Privacy Policy

Last updated: April 2026

1. Introduction

The Greater Lombardy East Residents Association ("GLERA", "we", "us", "our") is committed to protecting the personal information of our community members. This Privacy Policy explains what personal information we collect, why we collect it, how long we retain it, and your rights under the Protection of Personal Information Act 4 of 2013 ("POPIA").

This policy applies to the GLERA Reporter App, the Booming Fundraiser App, the GLERA Community Policing Forum page, and all related services accessible at glera.co.za.

2. What Personal Information We Collect

We collect the following categories of personal information:

Category | Examples | Purpose
Identity | Full name | Account registration and verification
Contact | Email address, phone number | Account communication, security enquiries
Address | Physical home address | Residency verification, payment reference
Verification document | Municipal account statement photo | Proof of residency verification
Location | GPS coordinates | Pinpointing reported infrastructure faults
Financial | Payment amounts, PayFast transaction IDs | Processing and recording fundraising contributions
Date of birth | Day and month of birth | Community birthday celebration emails (opt-in only)

3. Lawful Basis for Processing (POPIA s11)

We process your personal information on the following lawful grounds:

  • Contractual necessity — processing your name, email, address, and verification document is necessary to provide you with access to the GLERA Reporter App and Booming Fundraiser App.
  • Legitimate interest — GPS coordinates and report photos are processed to fulfil the core purpose of the Reporter App: identifying and escalating infrastructure faults to the relevant authorities.
  • Consent — birthday data is collected and processed only with your explicit opt-in consent. You may withdraw consent at any time via the unsubscribe link in any birthday email.
  • Legal obligation — financial transaction records are retained to comply with applicable South African financial record-keeping requirements.

4. How Long We Retain Your Information

Data Category | Retention Period
Account profile (name, email, address) | Until account deletion is requested
Verification documents | Until account deletion is requested
Infrastructure reports and photos | Until account deletion is requested
Financial contribution records | 5 years (South African financial record-keeping requirements)
Birthday data | Until unsubscribed or account deleted

5. How We Share Your Information

We do not sell your personal information. We share it only with the following service providers who process it on our behalf:

  • Supabase — database and file storage. Your data is stored on Supabase infrastructure located in EU West (Ireland). Ireland is subject to the EU General Data Protection Regulation (GDPR), which the South African Information Regulator recognises as providing adequate protection for cross-border transfers under POPIA section 72. Supabase is SOC 2 Type II certified. Their Data Processing Agreement is available at supabase.com/privacy.
  • PayFast — payment processing. Card details are handled directly by PayFast and are never stored on GLERA systems. PayFast is PCI-DSS compliant.
  • Resend — transactional email delivery (verification notifications, birthday emails, security enquiry forwarding).
  • Vercel — application hosting. Function execution logs may contain non-sensitive operational data.

We may also share information where required by South African law or a court order.

6. Your Rights Under POPIA

As a data subject under POPIA, you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request that inaccurate or incomplete information be corrected.
  • Deletion (erasure) — request that your personal information be deleted. See Section 7 below.
  • Objection — object to the processing of your personal information on grounds of legitimate interest.
  • Withdraw consent — withdraw consent for processing based on consent (e.g. birthday emails) at any time.
  • Lodge a complaint — lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

To exercise any of these rights, contact us at secretary@glera.co.za.

7. How to Request Deletion of Your Data

You can permanently delete your account and all associated personal information directly from the platform. Once deleted, your data cannot be recovered.

To delete your account, log in and visit Dashboard → Delete Account.

Note: Financial contribution records may be retained for up to 5 years as required by South African law, even after account deletion.

8. Cookies and Local Storage

The GLERA platform uses a service worker for Progressive Web App (PWA) functionality, which caches application assets locally on your device to enable offline access. We do not use tracking cookies or third-party advertising cookies.

Authentication sessions are managed via secure, HttpOnly cookies set by Supabase Auth. These are strictly necessary for the platform to function and cannot be disabled.

9. Data Security

We protect your personal information through the following measures:

  • Row Level Security (RLS) policies on all database tables — users can only access their own data.
  • Verification documents stored in a private, access-controlled storage bucket.
  • All data transmitted over HTTPS (TLS).
  • Passwords are never stored — authentication is handled by Supabase Auth.
  • HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options) applied to all responses.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of our services after changes constitutes acceptance of the updated policy.

11. Contact Us

For any privacy-related questions, requests, or complaints, please contact us at secretary@glera.co.za.