Overview
This Privacy Policy explains how G.R.A.I.S. (the “Platform”), operated by Ndondo (Pty) Ltd (“we”, “us”, or “our”), collects, processes, stores, and protects personal data and governance information entrusted to us by our customers and their authorised users.
G.R.A.I.S. is designed for governance, committee management, reporting, resolutions, audit, risk, and executive intelligence. Because of the sensitive nature of the information processed through the Platform, we treat privacy and data protection as core design requirements.
Data controller
Ndondo (Pty) Ltd is the data controller for information collected and processed through the Platform, unless a customer agreement explicitly designates another party.
For privacy-related questions, you can contact us at hello@grais.co.za.
What we collect
Account information: name, email address, role, and organisational affiliation when an administrator or user creates an account.
Governance content: reports, agendas, minutes, resolutions, committee records, risk registers, audit findings, documents, and metadata uploaded or generated by authorised users within their organisation's workspace.
Usage information: logins, feature interactions, audit events, and system activity generated for security, debugging, and service improvement.
Technical information: browser type, IP address, device identifiers, and cookies or similar technologies used to maintain sessions and improve the user experience.
How we use information
To provide, operate, and improve the Platform and its governance, risk, audit, and AI-assisted features.
To authenticate users, enforce role-based access controls, and maintain audit trails required for accountability.
To respond to support requests, investigate security incidents, and comply with legal obligations.
To generate aggregated, non-identifiable insights for product improvement; we do not use customer data to train third-party AI models.
Security and access controls
We implement technical and organisational measures designed to protect data from unauthorised access, alteration, disclosure, or destruction. These include encryption in transit, role-based access controls, audit logging, and regular security reviews.
Access to customer data is limited to authorised personnel with a legitimate need and is governed by least-privilege principles.
Customers control their own user accounts, roles, and permissions within their workspace. Administrators are responsible for promptly removing access for users who no longer require it.
Retention and deletion
We retain customer data for as long as the customer account is active or as required to provide the service, comply with legal obligations, resolve disputes, or enforce agreements.
When an account is terminated, data is deleted or anonymised in accordance with the customer's instructions and applicable retention requirements, except where backup or legal retention obligations apply.
Customers may request information about retention periods or deletion of specific data by contacting us at hello@grais.co.za.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your personal data, as well as the right to object to certain processing.
To exercise these rights, or to ask questions about how your data is handled, please contact us at hello@grais.co.za. We will respond in accordance with applicable law.
Changes and contact
We may update this Privacy Policy from time to time. When material changes are made, we will revise the “last updated” date and notify customers where appropriate.
For any privacy questions, data requests, or security concerns, please email us at hello@grais.co.za.
