Privacy Policy

Last updated: March 2026

GrimmGear (Pty) Ltd ("GrimmGear", "we", "us", or "our") is committed to protecting your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable South African privacy legislation.

This Privacy Policy describes how we collect, use, store, and protect your information when you use ComplyGear ("the Service").

1. Information We Collect

We collect the following categories of personal information:

Account Information

  • Full name
  • Email address
  • Firm/company name
  • Phone number (optional, for WhatsApp alerts)
  • Password (stored in hashed form only)

Client and Company Data

  • Company names, registration numbers, and tax numbers
  • Director names and identification numbers
  • Financial year-end dates
  • B-BBEE scores and certificates
  • Compliance obligation records
  • Uploaded documents (certificates, filings, correspondence)

Usage Analytics

  • Pages visited and features used (via Google Analytics)
  • Browser type and device information
  • IP address and approximate location
  • Session duration and frequency of use

2. Why We Collect Your Information

We process your personal information for the following purposes:

  • Provide the Service: To create and manage your account, track compliance obligations, send alerts and reminders, and generate reports.
  • Improve the platform: To understand how the Service is used, identify issues, and develop new features.
  • Communicate with you: To send service-related notifications, compliance alerts, billing information, and customer support responses.
  • Legal compliance: To comply with applicable laws and regulations, respond to legal requests, and protect our rights.

Our legal bases for processing under POPIA are: your consent (Section 11(1)(a)), contractual necessity (Section 11(1)(b)), and our legitimate interest in operating and improving the Service (Section 11(1)(f)).

3. How We Store Your Data

Your data is stored in a PostgreSQL database hosted on a secured virtual private server (VPS) in a professional data centre. We implement the following security measures:

  • TLS/SSL encryption for all data in transit (HTTPS)
  • Passwords are hashed using bcrypt with a cost factor of 12
  • Database access is restricted to application-level credentials only
  • Daily automated database backups with 14-day retention
  • Server access controlled via SSH key authentication
  • Regular security updates applied to all server software

4. Data Retention

We retain your personal information for as long as your account is active and you continue to use the Service. After account cancellation:

  • Your data is retained for 1 year after cancellation to allow for account reactivation and data export.
  • After the 1-year period, all personal information and client data is permanently deleted from our systems, including backups.
  • Anonymised, aggregated usage statistics may be retained indefinitely for analytics purposes.

5. Third-Party Sharing

We do not sell, rent, or trade your personal information to any third party.

We may share your data only in the following limited circumstances:

  • Payment processors: Billing information shared with payment service providers to process subscription payments.
  • Analytics: Anonymised usage data processed by Google Analytics for service improvement.
  • Legal requirements: If required by law, court order, or regulatory authority in South Africa.
  • Service providers: Trusted hosting and infrastructure providers who process data on our behalf under strict data processing agreements.

6. Your Rights as a Data Subject

Under POPIA, you have the following rights regarding your personal information:

  • Right of access: Request a copy of the personal information we hold about you.
  • Right to correction: Request that inaccurate or incomplete information be corrected.
  • Right to deletion: Request that your personal information be deleted, subject to our legal obligations.
  • Right to object: Object to the processing of your personal information in certain circumstances.
  • Right to data portability: Export your data in a machine-readable format (CSV).

To exercise any of these rights, please email us at support@grimmgear.com. We will respond to your request within 30 days.

7. Information Officer

Richard Beukes

Email: richard@grimmgear.com

You may also lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

8. Cookies

ComplyGear uses session cookies only to maintain your login state and ensure the security of your session. We do not use tracking cookies, advertising cookies, or any third-party cookies beyond those required by Google Analytics.

Google Analytics uses cookies to collect anonymised usage data. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

9. Children's Privacy

ComplyGear is a business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect and update the "Last updated" date at the top of this page.

11. Contact

For any privacy-related questions or concerns, please contact us at:

GrimmGear (Pty) Ltd

Johannesburg, Gauteng, South Africa

Email: support@grimmgear.com

Information Officer: richard@grimmgear.com
