Privacy Policy
GraceLumiq is a product of Graceworks Group (PTY)(LTD)
Company Registration No: 2025/570769/07
Registered address: 41 Almond Road, De Oude Spruit, Brackenfell, Cape Town, 7560
Information Officer: Lucky Sibanda (PhD) - privacy@gracelumiq.co.za
Email: privacy@gracelumiq.co.za
Effective date: 26 May 2026
Last updated: 26 May 2026
1. Who we are
Graceworks Group (PTY)(LTD) ("Graceworks", "we", "us") operates GraceLumiq, a cloud-based business data analytics platform. We are a responsible partyas defined in the Protection of Personal Information Act 4 of 2013 ("POPIA") in respect of personal information we process about our customers and their contacts.
We have appointed an Information Officer as required by POPIA. Our Information Officer is contactable at Lucky Sibanda (PhD) - privacy@gracelumiq.co.za.
If you use GraceLumiq to process personal information about your own customers or employees, you are the responsible party for that data and Graceworks acts as your operator (data processor). Please see Section 10 for details.
2. What this policy covers
This policy describes how Graceworks collects, uses, stores, and protects personal information in connection with the GraceLumiq platform. It applies to:
- Account holders and users of GraceLumiq (our direct customers)
- Visitors to our website (gracelumiq.co.za)
- Third parties whose personal information appears in Customer Data uploaded to the platform
This policy does not apply to third-party services linked from our platform (Google, Shopify, Xero, etc.). Please refer to their own privacy policies.
3. Personal information we collect
3.1 Information you give us directly
| Category | Examples |
|---|---|
| Identity | Full name, email address |
| Authentication | Password (stored as a one-way hash), Google account ID |
| Organisation | Organisation name, plan tier |
| Billing | Billing contact name, email - payment card details are handled by our payment processor and are never stored by Graceworks |
| Communications | Support emails, feedback messages |
| Profile | Avatar URL (from Google, if you sign in with Google) |
3.2 Information collected automatically
| Category | Examples |
|---|---|
| Usage | Pages visited, queries run, features used, session duration |
| Device | Browser type and version, operating system |
| Network | IP address, approximate location (country/city level) |
| Logs | API request logs, error logs, performance metrics |
3.3 Customer Data you upload
When you upload CSV files, connect integrations (Google Sheets, Shopify, Xero, direct databases), or otherwise provide data for analysis, that data is stored and processed to deliver the Service. This data may contain personal information about your customers, employees, or suppliers. Graceworks processes this data as your operator - see Section 10.
3.4 Data from Shopify (when you connect a store)
If you enable the Shopify integration, you direct Graceworks to retrieve snapshots from your store using the Shopify Admin API (typically including orders, customers, products, and inventory levels, depending on what you sync). Those payloads can include protected retail customer information such as order identifiers, purchaser email addresses, billing or shipping-related fields surfaced by Shopify, and customer profile fields (including name or address elements where Shopify returns them for your authorised scopes).
Purposes of processing:we retain and process this Shopify-sourced data only to provide GraceLumiq features you request (for example analytics, conversational queries, dashboards, alerts, and scheduled reports derived from connected datasets)-not for unrelated marketing by Graceworks to your store's buyers.
Roles:you remain responsible for lawful collection and onward processing of your shoppers' personal information in connection with Shopify; Shopify operates its own commerce platform under Shopify's privacy terms. Graceworks acts as your operator (processor) when we host and analyse the copies you instruct us to import.
Disconnect:you can remove GraceLumiq's Shopify connection at any time from Settings β Integrations inside GraceLumiq, which revokes our active API authorisation tokens for sync. You should also uninstall or adjust the GraceLumiq app in Shopify Admin if you want Shopify to revoke app access altogether. Disconnecting stops new snapshots; datasets already imported follow the retention periods in Section 6, and you may request earlier deletion via Section 8-subject to our legal bookkeeping obligations where they apply solely to GraceLumiq account records, not Shopify's own records (handle those requests with Shopify separately).
4. How we use personal information
Graceworks uses personal information only for the purposes described below, relying on the applicable lawful basis under POPIA:
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Contract performance |
| Providing the GraceLumiq Service (data analysis, AI queries, chart generation) | Contract performance |
| Hosting and analysing Shopify-sourced snapshots (orders, customers, products, inventory) that you choose to synchronise via the Shopify Admin API connector | Contract performance |
| Processing subscription payments | Contract performance |
| Sending transactional emails (receipts, reports, anomaly alerts) | Contract performance |
| Sending weekly/monthly digest emails (if opted in) | Legitimate interest / consent |
| Responding to support requests | Contract performance / legitimate interest |
| Product improvement and bug fixing | Legitimate interest |
| Usage measurement and diagnostics (Google Analytics 4, PostHog, Sentry - when you opt in to analytics) | Consent |
| Security monitoring and fraud prevention | Legitimate interest / legal obligation |
| Complying with legal obligations (POPIA, ECT Act, SARS) | Legal obligation |
| Marketing emails to existing customers | Legitimate interest (opt-out available) |
| Sending marketing to non-customers | Consent |
We do not sell your personal information to third parties. We do not use your personal information or Customer Data to train external AI models.
5. Subprocessors and third-party sharing
We share personal information only with the third-party service providers ("subprocessors") necessary to deliver the Service. All subprocessors are bound by contractual obligations to protect your data.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Google Cloud Platform (GCP) | Hosting, file storage, compute | Johannesburg (africa-south1) |
| Shopify Inc. | Stores you choose to integrate with GraceLumiq-your staff authorises read-only Admin API access (subject to Shopify's approvals and scopes). Shopify persists live commerce records on Shopify's systems; GraceLumiq stores synced snapshots you instruct us to import. | Operated globally per Shopify's disclosures (see Shopify's Privacy Policy) |
| Google LLC (Google Analytics 4) | Website and product usage measurement when you opt in to analytics cookies/storage | United States / Google processing locations (see policies.google.com/privacy) |
| PostHog Inc. | Product analytics when you opt in; autocapture disabled, named events only | United States |
| Functional Software Inc. (Sentry) | Client-side error diagnostics when you opt in | United States |
| Payment processor (third-party) | Payment processing | South Africa |
| Resend Inc. | Transactional email delivery | United States |
| OpenRouter Inc. | AI query processing (anonymised queries) | United States |
| Redis (self-hosted on GCP) | Session caching, feature flags | Johannesburg |
We may also disclose personal information where required by law, court order, or regulatory authority (including the South African Police Service, National Prosecuting Authority, or Information Regulator), where we are legally compelled to do so.
6. Data retention
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of account + 3 years after deletion |
| Customer Data (uploaded files, query results) | Duration of account + 30 days after account deletion |
| Shopify-derived synced datasets stored in GraceLumiq | Same timetable as Customer Data above (duration of GraceLumiq account + 30 days after account deletion) |
| Payment and billing records | 5 years (SARS requirement) |
| Support communications | 3 years |
| Server and API logs | 90 days |
| Anomaly and forecast results | Duration of account |
| Anonymised usage analytics | Indefinitely (no personal data) |
After the applicable retention period, data is securely deleted or anonymised. You may request earlier deletion - see Section 8.
Shopify note: disconnecting Shopify in GraceLumiq prevents future synchronisation immediately, but deletes of already-imported dataset files proceed under the timelines above unless you ask us (or delete the datasets yourself in-product where available) sooner.
7. Cookies and tracking
Please see our Cookie Policy (gracelumiq.co.za/legal/cookies) for full details. In summary:
- Essential storage: Required for login sessions, consent choice, and white-label subdomain configuration. Cannot be disabled without breaking core features.
- Analytics (opt-in): If you accept analytics in the cookie banner, we use Google Analytics 4, PostHog, and Sentry as described in our Cookie Policy - used for usage measurement and diagnostics, not for advertising.
- No advertising networks: We do not serve third-party ads or use Meta / TikTok / similar advertising pixels on the GraceLumiq product.
8. Your rights under POPIA
As a data subject, you have the following rights, which you may exercise by contacting us at privacy@gracelumiq.co.za:
| Right | What it means |
|---|---|
| Access | Request a description of the personal information we hold about you |
| Correction | Request correction of inaccurate or incomplete information |
| Deletion | Request deletion of your personal information (subject to our legal retention obligations) |
| Objection | Object to processing based on legitimate interests (including direct marketing) |
| Portability | Request your data in a portable format (CSV/JSON) |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
We will respond to requests within 30 days of receipt. We may need to verify your identity before processing a request.
Merchants importing Shopify storefront data retain primary responsibility toward their own buyers for notices and data-subject rights at the point of sale. GraceLumiq will cooperate with lawful instructions to erase or export GraceLumiq-hosted Shopify-origin datasets whenever technically feasible-for records maintained only inside Shopify's systems, Shopify Admin remains the authoritative channel after you disconnect integrations there.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:
- Website: www.inforegulator.org.za
- Email: inforeg@justice.gov.za
- Tel: 010 023 5207
9. Security measures
We implement the following technical and organisational measures to protect personal information:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher.
- Encryption at rest: Customer Data files stored on Google Cloud Storage are encrypted at rest.
- Access controls: Role-based access limits who within Graceworks can access production data. All access is logged.
- Passwords: Stored using bcrypt hashing. We never store plaintext passwords.
- Authentication tokens: Short-lived JWT tokens with appropriate expiry.
- Integration credentials: OAuth access tokens issued by third-party connectors (such as Shopify, Xero, and Google Sheets) are stored encrypted at rest and used only for synchronisation or API usage you initiate.
- Infrastructure: Production systems run on GCP in Johannesburg with firewall rules and private networking.
- Backups: Daily encrypted backups retained for 7 days.
- Breach response: We will notify affected customers and the Information Regulator within 72 hours of becoming aware of a breach as required by POPIA Section 22.
No system is perfectly secure. We encourage you to use a strong, unique password and to enable Google OAuth where possible.
10. Graceworks as your operator (data processor)
10.1 When you upload Customer Data containing personal information about your own customers, employees, or suppliers, Graceworks processes that data on your behalf as your operator under POPIA. You remain the responsible party.
10.2 Your responsibilities as the responsible party include:
- Ensuring you have a lawful basis to upload and process that personal information;
- Ensuring data subjects are informed their data is being processed;
- Honouring data subject requests relating to their data;
- Notifying Graceworks promptly if a data subject exercises rights that require our cooperation.
10.3 Graceworks' obligations as operator include:
- Processing Customer Data only on your documented instructions (i.e., to deliver the Service);
- Not disclosing Customer Data to third parties except as described in Section 5;
- Implementing the security measures described in Section 9;
- Assisting you in responding to data subject requests where technically feasible;
- Notifying you promptly of any security incident affecting Customer Data.
10.4 If you require a formal Data Processing Agreement (DPA) for compliance purposes (e.g., you are subject to GDPR or have enterprise compliance requirements), contact us at privacy@gracelumiq.co.za.
10.5 Shopify.Customer Data originating from Shopify Admin API synchronisation (including shopper-related identifiers and descriptors revealed for the authorised scopes at the time of each sync job) is processed solely to operate GraceLumiq for your organisation-for example conversational analytics over orders, catalogue, customers, or inventory snapshots. Disconnecting Shopify in GraceLumiq stops renewed synchronisations; uninstall GraceLumiq from Shopify Admin if you also wish to revoke Shopify's application credentials. Sections 3.4, 6, and 8 summarise retention, lawful roles, and data-subject pathways.
11. Children's privacy
The Service is intended for business use by adults aged 18 and over. We do not knowingly collect personal information from persons under 18. If you believe a minor's information has been submitted, please contact us immediately at privacy@gracelumiq.co.za and we will delete it.
12. Cross-border transfers
Third-party storefront platforms (such as Shopify) may process buyer information before you duplicate permitted slices into GraceLumiq; once imported, Shopify-origin datasets reside in GCP Africa-South1 under Section 9. Separately, some of our subprocessors handle personal information outside South Africa-for example analytics and AI vendors in the United States (Google Analytics 4, PostHog, Sentry, Resend, and OpenRouter). Transfers outside South Africa are subject to vendor policies and applicable safeguards.
We take steps to ensure these transfers are conducted with appropriate safeguards as required by POPIA Section 72, including contractual protections with our subprocessors and, where applicable, your consent when you opt in to analytics.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy with a new effective date. Continued use of the Service after the change date constitutes acceptance.
14. Contact us
For any privacy-related questions, requests, or concerns:
Graceworks Group (PTY)(LTD)
Information Officer: Lucky Sibanda (PhD)
Email: privacy@gracelumiq.co.za
Postal address: 41 Almond Road, De Oude Spruit, Brackenfell, Cape Town, 7560
Graceworks Group (PTY)(LTD) | Reg No: 2025/570769/07 | gracelumiq.co.za