ALTOLEVEL
Sign inSign up

Privacy Policy

Last updated: 23 May 2026

Template — not yet legal advice. This document is a working draft prepared for the Altolevel MVP launch in the European Union. Before relying on it in production, have it reviewed and finalised by a Portugal / EU-qualified lawyer.

This Privacy Policy explains how Altolevel (“we”, “us”) collects, uses, shares and protects personal data when you use altolevel.co.za (the “Platform”). It is written to comply with Regulation (EU) 2016/679 (the “GDPR”).

1. Data controller

The data controller for the personal data processed via the Platform is [Legal entity name & address to be confirmed]. You can contact us about any privacy matter at info@altolevel.co.za.

2. What data we collect

2.1 Data you give us

  • Account data — name, email address, password hash (or Google OAuth identifier), preferred language, role (renter, provider, admin).
  • Profile data — avatar image, short bio, business or farm name.
  • Listing data (Providers) — photos, descriptions, breed and headcount, pricing, geographic location of the goats, what is included (transport, handler, feed).
  • Booking data — start and end dates, number of goats, communications relating to a booking, reviews left or received.
  • Payment data — limited card data is transmitted directly from your browser to Stripe; we never receive or store full card numbers. We do store Stripe customer and PaymentIntent identifiers, the last 4 digits of the card, and the country of issue for fraud and accounting purposes.
  • Identity-verification data (Providers) — for KYC, Stripe collects identifying information (e.g. name, address, date of birth, ID document, tax identifier) directly within Stripe Connect Express onboarding. Altolevel sees only the verification status, not the underlying documents.

2.2 Data collected automatically

  • Device & connection data — IP address, user agent, screen size, approximate location derived from IP.
  • Usage data — pages visited, listings viewed, searches run, referring URL, timestamps.
  • Cookies & similar technologies — strictly necessary cookies for session and security, and (after consent where required) analytics and performance cookies. See section 8.
  • Error and performance data — when enabled, Sentry collects exception traces and limited request context to help us diagnose bugs.

3. How we use your data & the lawful basis

We process personal data on the following bases:

  • Performance of a contract (GDPR art. 6(1)(b)) — to create your account, take and fulfil bookings, process payments and payouts, handle refunds and cancellations, and provide customer support.
  • Legitimate interests (GDPR art. 6(1)(f)) — to operate, maintain and secure the Platform, prevent fraud, moderate listings and reviews, and improve our product. We balance these interests against your rights and freedoms.
  • Legal obligation (GDPR art. 6(1)(c)) — to comply with accounting, tax, VAT, anti-money-laundering and consumer-rights laws.
  • Consent (GDPR art. 6(1)(a)) — for non-essential cookies and any marketing communications. You can withdraw consent at any time without affecting prior processing.

4. Who we share data with

We share personal data only with processors who help us run the Platform, and only to the minimum extent necessary:

  • Supabase (database, authentication, file storage) — EU region.
  • Stripe (payment processing, Connect Express onboarding, KYC) — Stripe is an independent controller for payment data; its privacy policy applies.
  • Resend (transactional email delivery).
  • Mapbox (map tiles, geocoding) — IP address is sent when map tiles load.
  • Vercel (hosting and CDN) — EU edge regions.
  • Google — only if you sign in with Google OAuth.
  • Sentry — if enabled, for error monitoring.

Between users: when a booking is created we share with the Provider the Renter’s name and the booking details, and we share with the Renter the Provider’s public profile and listing details.

We may disclose data to public authorities where required by law, to enforce these Terms, or to protect the rights, property or safety of Altolevel, our users or the public.

5. International transfers

Personal data is primarily processed in the European Economic Area. Some sub-processors (notably Stripe and Sentry) may transfer data to the United States. Such transfers are covered by Standard Contractual Clauses approved by the European Commission, supplementary safeguards where required, and by the EU–US Data Privacy Framework where applicable.

6. How long we keep your data

  • Account data — for as long as your account is open, and up to 30 days after closure to allow recovery and dispute handling.
  • Booking and transaction records — at least 10 years to satisfy Portuguese tax and accounting rules.
  • Marketing-consent records — until consent is withdrawn plus 12 months for audit purposes.
  • Logs — 90 days, except where retained longer for a security investigation.

7. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have data deleted (“right to be forgotten”), subject to legal retention obligations;
  • restrict or object to certain processing;
  • receive your data in a portable, machine-readable format;
  • withdraw any consent you previously gave;
  • lodge a complaint with the Portuguese data-protection authority CNPD (cnpd.pt) or your local supervisory authority.

To exercise any of these rights, email info@altolevel.co.za. We aim to respond within 30 days.

8. Cookies

We use three categories of cookies:

  • Strictly necessary — keep you signed in, remember your language, and protect against CSRF. These cannot be disabled.
  • Functional — remember your search filters and recent listings. Used only after consent where required.
  • Analytics & performance — anonymised measurement of which pages and features are used. Set only after consent where required.

You can change your cookie choices at any time via your browser settings. Disabling strictly necessary cookies will prevent core Platform functionality from working.

9. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest for databases and backups, role-based access control, Postgres row-level security, secret rotation, and regular review of third-party access. No system is perfectly secure; please notify us promptly at info@altolevel.co.za if you suspect a breach.

10. Children

The Platform is not directed at children under 18. If you believe a child has provided personal data to us, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app notice at least 14 days before they take effect. The “Last updated” date at the top of the page always shows the current version.

12. Contact

Questions about this Privacy Policy or our handling of personal data can be sent to info@altolevel.co.za.

Privacy policy | Altolevel