Grease Back home

Privacy Policy

Effective 1 May 2026

This Privacy Policy explains how Grease ("we", "us") handles personal information when you use the Grease portal at app.grease.ng, the Grease mobile app on Android and iOS, and the marketing website at grease.ng (together, the "Service").

In Grease, the workshop is the controller of the records it creates about its own customers and vehicles. Grease is a processor for that workshop data — we hold it on the workshop's behalf and only use it to operate the Service. For data we collect directly from workshop staff (signup details, login activity, support tickets), Grease is the controller.

1. Information we collect

From workshop staff (admins, supervisors, technicians, store officers)

  • Account data — full name, work email, phone number (Nigerian or international, in E.164 format), hashed password, role.
  • Workshop data — workshop name, slug, address, business phone, country, currency, plan / billing mode.
  • Login activity — IP address and timestamp of each sign-in, device type for the mobile app push token.
  • Audit log — actions you take in the portal (creating jobs, editing inventory, issuing invoices) recorded against your user ID for security and dispute resolution.

From the workshop's customers (entered by workshop staff, not by us)

  • Customer record — name, phone number, optional email, address.
  • Vehicle record — make, model, plate number, VIN if provided, mileage, service history.
  • Job records — fault description, parts used, labour, approval state, photos uploaded by technicians during inspection.
  • Invoice + payment records — amounts, partial payments, receipts.

From your device when you use the mobile app

  • Camera + Photos — only when you tap to attach an inspection photo. We do not access your camera roll silently.
  • Push notification token — to send job-status alerts to the device. You can disable this in OS settings.
  • Crash reports + diagnostics — anonymised stack traces sent to Sentry to help us fix bugs.

2. How we use the information

  • To operate the Service: authenticate you, render your workshop's data, dispatch WhatsApp / push notifications you have configured.
  • To provide customer support and respond to your questions.
  • To detect abuse, prevent fraud, and enforce our Terms.
  • To improve product reliability — diagnostic and crash data are aggregated and not used for advertising.
  • To send transactional emails (password resets, invoices, receipts). We do not send marketing email unless you opt in.

We do not sell your data. We do not use customer or vehicle records to train AI models.

3. Sub-processors we share data with

To operate the Service we rely on the following third-party processors. Each is bound by contract to use the data only for the purpose for which it was shared.

  • Hetzner (Germany) — hosts the Grease application server and primary database; encrypted at rest and in transit.
  • Cloudflare R2 — stores inspection photos and PDF invoices, served through cdn.grease.ng.
  • Resend — sends transactional email (password resets, receipts).
  • Meta WhatsApp Business — delivers customer-facing job-status messages (only when the workshop enables it).
  • Sentry — receives anonymised crash reports and performance traces.
  • Paystack / Stripe — processes subscription payments. We never see or store your full card number.
  • Vercel — hosts the marketing website and the portal frontend.

4. International data transfers

Some sub-processors operate outside Nigeria (United States, European Union, United Kingdom). Where data leaves Nigeria, it does so under Standard Contractual Clauses or equivalent safeguards that match Nigerian Data Protection Act requirements.

5. How long we keep your data

  • Active workshop data — for as long as your subscription is active.
  • Suspended / cancelled accounts — kept for 30 days, then permanently deleted unless you ask for an export sooner.
  • Audit logs — kept for 12 months.
  • Crash reports — kept for 90 days.
  • Transactional email logs — kept for 30 days for delivery debugging.

6. Your rights

Under the Nigeria Data Protection Act 2023 and analogous laws (GDPR, CCPA), you have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct data that is inaccurate or out of date.
  • Delete your account and the associated data — see /delete-account.
  • Object to or restrict processing in specific circumstances.
  • Receive your data in a portable format (JSON or CSV).

Exercise any of these by emailing hello@grease.ng from the address on file. We respond within 30 days.

7. Security

  • Passwords are stored as bcrypt hashes — we cannot read them.
  • All traffic to the Service is encrypted in transit using HTTPS / TLS 1.2 or higher.
  • Database backups are encrypted and stored in a separate region.
  • Access to production systems is restricted to a small set of authenticated engineers, with all administrative actions audit-logged.

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you within 72 hours of confirmation, in line with the Nigeria Data Protection Act.

8. Children

The Service is for workshop staff aged 18 or above. We do not knowingly collect personal information from children under 13. If a parent or guardian believes a child has provided data to us, please contact us and we will delete it.

9. Changes to this Policy

We may update this Policy as the Service evolves. Material changes will be notified at least 14 days in advance via email and an in-app banner. The "Effective" date at the top of this page always reflects the latest revision.

10. Contact

For privacy questions, data requests, or to file a complaint, write to hello@grease.ng. We aim to reply within 5 business days.