Privacy Policy

1. Introduction

Welcome to Gran360, operated by REGO360 Company Limited ("we," "our," or "us"). Gran360 is a community-driven safety and awareness platform that enables users to post, view, and engage with reports about scams, incidents (accidents, fires, disasters, assaults, road blocks, etc.), and missing persons.

Your privacy and trust are fundamental to our mission. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our mobile application ("App") and website ("Web Platform") (collectively, "Services").

Important Notes:

  • Gran360 is operated in Nigeria, and our services are primarily intended for use within Nigeria
  • The mobile app provides full functionality for creating, viewing, and managing reports
  • The web platform provides read-only access—users cannot create, update, or delete content from the web
  • We comply with the Nigeria Data Protection Regulation (NDPR), and where applicable, the EU General Data Protection Regulation (GDPR) and US privacy laws

By using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use immediately.

2. Information We Collect

2.1 Personal Information

When you create an account, we collect:

  • Email address (required for authentication and communication)
  • Password (securely hashed using industry-standard encryption; never stored in plain text)
  • Optional profile information: First name, last name, age group, gender, phone number, social media handles, profile avatar

Third-Party Authentication: If you sign up using Google or Apple, we do not store or access your password. Authentication is handled securely by those providers.

2.2 Report Data

When you submit a report, we collect:

  • Report title, description, and category
  • Media files (photos, videos, or other attachments)
  • Location coordinates (if location services are enabled)
  • Social media handles or external references you provide
  • Timestamps and metadata
  • Law enforcement information (voluntarily provided): Whether reported to authorities, case file/reference number, additional references

You may update or delete your reports at any time. Deleted reports are soft-deleted—removed from public view but retained for operational, audit, security, and legal purposes.

2.3 Location Data

Low-Precision Location

  • Used to show nearby reports and send location-relevant safety alerts
  • Can be disabled anytime in app settings
  • Approximate coordinates only; not used for real-time tracking

High Risks Near Me Notifications

When you enable "High Risks Near Me" in Notification Preferences:

  • We collect approximate low-precision location data rounded to 2 decimal places
  • This ensures your exact location is never collected or stored
  • The recorded location points to a nearby area (neighboring street or further), not your precise position
  • Used solely to alert you about high-risk incidents in your general vicinity
  • Can be disabled anytime in notification settings

High-Precision Location

Powers two critical safety features:

SOS Alerts:

  • Sends precise location as Google Maps link to designated emergency contacts
  • Contact lists and messages stored locally on your device only (not on our servers)
  • Queued messages auto-deleted from device after 14 days
  • We do not access your contact list or store SOS data on our servers

GeoFence Alert Tracking:

  • Allows authorized GeoFence contacts to monitor your journey between designated locations
  • Only users you have added as GeoFence contacts can create GeoFence alerts for you
  • You must explicitly accept each GeoFence alert request before monitoring begins
  • Tracks departure from origin, journey progress, and arrival at destination
  • Full control to pause, stop, or delete alerts at any time
  • Cascading deletion: Deleting or blocking a GeoFence contact immediately deactivates all alerts and removes all associated location data

Battery Information for GeoFence:

  • Battery level percentage to alert contacts if your device runs low during journey
  • Battery state (charging, discharging, full, unplugged, not charging, unknown)
  • Used for safety alerts when battery drops below configured threshold

Journey Summary and Data Retention:

  • Upon journey completion, raw geolocation data is converted to a Journey Summary
  • Journey Summary includes: distance covered (km), duration, average/top speed, battery status during journey, departure/arrival times, and on-time status
  • Raw geolocation breadcrumbs are immediately deleted after summary creation
  • Journey Summaries are retained for 90 days for your reference
  • You can delete Journey Summaries at any time by deleting the GeoFence alert or contacting support
  • Cascading deletion: Deleting a GeoFence alert removes all associated data (summaries, logs, location data, monitored location) immediately through automatic cascading deletion

2.4 GeoFence Alert Requests

When a GeoFence contact creates an alert request for you, we collect:

  • Alert configuration (name, type, origin/destination locations)
  • Schedule details (expected departure/arrival times, grace period, timezone)
  • Recurrence settings (if applicable)
  • Notification preferences
  • Optional message from the requester

Privacy Protection:

  • Declined or expired requests: All location coordinates and location names are immediately nullified and removed from our systems for your privacy
  • Automatic cleanup: Pending requests that expire are automatically deleted with all associated data
  • No retention: We do not retain location information from requests you decline

2.5 Engagement and Activity Data

We automatically collect: Reports viewed, bookmarked, confirmed, or flagged; helpful votes and community feedback; gamification progress (points, badges, levels); report contests or disputes; notification interaction metrics.

2.6 Device and Technical Information

Device identifiers, type, and OS; device tokens for push notifications (no personal identifiers embedded); app version; IP address; error logs and crash reports.

2.7 Subscription and Payment Data

Through RevenueCat and Paystack: subscription tier/status, renewal dates, payment amounts, transaction IDs. We never store your full payment card details.

2.8 Security Audit Data

To protect your privacy and security, we maintain comprehensive audit logs:

Contact Actions:

  • When you delete, block, or unblock contacts, we log: timestamp, IP address, user agent, and affected data counts
  • This helps detect unauthorized account access and suspicious activity patterns
  • Logs include number of alerts deactivated, locations deleted, and requests cancelled

Location Access:

  • Every time someone views your GeoFence location, we log: who accessed it, when, from what IP address, and which alert
  • You can request your access logs to see who has viewed your location data
  • Helps detect potential misuse or unauthorized monitoring

Rate Limiting:

  • Location access is rate-limited to 100 requests per hour per user
  • Prevents mass scraping or abuse of location tracking features
  • Ensures system stability and protects against automated attacks

3. Automated Evaluation and Machine Learning

Gran360 uses automated machine learning systems to evaluate and assign risk levels to reports (low, medium, high), assess credibility, detect spam/fraud, and improve abuse detection.

Important Clarifications:

  • Risk assessments are not manually reviewed in routine operations
  • Human review occurs only for user-initiated reassessment requests, community flags, or anomaly detection
  • Users may contest automated decisions through the app
  • You have the right to request human review of any automated decision that significantly affects you

4. How We Use Your Information

Service Delivery:

  • Provide and maintain reporting and safety services
  • Enable posting, viewing, and engagement with community reports
  • Deliver SOS alerts and GeoFence alert tracking
  • Display relevant nearby reports with location-based filters
  • Process GeoFence alert requests and journey monitoring
  • Generate Journey Summaries from completed trips

Communications:

  • Send push notifications about incidents, alerts, and updates
  • Communicate about account security and support
  • Deliver promotional messages (opt-out available)
  • Alert GeoFence contacts about journey events (departure, arrival, delays, low battery)

Improvement and Analysis:

  • Improve credibility models and risk evaluation algorithms
  • Optimize alert targeting and notification delivery
  • Enhance app performance and user experience
  • Analyze anonymized usage data for service improvements

Safety and Compliance:

  • Detect, prevent, and respond to fraud and security threats
  • Comply with legal obligations and protect legal rights
  • Cooperate with law enforcement where legally required

5. Data Sharing and Disclosure

We do not sell your personal information to third parties.

We may share limited information only in these circumstances:

  • With Your Consent: When you accept GeoFence alert requests or authorize specific purposes
  • GeoFence Contacts: Location and battery data shared only with contacts you have explicitly authorized, and only during active alert periods. When you delete or block a GeoFence contact, all active monitoring is immediately terminated and all associated location data is automatically removed from our systems.
  • Public Reports: Approved reports are visible to all platform users
  • Service Providers: With Vultr, AWS, RevenueCat, Paystack, and analytics/ML providers (bound by strict confidentiality and data processing agreements)
  • Law Enforcement: When required by law, court order, or necessary for public safety. For missing persons/high-risk incidents, we may request proof of law enforcement reporting
  • Emergency Situations: SOS alerts sent to chosen contacts automatically, even if they don't have the app
  • Business Transfers: In event of merger, acquisition, or sale (with notification)

6. Data Storage, Security, and International Transfers

Hosting and Storage

Securely stored on Vultr and Amazon Web Services (AWS) servers, complying with industry-standard security practices and international data protection standards.

Security Measures

  • HTTPS encryption for all data transmission
  • Encryption of data at rest and in transit (AES-256)
  • Secure password hashing using modern algorithms (bcrypt)
  • Role-based access controls
  • Regular security audits and continuous monitoring
  • Automated threat detection systems
  • Data minimization practices

However, no digital service is entirely risk-free. Users are responsible for maintaining account security with strong passwords and secure devices.

International Data Transfers

Data may be transferred to countries outside Nigeria (e.g., United States, European Union). By using our Services, you consent to this transfer.

We ensure international data transfers comply with applicable laws including NDPR requirements for cross-border transfers and, where applicable, GDPR-approved mechanisms such as Standard Contractual Clauses (SCCs).

7. Data Retention

  • Account Data: Retained while account is open. After deletion, 30-day grace period (logging in cancels deletion). After 30 days, personal identifiers permanently removed.
  • Reports: Remain visible even after account deletion but attributed to "Deleted User." Soft-deleted reports retained for operational, audit, security, and legal purposes.
  • Temporary Data: SOS messages deleted from device after 14 days.
  • GeoFence Location Data: Raw geolocation breadcrumbs and MonitoredUserLocation entries are immediately deleted upon journey completion when the Journey Summary is created. Orphaned location data older than 7 days is automatically deleted as a safety measure.
  • Declined/Expired Requests: When you decline a GeoFence alert request or it expires, all location coordinates and names are immediately nullified to protect your privacy. The request record (without location data) may be retained briefly for operational purposes before automatic deletion.
  • Contact Deletion: When you delete or block a GeoFence contact, all active alerts are immediately deactivated and all associated location data (real-time positions, journey summaries, logs) is removed through cascading deletion.
  • Audit Logs: Contact action logs (delete, block, unblock) and location access logs are retained for 180 days for security monitoring and dispute resolution, then automatically deleted.
  • Journey Summaries: Retained for 90 days, then automatically deleted. You can delete earlier via app or by contacting support.
  • GeoFence Alert Requests: Pending requests expire after configured period. Expired/declined requests automatically removed.
  • Inactive GeoFence Alerts: Alerts inactive for more than 7 days, along with all associated data, are automatically deleted.
  • Alert Logs: GeoFence alert event logs retained for 90 days for your reference, then deleted.
  • Session Data: Expired sessions deleted after 7 days.
  • Logs and Analytics: May be retained longer for security, compliance, and improvement, in anonymized form where possible.

8. Your Rights and Choices

Under NDPR, GDPR (where applicable), and other privacy laws, you have the following rights:

Access and Portability

  • Request copy of your data (within 14 days)
  • Export data in common machine-readable format
  • View your Journey Summaries in-app

Correction and Updates

  • Update profile information
  • Edit or update reports
  • Modify GeoFence alert settings

Deletion

  • Delete individual reports
  • Delete entire account (30-day grace)
  • Delete GeoFence alerts and all associated data
  • Request deletion of Journey Summaries
  • Request deletion of specific data

Control Over Features

  • Accept or decline GeoFence alert requests
  • Pause/stop GeoFence tracking anytime
  • Disable low-precision location
  • Manage GeoFence contacts
  • Manage SOS contacts

Communication Preferences

  • Manage notification settings
  • Enable/disable High Risks Near Me alerts
  • Opt out of promotions
  • Control alert frequency

Contest Decisions

  • Challenge risk assessments
  • Request human review of automated decisions
  • Object to processing based on legitimate interests

Transparency and Audit

  • Request your location access logs
  • View who has accessed your GeoFence location data
  • See audit trail of contact management actions
  • Report suspicious access patterns

To exercise your rights, contact us at support@rego360.com or use in-app settings. We will respond within 14 business days (or 30 days for GDPR requests).

9. Missing Persons Reports: Special Guidelines

When reporting a missing person, you confirm that:

  • At least 24 hours have passed since disappearance (unless immediate danger)
  • Law enforcement has been notified and you have permission to share publicly
  • The missing person is a minor, vulnerable, or potentially in danger
  • You will not interfere with ongoing investigations

We may request proof of law enforcement involvement. You are solely responsible for ensuring proper authorization and accuracy.

10. User Responsibility and Content Liability

Gran360 does not verify the accuracy of user-submitted reports. Users are solely responsible for truthfulness, legality, and safety of their posts. We encourage independent verification.

Users may flag inappropriate reports, mark as helpful/confirmed, or contest through dispute mechanism.

REGO360 Company Limited is not liable for:

  • False, defamatory, or misleading user reports
  • Actions taken based on unverified community reports
  • Harm from reliance on user-generated content
  • Interference with investigations due to unauthorized disclosures
  • Technical failures in GeoFence tracking or SOS alerts

11. Third-Party Services and Emergency Helplines

Integrated Services

Gran360 integrates with Google Maps, RevenueCat, Paystack, Apple, and Google authentication. Each operates under their own privacy policies. We encourage you to review their policies.

Emergency Helplines

The app provides public emergency helplines (fire, health, gender-based violence, disaster response).

Disclaimer: We do not verify or guarantee accuracy of these numbers and are not liable for disconnected numbers, response failures, or delays. Confirm helplines with local authorities.

12. Advertising, Promotions, and Gamification

  • Advertising: May display third-party ads. While we avoid harmful content, we don't independently verify all advertisers. Users can report inappropriate ads.
  • Gamification: Points, badges, and levels have no real-world monetary value. Gran360 may adjust, pause, or remove rewards at any time.
  • Subscription Pricing: May change with reasonable notice. Current subscribers notified before renewal at new price.

Quizzes and Leaderboard

Gran360 offers safety quizzes designed strictly for knowledge and safety awareness purposes.

Public Leaderboard Information:

  • The quiz leaderboard is publicly visible to all users
  • Leaderboard displays: score, number of attempts, and average quiz completion time
  • Personal details shown include: display name, email address, and profile picture
  • If you do not wish to appear publicly on the leaderboard, contact support@rego360.com to request removal
  • We reserve the right to remove users from the leaderboard for internal reasons without notice

Prize Disclaimer:

  • Leaderboard placement does not automatically translate to prizes
  • Quizzes are strictly for knowledge and safety education
  • We may, at our sole discretion, present tokens in physical or virtual form to top placements
  • Any announced prizes may be retracted at our discretion without prior notice
  • No user is entitled to prizes based solely on leaderboard position

13. Children's Privacy

Gran360 is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected data from a child under 13, contact us immediately at support@rego360.com for prompt removal.

Minors aged 13-17 may use the app only with verified parental or guardian consent. Parents/guardians can use GeoFence features to monitor their children's safety with the child's knowledge and consent.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via in-app notification or email at least 30 days before taking effect. The updated policy will always display a revised "Last Updated" date. Continued use after changes constitutes acceptance.

15. Legal Basis for Processing

For users in jurisdictions with data protection laws (e.g., GDPR, NDPR, CCPA), we process your data based on:

  • Contractual necessity: To provide our Services as agreed in our Terms of Service
  • Legitimate interests: In improving, securing, and analyzing our platform (balanced against your rights)
  • Legal compliance: With applicable laws and regulations
  • Consent: Where explicitly obtained for specific activities (e.g., marketing, GeoFence monitoring)
  • Vital interests: To protect life and safety in emergencies

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

16. Data Protection Officer

In accordance with NDPR requirements, we have designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance. You can contact our DPO at dpo@rego360.com.

17. Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with:

  • Nigeria: National Information Technology Development Agency (NITDA)
  • EU/EEA: Your local Data Protection Authority
  • Other jurisdictions: The relevant data protection authority in your location

We encourage you to contact us first so we can address your concerns directly.

18. Contact Us

For questions, data requests, complaints, or to exercise your privacy rights, please contact:

Gran360 Privacy Team

REGO360 Company Limited

📧 Email: support@rego360.com

📧 DPO: dpo@rego360.com

🌐 Website: https://www.getgran.com

🏢 Address: Lagos, Nigeria

Response Time: We will respond to all privacy inquiries within 14 business days (30 days for GDPR requests).

19. Governing Law

This Privacy Policy is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Regulation (NDPR). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of Nigerian courts, without prejudice to your rights under GDPR or other applicable data protection laws in your jurisdiction.

By using Gran360, you acknowledge that you have read, understood, and agree to this Privacy Policy.

REGO360 Company Limited © 2025. All rights reserved.

Last Updated: November 27, 2025