Privacy Policy
Last updated: April 2026
1. Who we are
Grease is operated by the entity registered as the data controller for staff accounts on the platform. Contact: privacy@grease.ng.
2. Two distinct relationships
Grease holds two categories of personal data, treated under different legal bases:
- Workshop staff data (you signed up, you log in): name, email, phone, role, password hash, last-login timestamp, push-notification token. We are the data controller. The legal basis is performance of the contract you accepted at signup.
- Workshop customer data (the people whose vehicles your workshop services): name, phone, vehicle plate, service history, photos uploaded during inspections. Your workshop is the controller; we are a processor acting on your instructions. The legal basis is your workshop's: you must have your own legal basis for processing this data.
3. What we collect, by category
- Account & authentication: staff name, email, password hash, role, last-login timestamp.
- Workshop profile: business name, branding (logo, accent colour), bank details if entered for invoicing, contact email/phone, country.
- Operational records: jobs, customers, vehicles, inventory items, inspection checklists, invoices, photos.
- Billing: Paystack/Stripe customer + subscription identifiers. Card numbers are stored by the payment provider, not by us.
- Telemetry: error reports (via Sentry, scoped to workshop ID + user ID), API request logs, IP addresses (rolling 30-day retention).
4. How we use it
- To deliver the platform — render your dashboard, send WhatsApp job-status messages, generate invoice PDFs, etc.
- To bill and collect payments via Paystack and Stripe.
- To diagnose bugs and crashes (Sentry).
- To send transactional email (password resets, billing receipts, security alerts) via our SMTP provider.
- To detect and prevent abuse (rate limiting, suspension of fraudulent accounts).
We do not sell personal data. We do not use it to train any AI/ML models. We do not run targeted advertising.
5. Sub-processors
To run the platform we share data with these vendors. Each is contractually bound to comparable confidentiality and security obligations:
- MongoDB Atlas — primary database (region: Frankfurt, EU; encryption at rest).
- Cloudflare R2 — object storage for uploaded photos and logos.
- Hetzner Cloud — application hosting.
- Vercel — portal + super-admin hosting.
- Paystack, Stripe — payment processing.
- Meta WhatsApp Business — customer notification messages.
- Sentry — error tracking.
- Resend / SES / Postmark — transactional email.
6. Retention
- While your Workshop is active: indefinitely.
- After Workshop closure: 30 days, then permanent deletion (except where law requires longer retention).
- Failed-payment + audit logs: 12 months.
- Telemetry / request logs: 30 days rolling.
7. International transfers
Some sub-processors operate outside Nigeria (notably Vercel and Stripe in the United States, and MongoDB Atlas in the EU). Where personal data is transferred outside Nigeria we rely on the recipient's standard contractual safeguards and the NDPR's adequacy framework. By using Grease you consent to these transfers.
8. Your rights
If you are a workshop staff member, you may:
- Request a copy of your personal data.
- Correct inaccurate data via your profile, or by emailing us.
- Delete your account from the workshop's user-management screen, after which we delete your data within 30 days.
- Object to processing or withdraw consent — in which case we may no longer be able to provide the service to you.
If you are a workshop's customer, please direct rights requests to the workshop that holds your record. We will assist them in fulfilling the request.
9. Security
Production passwords are hashed with bcrypt (work factor 12). API tokens are JWTs signed with separate secrets for tenant vs platform sessions. Data in transit is encrypted via TLS. Production access is restricted to named operators with mandatory password rotation. Backups are encrypted at rest and tested via dry-run restore quarterly.
If we suffer a breach affecting personal data we will notify affected workshops within 72 hours of confirming the breach.
10. Children
Grease is a B2B tool for businesses. We do not knowingly collect personal data from children under 13. If you believe a child's data is in our system, contact privacy@grease.ng.
11. Changes
We may update this Policy. Material changes are notified by email at least 14 days before they take effect.
12. Contact
Privacy questions, data requests, or breach reports: privacy@grease.ng.