OnPoint

Privacy Policy

How we collect, use, and protect your information

Effective Date: January 21, 2026 · Last Updated: January 23, 2026

Contents

  • 1. Introduction
  • 2. Scope
  • 3. Information We Collect
  • 4. How We Use Your Info
  • 5. Data Sharing
  • 6. Data Retention
  • 7. Your Rights
  • 8. Data Security
  • 9. Children's Privacy
  • 10. International Transfers
  • 11. Third-Party Links
  • 12. Changes
  • 13. Limitation of Liability
  • 14. Indemnification
  • 15. Dispute Resolution
  • 18. Contact Us

1. Introduction

This Privacy Policy describes how OnPoint App ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the OnPoint mobile application ("App") and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use our Services.

Company Information

Company Name: OnPoint App
Contact Email: contact@onpointapp.net
Country of Registration: South Africa

2. Scope and Applicability

This Privacy Policy applies to all users of the OnPoint App worldwide, including users in:

  • South Africa (governed by POPIA)
  • European Union and European Economic Area (governed by GDPR)
  • United Kingdom (governed by UK GDPR)
  • Australia (governed by the Privacy Act 1988)
  • United States, including California (governed by CCPA/CPRA)
  • All other jurisdictions where the App is available

3. Information We Collect

3.1 Information You Provide Directly

Category | Data Elements | Purpose
Account Information | Name, email address, phone number | Account creation, authentication, communication
Business Information | Company name, business name, registration number, VAT number, business address, business email, business phone | Invoice generation, job card creation
Job Data | Client names, job descriptions, notes, materials lists | Core app functionality
User-Generated Content | Photos, signatures, receipts, notes | Job documentation and record-keeping
Payment Information | Subscription status | Subscription management (processed by RevenueCat)
Feedback | Messages, suggestions, bug reports | Service improvement

3.2 Information Collected Automatically

Category | Data Elements | Purpose
Device Information | Device type, operating system, unique device identifiers | App functionality, push notifications
Usage Data | Features accessed, interaction patterns, session duration | Service improvement, analytics
Crash Data | App state, error logs, stack traces at time of crash | Bug fixing, stability improvement
Authentication Tokens | Firebase tokens, FCM tokens | Secure authentication, push notifications

3.3 Information We Do NOT Collect

  • Location Data: We do not collect GPS coordinates, location history, or track your location in any way
  • Biometric Data: We do not process photos or signatures as biometric identifiers
  • Health Information: We do not collect any health-related data
  • Financial Account Details: Bank account numbers, credit card numbers, and payment credentials are NOT stored on our servers (payment processing is handled entirely by third-party providers)

4. How We Use Your Information

Purpose | Legal Basis (GDPR/UK GDPR) | Legal Basis (POPIA)
Providing and maintaining the Services | Contract performance | Contract performance
User authentication and account security | Contract performance, Legitimate interests | Contract performance
Sending service-related notifications | Contract performance | Contract performance
Processing subscriptions and payments | Contract performance | Contract performance
Responding to support requests | Contract performance, Legitimate interests | Contract performance
Improving and developing new features | Legitimate interests | Legitimate interests
Analyzing usage patterns and crash reports | Legitimate interests | Legitimate interests
Ensuring security and preventing fraud | Legitimate interests, Legal obligation | Legitimate interests, Legal obligation
Complying with legal obligations | Legal obligation | Legal obligation

5. Data Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We do not sell, rent, lease, or trade your personal information to any third party for monetary or other valuable consideration.

5.2 Third-Party Service Providers

We share data with the following categories of service providers who process data on our behalf:

Provider | Purpose | Data Shared | Privacy Policy
Google Firebase | Authentication, database, cloud storage, cloud functions | Account data, job data, user content | Firebase Privacy
Google Analytics / Firebase Analytics | Usage analytics | Anonymized usage data, device info | Google Privacy
Firebase Crashlytics | Crash reporting | Device info, crash logs | Crashlytics Data
Firebase Cloud Messaging | Push notifications | Device tokens | FCM Privacy
Google Cloud Platform | Infrastructure hosting | All data (encrypted) | Google Cloud Privacy
RevenueCat | Subscription management | User ID, purchase history | RevenueCat Privacy
Google Speech-to-Text | Voice dictation feature (Android) | Audio recordings (processed, not stored) | Google Privacy
Apple Speech Recognition | Voice dictation feature (iOS) | Audio recordings (processed, not stored) | Apple Privacy
Apple Text-to-Speech | Read-aloud feature (iOS) | Text content (processed, not stored) | Apple Privacy
Google Places API | Address autocomplete | Search queries (addresses you type) | Google Privacy

5.3 How We Process Your Data (Technical Details)

To help you understand exactly how your data is handled, here is a detailed explanation of our data processing infrastructure:

5.3.1 Firebase Authentication (How You Log In)

When you create an account or log in, we use Google Firebase Authentication:

Authentication Method | How It Works | Data Processed
Email & Password | Your email and password are sent to Firebase Auth servers. Passwords are hashed (one-way encrypted) and never stored in plain text. | Email, hashed password
Phone Number | Your phone number receives an SMS verification code from Firebase. The code is verified server-side. | Phone number, verification code
Google Sign-In | You authenticate directly with Google. We receive only your email, name, and a unique ID — never your Google password. | Email, name, Google user ID

Firebase Auth stores: Your email/phone, authentication tokens, last sign-in time, and account creation date. This data is stored on Google's servers (primarily in the United States).

5.3.2 Firestore Database (How Your Data Is Stored)

All your app data (jobs, time entries, notes, etc.) is stored in Google Cloud Firestore, a NoSQL document database:

Data Type | How It's Stored | Who Can Access
Your Profile | Stored as a document in the users collection, identified by your unique user ID | Only you (and your linked owner/employees)
Jobs | Stored in the jobs collection with subcollections for photos, notes, receipts, materials | Only the job owner and assigned employees
Time Entries | Stored in the timeEntries collection, linked to your employee ID | Only you and your linked owner
Team Relationships | Stored in joinRequests, invitations, and teamRelationships collections | Only the owner and relevant employee

Security Rules: We implement strict Firestore Security Rules that enforce access controls at the database level. These rules ensure that:

  • You can only read/write your own data
  • Employees can only access jobs they're assigned to
  • Owners can only access data for their own team

Physical Location: Firestore data is stored on Google Cloud servers. For most users, data is stored in the United States (us-central1) region, with automatic replication for reliability.

5.3.3 Cloud Storage (How Photos & Files Are Stored)

Photos, receipts, signatures, and other files are stored in Firebase Cloud Storage:

File Type | Storage Path | Retention
Job Photos | /jobs/{jobId}/photos/{photoId} | Until deleted by user or account deletion
Receipts | /jobs/{jobId}/receipts/{receiptId} | Until deleted by user or account deletion
Signatures | /jobs/{jobId}/signatures/{signatureId} | Until deleted by user or account deletion
Profile Photos | /users/{userId}/profile/{filename} | Until deleted by user or account deletion

Encryption: All files are encrypted at rest using AES-256 encryption. Files are encrypted in transit using TLS 1.2+.

Access Control: Storage Security Rules ensure only authorized users (job owner or assigned employees) can read or write files for a specific job.

5.3.4 Cloud Functions (Server-Side Processing)

Some operations are processed by Firebase Cloud Functions (serverless code running on Google Cloud):

Function | What It Does | Data Processed
Push Notifications | Sends notifications when events occur (new note, photo uploaded, etc.) | Notification content, recipient device tokens
Account Deletion | Permanently deletes all user data across Firestore and Storage | User ID, all associated data
Photo Sync | Processes uploaded photos and creates database entries | Photo metadata, job ID, uploader ID
Cloud Functions run in Google's data centers and have the same security and encryption standards as other Firebase services.

5.3.5 Data Flow Summary

Here is how your data flows through our system:

┌─────────────────┐    TLS Encrypted    ┌─────────────────────┐
│   Your Device   │ ◄─────────────────► │  Firebase Services  │
│      (App)      │                     │   (Google Cloud)    │
└─────────────────┘                     └─────────────────────┘
                                                   │
                     ┌─────────────────────────────┼─────────────────────────────┐
                     │                             │                             │
                     ▼                             ▼                             ▼
            ┌─────────────────┐           ┌─────────────────┐           ┌─────────────────┐
            │  Firebase Auth  │           │  Firestore DB   │           │  Cloud Storage  │
            │ (Login/Signup)  │           │   (App Data)    │           │ (Photos/Files)  │
            │                 │           │                 │           │                 │
            │ • Email/Pass    │           │ • User profiles │           │ • Job photos    │
            │ • Phone auth    │           │ • Jobs          │           │ • Receipts      │
            │ • Google auth   │           │ • Time entries  │           │ • Signatures    │
            └─────────────────┘           │ • Notes         │           │ • Documents     │
                                          │ • Receipts      │           └─────────────────┘
                                          │ • Materials     │
                                          └─────────────────┘

All connections are encrypted. Data at rest is encrypted. Access is controlled by security rules verified on every request.

5.4 Other Disclosures

We may disclose your information:

  • With your consent: When you explicitly authorize disclosure
  • Team members: Data is shared with team members (owners/employees) you explicitly connect with through the App
  • Legal requirements: When required by law, court order, or governmental authority
  • Protection of rights: To protect our rights, property, safety, or the rights of others
  • Business transfers: In connection with a merger, acquisition, or sale of assets (you will be notified)

6. Data Retention

Data Type | Retention Period
Active account data | Retained while your account is active
Deleted account data | Permanently deleted immediately upon account deletion request
Crash logs | 90 days
Analytics data | Anonymized and aggregated; raw data deleted after 14 months

We do not maintain backup copies of deleted user data. When you delete your account, all associated data is permanently and irreversibly removed from our systems.

7. Your Rights

7.1 Rights for All Users

Right | Description | How to Exercise
Access | Request a copy of your personal data | In-app settings or email us
Correction | Request correction of inaccurate data | Edit in-app or email us
Deletion | Request deletion of your data | In-app account deletion or email us
Data Portability | Receive your data in a portable format | Email us
Withdraw Consent | Withdraw previously given consent | In-app settings or email us

7.2 Additional Rights by Region

European Union / UK (GDPR/UK GDPR):

  • Right to restrict processing
  • Right to object to processing based on legitimate interests
  • Right to lodge a complaint with a supervisory authority
  • Right not to be subject to automated decision-making

South Africa (POPIA):

  • Right to request correction or deletion
  • Right to object to processing for direct marketing
  • Right to submit a complaint to the Information Regulator
  • Right to institute civil proceedings for breach

California, USA (CCPA/CPRA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale (we do not sell data)
  • Right to non-discrimination for exercising rights
  • Right to correct inaccurate information
  • Right to limit use of sensitive personal information

Australia (Privacy Act):

  • Right to access personal information
  • Right to request correction
  • Right to complain to the OAIC

7.3 Exercising Your Rights

To exercise any of your rights, contact us at: contact@onpointapp.net

We will respond to your request within:

  • 30 days (GDPR, UK GDPR, POPIA)
  • 45 days (CCPA)
  • 30 days (Australian Privacy Act)

8. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
  • Encryption at Rest: Data stored on Firebase servers is encrypted at rest
  • Authentication: Secure authentication via Firebase Authentication with support for multi-factor authentication
  • Access Controls: Strict access controls limit who can access your data
  • Security Rules: Comprehensive Firestore and Storage security rules prevent unauthorized data access

IMPORTANT DISCLAIMER: While we implement reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept this inherent risk when using our Services.

8.1 Data Breach Notification

In the event of a personal data breach that affects your information, we will:

Detection & Response:

  • Promptly investigate and contain the breach
  • Assess the nature, scope, and potential impact
  • Take immediate steps to mitigate any harm

Notification to Authorities:

We will notify relevant supervisory authorities as required by law:

  • GDPR (EU/UK): Within 72 hours of becoming aware of the breach
  • POPIA (South Africa): As soon as reasonably possible
  • Australian Privacy Act: Within 30 days of becoming aware (or sooner if assessed earlier)
  • CCPA (California): Without unreasonable delay

Notification to You:

If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly via:

  • Email to the address associated with your account
  • In-app notification

Our notification will include:

  • A description of the breach in clear, plain language
  • The types of personal data affected
  • The likely consequences of the breach
  • The measures we have taken or propose to take
  • Recommendations for steps you can take to protect yourself
  • Contact information for further questions

No Notification Required When:

  • The data was encrypted or otherwise unintelligible to unauthorized parties
  • We have taken measures that ensure the high risk is no longer likely to materialize
  • Notification would involve disproportionate effort (in which case we will make a public communication)

9. Children's Privacy

The OnPoint App is a business management application and is not intended for use by children.

We do not knowingly collect personal information from children under the age of:

  • 16 years in the European Union and United Kingdom
  • 13 years in the United States
  • 18 years in South Africa (without parental consent under POPIA)

If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information immediately. If you believe a child has provided us with personal information, please contact us at contact@onpointapp.net.

10. International Data Transfers

Your data may be transferred to, stored, and processed in countries other than your country of residence, including but not limited to the United States (where Google/Firebase servers are located).

For EU/UK Users: When we transfer your data outside the EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The recipient's participation in recognized data protection frameworks

For South African Users: Cross-border transfers are conducted in compliance with Section 72 of POPIA, ensuring adequate protection of your personal information.

By using our Services, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.

11. Third-Party Links and Services

Our App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

  • Notification: We will notify you via in-app notification
  • Material Changes: For material changes that significantly affect your rights or how we use your data, we will require your acknowledgment before you can continue using the Services
  • Effective Date: The updated policy will be effective as of the "Last Updated" date shown at the top

Your continued use of the Services after any changes constitutes acceptance of the updated Privacy Policy.

13. Limitation of Liability

13.1 Disclaimer of Warranties

THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, OR ACCURACY.

We do not warrant that:

  • The Services will be uninterrupted, secure, or error-free
  • Any defects will be corrected
  • The Services will meet your specific requirements
  • Any data you store will be accurate, reliable, or complete

13.2 Limitation of Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ONPOINT APP, ITS DIRECTORS, EMPLOYEES, PARTNERS, AGENTS, SUPPLIERS, OR AFFILIATES BE LIABLE FOR:

  • Any indirect, incidental, special, consequential, or punitive damages
  • Loss of profits, revenue, data, business opportunities, or goodwill
  • Cost of procurement of substitute services
  • Any damages arising from your use or inability to use the Services
  • Any damages arising from unauthorized access to or alteration of your data
  • Any damages arising from third-party service provider failures (including but not limited to Firebase, Google, RevenueCat)

THE TOTAL LIABILITY OF ONPOINT APP FOR ANY CLAIM ARISING OUT OF OR RELATING TO THESE SERVICES SHALL NOT EXCEED THE GREATER OF:

  • (A) THE AMOUNT YOU PAID TO US IN THE TWELVE (12) MONTHS PRIOR TO THE CLAIM, OR
  • (B) ONE HUNDRED SOUTH AFRICAN RAND (R100).

13.3 Data Accuracy Disclaimer

You are solely responsible for the accuracy, completeness, and legality of all data you input into the Services. We are not responsible for any consequences arising from inaccurate, incomplete, or unlawful data entered by users.

13.4 Jurisdictional Limitations

Some jurisdictions do not allow the exclusion of certain warranties or limitation of liability for certain damages. In such jurisdictions, our liability shall be limited to the maximum extent permitted by applicable law.

FOR EU/UK USERS: Nothing in this Privacy Policy excludes or limits our liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded under applicable law.

14. Indemnification

You agree to indemnify, defend, and hold harmless OnPoint App and its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:

  • Your use or misuse of the Services
  • Your violation of this Privacy Policy or any applicable law
  • Your violation of any third-party rights
  • Any data or content you submit to the Services
  • Your negligent or wrongful conduct

15. Dispute Resolution

15.1 Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of South Africa, without regard to its conflict of law provisions.

15.2 Mandatory Arbitration (United States Users)

FOR USERS LOCATED IN THE UNITED STATES:

Any dispute, claim, or controversy arising out of or relating to this Privacy Policy or the Services shall be resolved exclusively through binding arbitration administered by a mutually agreed-upon arbitration service, rather than in court.

  • Arbitration shall be conducted on an individual basis only
  • The arbitrator's decision shall be final and binding
  • Judgment on the arbitration award may be entered in any court of competent jurisdiction

YOU WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.

15.3 Class Action Waiver

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YOU AGREE THAT ANY DISPUTES SHALL BE RESOLVED ON AN INDIVIDUAL BASIS ONLY, AND NOT AS PART OF ANY CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION.

If this class action waiver is found to be unenforceable, then the entirety of the arbitration agreement shall be null and void.

15.4 Jurisdiction for Non-US Users

For users outside the United States, any disputes shall be subject to the exclusive jurisdiction of the courts of the Republic of South Africa, specifically the courts located in the jurisdiction where OnPoint App is registered.

16. Severability

If any provision of this Privacy Policy is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.

17. Entire Agreement

This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and OnPoint App regarding privacy and data protection practices in relation to the Services.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Questions or Concerns?

OnPoint App

Email: contact@onpointapp.net

For GDPR/UK GDPR inquiries: Data Protection Contact: contact@onpointapp.net

For POPIA inquiries: Information Officer: contact@onpointapp.net

For CCPA inquiries: Privacy Contact: contact@onpointapp.net

19. Regulatory Authorities

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

Region | Authority | Website
South Africa | Information Regulator | inforegulator.org.za
European Union | Your local DPA | edpb.europa.eu
United Kingdom | Information Commissioner's Office | ico.org.uk
Australia | Office of the Australian Information Commissioner | oaic.gov.au
California, USA | California Privacy Protection Agency | cppa.ca.gov

© 2026 OnPoint App. All rights reserved.


© 2026 ONPOINT APP (PTY) LTD. All rights reserved.