Privacy Policy
Last updated: 27 April 2026
This policy is written to comply with the Protection of Personal Information Act, 2013 (POPIA), the South African data-protection law.
1. Who we are
Garage Manager ("the Service") is operated by Tunelo (Pty) Ltd (registration number 2026/298503/07), a private company incorporated in South Africa. We are the responsible party for personal information collected directly from our subscribers (the businesses that sign up for Garage Manager).
Our subscribers (auto shops, garages, and service businesses) act as the responsible parties for the personal information of their own end-customers (vehicle owners) that they enter into the Service. We act as their operator for that data.
2. Information we collect
From subscribers (the auto shops):
- Business name, slug, address, phone, email, registration number, VAT number
- Staff user names, email addresses, hashed passwords (we never store plaintext)
- Payment information (entered directly on Paystack's or Stitch's hosted checkout; we never see or store card numbers; we receive only a transaction reference, amount, and status)
- Login activity, IP addresses, session timestamps
From end-customers (vehicle owners), collected by subscribers and stored on our infrastructure:
- Customer name, contact email, phone, optional WhatsApp number
- Vehicle information (make, model, year, registration plate)
- Invoice and service-history records
3. Why we process this information
- To provide the Service the subscriber signed up for (contractual necessity)
- To send transactional notifications (booking confirmations, invoice reminders)
- To bill subscribers for paid tiers (legal obligation under tax law)
- To detect and prevent abuse, fraud, and security incidents (legitimate interest)
- To respond to support requests (consent and legitimate interest)
4. Who we share information with
We share information only as needed to operate the Service. Our current sub-processors:
- Google Cloud (Cloud Run, Cloud SQL): hosts the application and database (region: africa-south1, Johannesburg)
- Vercel: DNS hosting and edge proxy
- Resend: transactional email delivery
- Paystack (Paystack Payments South Africa): processes invoice and subscription payments on hosted checkout pages. Card details are entered directly on Paystack's servers and never reach ours. We receive only a transaction reference, amount, status, payment method, and the email address used. See Paystack's privacy notice.
- Stitch (Stitch Money (Pty) Ltd, South Africa): alternate payment processor for invoice payments, currently being onboarded. Same scope as Paystack: hosted checkout, no card data on our servers, only transaction metadata returned. See Stitch's privacy notice.
Each sub-processor is contractually bound to handle data securely and only for the specified purpose. We do not sell or rent personal information to third parties.
5. Where data is stored
Your personal information is stored in Google Cloud's africa-south1 region (Johannesburg, South Africa). Backups are retained for 7 days, also in africa-south1.
Paystack and Stitch are South African payment processors and store transaction data locally. Some other sub-processors (Vercel, Resend) operate globally and may process data in other jurisdictions. Where this happens, we rely on standard contractual clauses and the lawful-transfer mechanisms required by POPIA section 72.
6. How long we keep it
- Active accounts: for the duration of the subscription
- After termination: data is exportable for 30 days, then deleted or anonymised
- Billing records: 5 years (SA tax law minimum)
- Server logs: 90 days
7. Your rights under POPIA
You have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate or incomplete information
- Request deletion of personal information that is no longer necessary
- Object to processing for direct marketing purposes
- Withdraw consent where processing is based on consent
- Lodge a complaint with the Information Regulator (South Africa)
To exercise any of these rights, contact our information officer at privacy@garagemanager.co.za. We respond within 30 days.
8. Information Regulator
If you are unsatisfied with our handling of your personal information, you may lodge a complaint with the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Email: complaints.IR@justice.gov.za
9. Security
We use industry-standard security measures including encrypted connections (TLS 1.2+), encrypted database storage, hashed passwords (bcrypt), and role-based access control. We never store payment card numbers. In the event of a security breach affecting your personal information, we will notify you and the Information Regulator as required by POPIA section 22.
10. Cookies
We use only essential cookies needed for authentication (NextAuth session cookies). We do not use third-party advertising or tracking cookies on the dashboard. Marketing pages may use anonymous analytics in future; this policy will be updated when that happens, and we will provide a consent banner where required.
11. Information officer
The information officer for Tunelo (Pty) Ltd can be contacted at privacy@garagemanager.co.za.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email or in-app notice. The "Last updated" date at the top reflects the most recent revision.
13. Contact
General privacy questions can be sent to support@garagemanager.co.za. Formal POPIA requests should go to privacy@garagemanager.co.za.