Privacy Policy

1. Introduction

Welcome to Gran360, operated by REGO360 Company Limited ("we," "our," or "us"). Gran360 is a community-driven safety and awareness platform that enables users to post, view, and engage with reports about scams, incidents (accidents, fires, disasters, assaults, road blocks, etc.), and missing persons.

Your privacy and trust are fundamental to our mission. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our mobile application ("App") and website ("Web Platform") (collectively, "Services").

Important Notes:

  • Gran360 is operated in Nigeria, and our services are primarily intended for use within Nigeria
  • The mobile app provides full functionality for creating, viewing, and managing reports
  • The web platform provides read-only access—users cannot create, update, or delete content from the web
  • We comply with the Nigeria Data Protection Regulation (NDPR), and where applicable, the EU General Data Protection Regulation (GDPR) and US privacy laws

By using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use immediately.

2. Information We Collect

2.1 Personal Information

When you create an account, we collect:

  • Email address (required for authentication and communication)
  • Password (securely hashed using industry-standard encryption; never stored in plain text)
  • Optional profile information: First name, last name, age group, gender, phone number, social media handles, profile avatar

Third-Party Authentication: If you sign up using Google or Apple, we do not store or access your password. Authentication is handled securely by those providers.

2.2 Report Data

When you submit a report, we collect:

  • Report title, description, and category
  • Media files (photos, videos, or other attachments)
  • Location coordinates (if location services are enabled)
  • Social media handles or external references you provide
  • Timestamps and metadata
  • Law enforcement information (voluntarily provided): Whether reported to authorities, case file/reference number, additional references

You may update or delete your reports at any time. Deleted reports are soft-deleted—removed from public view but retained for operational, audit, security, and legal purposes.

2.3 Location Data

Low-Precision Location

  • Used to show nearby reports and send location-relevant safety alerts
  • Can be disabled anytime in app settings
  • Approximate coordinates only; not used for real-time tracking

High Risks Near Me Notifications

When you enable "High Risks Near Me" in Notification Preferences:

  • We collect approximate low-precision location data rounded to 2 decimal places
  • This ensures your exact location is never collected or stored
  • The recorded location points to a nearby area (neighboring street or further), not your precise position
  • Used solely to alert you about high-risk incidents in your general vicinity
  • Can be disabled anytime in notification settings

High-Precision Location

Powers two critical safety features:

SOS Alerts:

  • Sends precise location as Google Maps link to designated emergency contacts
  • Contact lists and messages stored locally on your device only (not on our servers)
  • Queued messages auto-deleted from device after 14 days
  • We do not access your contact list or store SOS data on our servers

GeoFence Alert Tracking:

  • Allows authorized GeoFence contacts to monitor your journey between designated locations
  • Only users you have added as GeoFence contacts can create GeoFence alerts for you
  • You must explicitly accept each GeoFence alert request before monitoring begins
  • Tracks departure from origin, journey progress, and arrival at destination
  • Full control to pause, stop, or delete alerts at any time
  • Cascading deletion: Deleting or blocking a GeoFence contact immediately deactivates all alerts and removes all associated location data

🔒 Privacy-Protected Location Storage:

  • Area-based locations: When you accept a GeoFence alert request, origin and destination are stored as hexagonal areas (~174m across) instead of precise addresses
  • H3 geospatial indexing: We use Uber's H3 hexagonal grid system (resolution 9) to approximate locations, ensuring your exact address is never stored in the alert configuration
  • Approximate coordinates only: The map shows hexagonal geofence boundaries, not precise pinpoints, until journey begins
  • Precise tracking only during journey: Exact GPS coordinates are collected only during active journey tracking (between departure and arrival)
  • Immediate deletion: All precise location breadcrumbs are automatically deleted upon journey completion
  • Privacy by design: This hexagonal area approach prevents your home, work, or other sensitive locations from being exposed even if someone gains unauthorized access to alert data

Example: Instead of storing "123 Main Street, Lagos" (precise), we store a hexagonal area covering ~174 meters that includes your general neighborhood (approximate). Your exact address remains private.

⏰ Time-Based Privacy Controls:

  • Tracking window: Location tracking only occurs during a defined time window (30 minutes before expected departure until arrival + grace period + 1 hour)
  • No premature tracking: If you accept an alert for tomorrow, tracking does not start until the window opens
  • Automatic geofence activation: Native device geofencing (low battery mode) or precise tracking (normal mode) activates only when the window opens
  • Outside window protection: Location updates submitted outside the tracking window are rejected by our servers to prevent unauthorized tracking
  • Recurring alerts: For recurring alerts (e.g., daily commute), tracking windows reset and activate only on scheduled days

Example: If your morning commute alert is set for 7:30 AM departure, tracking begins at 7:00 AM and ends shortly after arrival. Outside these hours, no location data is collected or transmitted.

Battery Information for GeoFence:

  • Battery level percentage to alert contacts if your device runs low during journey
  • Battery state (charging, discharging, full, unplugged, not charging, unknown)
  • Used for safety alerts when battery drops below configured threshold
  • Battery data collected only during active tracking window

Journey Summary and Data Retention:

  • Upon journey completion, raw geolocation data is converted to a Journey Summary
  • Journey Summary includes: distance covered (km), duration, average/top speed, battery status during journey, departure/arrival times, and on-time status
  • Raw geolocation breadcrumbs are immediately deleted after summary creation
  • No coordinates stored in summaries: Journey Summaries contain aggregated statistics only, with no GPS coordinates
  • Journey Summaries are retained for 90 days for your reference
  • You can delete Journey Summaries at any time by deleting the GeoFence alert or contacting support
  • Cascading deletion: Deleting a GeoFence alert removes all associated data (summaries, logs, location data, monitored location) immediately through automatic cascading deletion

Location Permission Requests for GeoFence:

When you receive a GeoFence alert request, the app will prompt you to allow location tracking if you haven't already granted permission. By tapping "Allow" or "Request Permission," you will be directed to your device's system settings where you can enable location permissions for Gran360. The exact steps may vary depending on your device (iOS or Android). Location permissions are only requested when needed and can be revoked at any time through device settings.

Automatic Batch Location Updates:

In cases where your device is unable to send real-time location updates during an active GeoFence alert (due to network issues, app background restrictions, or device settings), the app will automatically store location data locally on your device.

  • Local Storage: Location data is temporarily stored locally on your device when real-time updates fail
  • Tracking window enforcement: Batch uploads are only accepted if they fall within the alert's active tracking window
  • User Notification: You will be notified when location tracking resumes and prompted to upload stored data
  • Consent Required: Batch uploads only occur with your explicit consent when prompted by the app
  • Data Minimization: Only location data from the active alert period is stored
  • Automatic Cleanup: Stored location data is automatically deleted after 7 days if not uploaded
  • Manual Control: You can choose to upload stored data, deactivate the alert, or keep data locally
  • Privacy Protection: Batch uploads are processed securely and data is handled according to our standard retention policies
  • Journey completion: Upon arrival, batched data is included in Journey Summary calculation, then immediately deleted

This feature ensures journey completeness while maintaining your privacy and control over location data sharing.

2.4 GeoFence Alert Requests

When a GeoFence contact creates an alert request for you, we collect:

  • Alert configuration (name, type, origin/destination locations)
  • Schedule details (expected departure/arrival times, grace period, timezone)
  • Recurrence settings (if applicable)
  • Notification preferences
  • Optional message from the requester

Privacy Protection:

  • Declined or expired requests: All location coordinates and location names are immediately nullified and removed from our systems for your privacy
  • Automatic cleanup: Pending requests that expire are automatically deleted with all associated data
  • No retention: We do not retain location information from requests you decline

2.5 Engagement and Activity Data

We automatically collect: Reports viewed, bookmarked, confirmed, or flagged; helpful votes and community feedback; gamification progress (points, badges, levels); report contests or disputes; notification interaction metrics.

2.6 Device and Technical Information

Device identifiers, type, and OS; device tokens for push notifications (no personal identifiers embedded); app version; IP address; error logs and crash reports.

2.7 Subscription and Payment Data

Through RevenueCat and Paystack: subscription tier/status, renewal dates, payment amounts, transaction IDs. We never store your full payment card details.

2.8 Security Audit Data

To protect your privacy and security, we maintain comprehensive audit logs:

Contact Actions:

  • When you delete, block, or unblock contacts, we log: timestamp, IP address, user agent, and affected data counts
  • This helps detect unauthorized account access and suspicious activity patterns
  • Logs include number of alerts deactivated, locations deleted, and requests cancelled

Location Access:

  • Every time someone views your GeoFence location, we log: who accessed it, when, from what IP address, and which alert
  • You can request your access logs to see who has viewed your location data
  • Helps detect potential misuse or unauthorized monitoring

Rate Limiting:

  • Location access is rate-limited to 100 requests per hour per user
  • Prevents mass scraping or abuse of location tracking features
  • Ensures system stability and protects against automated attacks

3. Automated Evaluation and Machine Learning

Gran360 uses automated machine learning systems to evaluate and assign risk levels to reports (low, medium, high), assess credibility, detect spam/fraud, and improve abuse detection.

Important Clarifications:

  • Risk assessments are not manually reviewed in routine operations
  • Human review occurs only for user-initiated reassessment requests, community flags, or anomaly detection
  • Users may contest automated decisions through the app
  • You have the right to request human review of any automated decision that significantly affects you

4. How We Use Your Information

Service Delivery:

  • Provide and maintain reporting and safety services
  • Enable posting, viewing, and engagement with community reports
  • Deliver SOS alerts and GeoFence alert tracking
  • Display relevant nearby reports with location-based filters
  • Process GeoFence alert requests and journey monitoring
  • Generate Journey Summaries from completed trips

Communications:

  • Send push notifications about incidents, alerts, and updates
  • Communicate about account security and support
  • Deliver promotional messages (opt-out available)
  • Alert GeoFence contacts about journey events (departure, arrival, delays, low battery)

Improvement and Analysis:

  • Improve credibility models and risk evaluation algorithms
  • Optimize alert targeting and notification delivery
  • Enhance app performance and user experience
  • Analyze anonymized usage data for service improvements

Safety and Compliance:

  • Detect, prevent, and respond to fraud and security threats
  • Comply with legal obligations and protect legal rights
  • Cooperate with law enforcement where legally required

5. Data Sharing and Disclosure

We do not sell your personal information to third parties.

We may share limited information only in these circumstances:

  • With Your Consent: When you accept GeoFence alert requests or authorize specific purposes
  • GeoFence Contacts: Location and battery data shared only with contacts you have explicitly authorized, and only during active alert periods. When you delete or block a GeoFence contact, all active monitoring is immediately terminated and all associated location data is automatically removed from our systems.
  • Public Reports: Approved reports are visible to all platform users
  • Service Providers: With AWS, RevenueCat, Paystack, and analytics/ML providers (bound by strict confidentiality and data processing agreements)
  • Law Enforcement: When required by law, court order, or necessary for public safety. For missing persons/high-risk incidents, we may request proof of law enforcement reporting
  • Emergency Situations: SOS alerts sent to chosen contacts automatically, even if they don't have the app
  • Business Transfers: In event of merger, acquisition, or sale (with notification)

6. Data Storage, Security, and International Transfers

Hosting and Storage

All backend services are securely hosted on Amazon Web Services (AWS) infrastructure located in the Africa (Cape Town) region (af-south-1). We maintain industry-standard security practices including:

  • AWS security groups with strict access controls
  • VPC (Virtual Private Cloud) network isolation
  • Encryption of data at rest using AWS KMS (Key Management Service)
  • Encryption of data in transit using TLS 1.2+
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication for administrative access

Our employees and contractors receive regular training on data protection principles and security best practices. All personnel with access to personal data are bound by confidentiality agreements and undergo background checks where appropriate.

Security Measures

  • HTTPS encryption for all data transmission
  • Encryption of data at rest and in transit (AES-256)
  • Secure password hashing using modern algorithms (bcrypt)
  • Role-based access controls
  • Regular security audits and continuous monitoring
  • Automated threat detection systems
  • Data minimization practices

However, no digital service is entirely risk-free. Users are responsible for maintaining account security with strong passwords and secure devices.

International Data Transfers

While our primary infrastructure is located in Africa (Cape Town), data may be transferred to other AWS regions or third-party service providers in other countries (e.g., United States, European Union) for specific processing purposes. By using our Services, you consent to this transfer.

We ensure international data transfers comply with applicable laws including NDPR requirements for cross-border transfers and, where applicable, GDPR-approved mechanisms such as Standard Contractual Clauses (SCCs).

7. Data Retention

  • Account Data: Retained while account is open. After deletion, 30-day grace period (logging in cancels deletion). After 30 days, personal identifiers permanently removed.
  • Reports: Remain visible even after account deletion but attributed to "Deleted User." Soft-deleted reports retained for operational, audit, security, and legal purposes.
  • Temporary Data: SOS messages deleted from device after 14 days.
  • GeoFence Location Data: Raw geolocation breadcrumbs and MonitoredUserLocation entries are immediately deleted upon journey completion when the Journey Summary is created. Orphaned location data older than 7 days is automatically deleted as a safety measure.
  • Batched Location Data: Location data stored locally on devices due to network or technical issues during GeoFence alerts is automatically deleted after 7 days if not manually uploaded. Uploaded batch data follows the same retention policy as regular GeoFence location data.
  • Declined/Expired Requests: When you decline a GeoFence alert request or it expires, all location coordinates and names are immediately nullified to protect your privacy. The request record (without location data) may be retained briefly for operational purposes before automatic deletion.
  • Contact Deletion: When you delete or block a GeoFence contact, all active alerts are immediately deactivated and all associated location data (real-time positions, journey summaries, logs) is removed through cascading deletion.
  • Audit Logs: Contact action logs (delete, block, unblock) and location access logs are retained for 180 days for security monitoring and dispute resolution, then automatically deleted.
  • Journey Summaries: Retained for 90 days, then automatically deleted. You can delete earlier via app or by contacting support.
  • GeoFence Alert Requests: Pending requests expire after configured period. Expired/declined requests automatically removed.
  • Inactive GeoFence Alerts: Alerts inactive for more than 7 days, along with all associated data, are automatically deleted.
  • Alert Logs: GeoFence alert event logs retained for 90 days for your reference, then deleted.
  • Session Data: Expired sessions deleted after 7 days.
  • Logs and Analytics: May be retained longer for security, compliance, and improvement, in anonymized form where possible.

8. Your Rights and Choices Under NDPR and Other Regulations

Under the Nigeria Data Protection Regulation (NDPR), GDPR (where applicable), and other privacy laws, you have the following rights:

Right to Access and Data Portability

  • Request copy of your personal data (within 14 days)
  • Export data in common machine-readable format (CSV, JSON)
  • View your Journey Summaries, reports, and activity logs in-app
  • Access your complete data profile upon request

Right to Rectification

  • Update and correct inaccurate personal information
  • Edit or update reports you have submitted
  • Modify GeoFence alert settings and preferences
  • Complete incomplete data where appropriate

Right to Erasure (Right to be Forgotten)

  • Delete individual reports you have created
  • Delete entire account with 30-day grace period
  • Delete GeoFence alerts and all associated location data
  • Request deletion of Journey Summaries and activity logs
  • Request erasure of specific personal data

Right to Restrict Processing

  • Accept or decline GeoFence alert requests
  • Pause/stop GeoFence tracking at any time
  • Temporarily restrict processing while accuracy is verified
  • Restrict processing when data is unlawfully processed

Right to Object

  • Object to processing based on legitimate interests
  • Opt out of direct marketing communications
  • Object to automated decision-making and profiling
  • Object to processing for research or statistical purposes

Rights Related to Automated Decision Making

  • Challenge automated risk assessments
  • Request human review of automated decisions
  • Express your point of view regarding automated processing
  • Contest the outcome of automated evaluations

Right to Withdraw Consent

  • Withdraw consent for location tracking at any time
  • Revoke consent for GeoFence monitoring
  • Withdraw marketing consent through unsubscribe options
  • Manage communication preferences in settings

Right to Transparency and Information

  • Request information about data processing activities
  • Access your location access logs and audit trails
  • View who has accessed your GeoFence location data
  • Receive clear information about data sharing practices

Control Over Batch Uploads

  • Choose whether to upload stored location data when prompted
  • Review number of stored location points before uploading
  • Delete locally stored location data without uploading
  • Configure app settings for background location updates
  • Control automatic batch upload behavior in app settings

How to Exercise Your Rights

You can exercise your NDPR rights through the following methods:

  • Use in-app settings and privacy controls
  • Contact us at support@rego360.com
  • Submit a formal data subject request via email
  • Use the "Delete Account" feature in app settings

We will respond to all valid requests within 14 business days (or 30 days for complex requests). There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.

Control Over Features

  • Manage Location Permissions: Enable or disable location access through your device settings. If you initially denied location permissions, you can enable them manually. Depending on your device, you will be taken to the system settings page for Gran360 to adjust your location preferences.
  • Manage GeoFence Contacts: Add, remove, block, or unblock GeoFence contacts
  • Manage SOS Contacts: Configure and update emergency contact lists
  • Disable low-precision location: Turn off location-based features in settings
  • Manage Notification Preferences: Control which notifications you receive
  • Enable/disable High Risks Near Me alerts: Toggle location-based safety alerts
  • Control alert frequency: Adjust how often you receive notifications

To exercise your rights, contact us at support@rego360.com or use in-app settings. We will respond within 14 business days (or 30 days for complex GDPR requests).

9. Missing Persons Reports: Special Guidelines

When reporting a missing person, you confirm that:

  • At least 24 hours have passed since disappearance (unless immediate danger)
  • Law enforcement has been notified and you have permission to share publicly
  • The missing person is a minor, vulnerable, or potentially in danger
  • You will not interfere with ongoing investigations

We may request proof of law enforcement involvement. You are solely responsible for ensuring proper authorization and accuracy.

10. User Responsibility and Content Liability

Gran360 does not verify the accuracy of user-submitted reports. Users are solely responsible for truthfulness, legality, and safety of their posts. We encourage independent verification.

Users may flag inappropriate reports, mark as helpful/confirmed, or contest through dispute mechanism.

REGO360 Company Limited is not liable for:

  • False, defamatory, or misleading user reports
  • Actions taken based on unverified community reports
  • Harm from reliance on user-generated content
  • Interference with investigations due to unauthorized disclosures
  • Technical failures in GeoFence tracking or SOS alerts

11. Third-Party Services and Emergency Helplines

Integrated Services

Gran360 integrates with Google Maps, RevenueCat, Paystack, Apple, and Google authentication. Each operates under their own privacy policies. We encourage you to review their policies.

Emergency Helplines

The app provides public emergency helplines (fire, health, gender-based violence, disaster response).

Disclaimer: We do not verify or guarantee accuracy of these numbers and are not liable for disconnected numbers, response failures, or delays. Confirm helplines with local authorities.

12. Advertising, Promotions, and Gamification

  • Advertising: May display third-party ads. While we avoid harmful content, we don't independently verify all advertisers. Users can report inappropriate ads.
  • Gamification: Points, badges, and levels have no real-world monetary value. Gran360 may adjust, pause, or remove rewards at any time.
  • Subscription Pricing: May change with reasonable notice. Current subscribers notified before renewal at new price.

Quizzes and Leaderboard

Gran360 offers safety quizzes designed strictly for knowledge and safety awareness purposes.

Public Leaderboard Information:

  • The quiz leaderboard is publicly visible to all users
  • Leaderboard displays: score, number of attempts, and average quiz completion time
  • Personal details shown include: display name, email address, and profile picture
  • If you do not wish to appear publicly on the leaderboard, contact support@rego360.com to request removal
  • We reserve the right to remove users from the leaderboard for internal reasons without notice

Prize Disclaimer:

  • Leaderboard placement does not automatically translate to prizes
  • Quizzes are strictly for knowledge and safety education
  • We may, at our sole discretion, present tokens in physical or virtual form to top placements
  • Any announced prizes may be retracted at our discretion without prior notice
  • No user is entitled to prizes based solely on leaderboard position

13. Children's Privacy

Gran360 is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected data from a child under 13, contact us immediately at support@rego360.com for prompt removal.

Minors aged 13-17 may use the app only with verified parental or guardian consent. Parents/guardians can use GeoFence features to monitor their children's safety with the child's knowledge and consent.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via in-app notification or email at least 30 days before taking effect. The updated policy will always display a revised "Last Updated" date. Continued use after changes constitutes acceptance.

15. Legal Basis for Processing

For users in jurisdictions with data protection laws (e.g., GDPR, NDPR, CCPA), we process your data based on:

  • Contractual necessity: To provide our Services as agreed in our Terms of Service
  • Legitimate interests: In improving, securing, and analyzing our platform (balanced against your rights)
  • Legal compliance: With applicable laws and regulations
  • Consent: Where explicitly obtained for specific activities (e.g., marketing, GeoFence monitoring)
  • Vital interests: To protect life and safety in emergencies

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

16. Data Protection Officer

In accordance with NDPR requirements, we have designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance. You can contact our DPO at dpo@rego360.com.

17. Complaints and Regulatory Authority

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with:

  • Nigeria: National Information Technology Development Agency (NITDA)
  • EU/EEA: Your local Data Protection Authority
  • Other jurisdictions: The relevant data protection authority in your location

NDPR Regulatory Authority Contact Information

For NDPR compliance issues, you may contact:

National Information Technology Development Agency (NITDA)

📧 Email: info@nitda.gov.ng

🌐 Website: https://nitda.gov.ng

📞 Phone: +234 9 461 7200

🏢 Address: NITDA Headquarters, Garki, Abuja, Nigeria

We encourage you to contact us first at support@rego360.com so we can address your concerns directly before escalating to regulatory authorities.

18. Contact Us

For questions, data requests, complaints, or to exercise your privacy rights, please contact:

Gran360 Privacy Team

REGO360 Company Limited

📧 Email: support@rego360.com

📧 DPO: dpo@rego360.com

🌐 Website: https://www.getgran.com

🏢 Address: Lagos, Nigeria

Response Time: We will respond to all privacy inquiries within 14 business days (30 days for complex GDPR requests).

19. Governing Law

This Privacy Policy is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Regulation (NDPR). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of Nigerian courts, without prejudice to your rights under GDPR or other applicable data protection laws in your jurisdiction.

By using Gran360, you acknowledge that you have read, understood, and agree to this Privacy Policy.

REGO360 Company Limited © 2025. All rights reserved.

Last Updated: December 24, 2025