At high speeds, you may enter a flagged area before receiving notification.

Your Responsibility and Independent Judgment

Gran360 journey alerts are meant to supplement—never replace—your own judgment, awareness, and decision-making abilities.

No Liability for Actions Taken or Not Taken

Intended Use and Scope

Journey safety alerts are designed as a supplementary awareness tool for individuals traveling through areas with recent community-reported incidents. This feature is NOT:

• A comprehensive crime prevention system
• A real-time emergency response service
• A replacement for professional security or law enforcement
• A guarantee of safety in any location
• A verified or authoritative source of threat intelligence
• Medical, legal, or professional safety advice
• An insurance policy against harm or criminal activity

Recommendation: Use Multiple Information Sources

Disabling Journey Safety Alerts

You can disable journey safety alerts at any time through:

• App Settings → Notifications → Journey Safety Alerts (toggle off)
• Individual GeoFence alert settings when creating or editing alerts
• Device notification settings to block alert notifications entirely

Disabling alerts does NOT affect other GeoFence tracking functionality (departure/arrival notifications, low battery alerts, emergency contact updates).

Acknowledgment and Acceptance of Risk

Integrated Services

Gran360 integrates with Google Maps, RevenueCat, Paystack, Apple, and Google authentication. Each operates under their own privacy policies. We encourage you to review their policies.

Emergency Helplines

The app provides public emergency helplines (fire, health, gender-based violence, disaster response).

Website Cookies

Our website (https://www.gran360.app) uses cookies and similar tracking technologies:

Mobile App Tracking

Our mobile application uses the following tracking technologies:

• Mixpanel: Product analytics and user behavior tracking (anonymized)
• Firebase Analytics: App usage analytics and crash reporting
• Sentry: Error tracking and performance monitoring (anonymized data only)
• AppsFlyer: Attribution tracking for marketing campaigns

All analytics data is anonymized and aggregated. We do not sell analytics data to third parties.

Managing Cookies and Tracking

• Website: Use our cookie banner to manage preferences or adjust browser settings
• Mobile App: Manage analytics preferences in app settings under Privacy
• Push Notifications: Control via device settings or in-app notification preferences
• Advertising ID: Reset or disable in your device's privacy settings (iOS/Android)

Types of Communications

How to Opt Out

• Email: Click "Unsubscribe" link at bottom of any marketing email
• Push Notifications: Manage in device settings or app notification preferences
• SMS (if applicable): Reply "STOP" to opt out of promotional SMS
• In-App Settings: Go to Settings → Notifications → Manage preferences

Changes to communication preferences take effect within 48 hours. You will continue to receive transactional emails necessary for account operation.

Third-Party Marketing

We do NOT share your email address or phone number with third parties for their marketing purposes. Exception: Co-branded campaigns with explicit opt-in consent where clearly disclosed at the time of collection.

Notification Timelines

What We Tell You

Our breach notification will include:

• Nature of the breach (unauthorized access, data leak, etc.)
• Categories of data affected (emails, location data, etc.)
• Approximate number of affected users
• Likely consequences of the breach
• Measures we've taken to address the breach
• Recommended actions for affected users
• Contact information for further questions (dpo@gran360.app)

What You Should Do

Breach Logging

All security incidents and data breaches are documented in our breach log, which is retained for 7 years in compliance with NDPR requirements. You may request information about past breaches that affected your data by contacting our Data Protection Officer.

California Residents (CCPA/CPRA Rights)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

California "Shine the Light" Law: You may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes without your explicit consent.

European Economic Area (EEA) and UK Residents

If you are located in the EEA or UK, your data processing is governed by GDPR. In addition to the rights described elsewhere in this policy:

Other International Users

Users from other jurisdictions have rights under applicable local laws. We commit to honoring data protection rights equivalent to those described in this Privacy Policy, regardless of your location. If your jurisdiction has specific data protection laws not addressed here, please contact us at dpo@gran360.app to discuss how we can accommodate your rights.

Exercising Your Rights

To exercise any of the rights described above, contact us at:

• Email: support@gran360.app or dpo@gran360.app
• In-app: Settings → Privacy → Data Rights
• Response time: 14 days (NDPR), 30 days (CCPA), 30 days (GDPR)

We may verify your identity before processing requests to protect your privacy and security.

Key Definitions

Governing Law

This Privacy Policy is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Regulation (NDPR) 2019 and Nigeria Data Protection Act (NDPA) 2023. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of Nigerian courts, without prejudice to your rights under GDPR or other applicable data protection laws in your jurisdiction.