This policy describes the personal information collected, used, and stored by Overberg Double Glazing & Aluminium ("ODG", "we", "us", "our") when operating our internal business-automation application (the "App"). The App is a single-business tool: it automates inbox triage, quote and invoice generation, and customer correspondence for ODG's own operations. It is not offered to the general public as a service.
1. Who we are
Overberg Double Glazing & Aluminium is a Crealco-accredited window, door, balustrade and pergola fabricator based in the Overberg region of the Western Cape, South Africa. For the purposes of the Protection of Personal Information Act, 2013 (POPIA), ODG is the "responsible party" for personal information processed by the App.
Responsible party: Overberg Double Glazing & Aluminium
Information officer: Gareth van der Walt
Physical address: 1 Fabrieks Road, Bredasdorp, Western Cape, South Africa
Email: overberg.alu@gmail.com
Phone: +27 79 971 9572
VAT number: 4450296688
2. Scope of this policy
This policy applies to:
- Data accessed by the App through Google APIs (Gmail, Google Sheets, Google Drive, Google Calendar) on ODG's own overberg.alu@gmail.com Google account;
- Customer correspondence received by ODG (email, WhatsApp) that is processed by the App for classification, quoting, invoicing or follow-up; and
- Any personal information stored locally by the App on ODG's own servers.
This policy does not apply to third-party services or websites that we link to but do not operate.
3. Google API data — what we access and why
The App uses the following Google API scopes against ODG's own business Google account. It does not request access to any other user's Google account.
Gmail (read, modify, compose, send)
Used to: classify incoming customer enquiries by type (quote request, invoice query, complaint, supplier mail, general enquiry); draft suggested replies for Gareth to review and send; attach generated quote or invoice PDFs to drafts; apply organisational labels to triaged messages. The App does not auto-send email to any customer; every outbound email requires Gareth's explicit approval before it is sent from our Gmail account.
Google Sheets
Used to read and write ODG's internal business ledgers (jobs, clients, leads, triage log, rate card, bank reconciliation). These sheets contain customer names, contact details, site addresses, quote totals, invoice numbers, and payment status — the same data we would keep in any conventional accounting system.
Google Drive
Used only to the extent required by the Google Sheets API (metadata lookups for the files listed above). The App does not index, download, or search the broader contents of ODG's Drive.
Google Calendar
Reserved for planned site-visit scheduling features. Where accessed, it is only to read and write calendar events owned by ODG's own account.
4. Other personal information we process
In the course of running the business, we collect and store information customers provide to us:
- Contact details — name, email, phone number, physical address, optional VAT number.
- Project details — the type and quantity of windows, doors, balustrades or related products requested, together with measurements, finishes and site photographs supplied by the customer.
- Correspondence — emails, WhatsApp messages, and call notes exchanged with the customer about their enquiry or project.
- Financial records — quotes, invoices, deposits received, balances outstanding, bank reconciliations.
5. How we use this information
We use personal information for the following purposes:
- To respond to enquiries, prepare quotes, issue invoices and fulfil orders placed with us.
- To schedule site visits, installations and related fieldwork.
- To process payments and reconcile them against outstanding invoices.
- To send operational communications related to an active enquiry or project (e.g. "your quote is ready", "the deposit has been received", "we're on our way").
- To meet our legal obligations, including tax records, VAT reporting and accounting requirements under South African law.
We do not use personal information for advertising. We do not sell personal information to any third party. We do not share it with any party other than the sub-processors listed in section 6.
6. Sub-processors and data sharing
The App uses a small number of trusted third-party services to function. Each is a "sub-processor" under POPIA and each has its own privacy commitments:
- Google LLC — hosts our business Gmail account, Google Sheets and Google Drive. Google Privacy Policy.
- Anthropic PBC — provides the Claude AI models used to classify email content, draft suggested reply text, and extract window/door specifications from customer-provided plans or photographs. Email content, customer plan images and similar material may be sent to Anthropic's API for this processing. Anthropic states that data sent via the API is not used to train their models. Anthropic Privacy Policy.
- Twilio Inc. — provides the WhatsApp messaging channel used for (a) operational alerts sent to Gareth's own phone and (b) customer communications that Gareth has explicitly initiated or approved. Twilio Privacy Policy.
Google, Anthropic and Twilio are based in the United States. Personal information processed by the App is therefore transferred internationally. We only use sub-processors that we reasonably consider to provide an adequate level of data protection.
- We use Google user data solely to provide and improve the features described in section 3 above.
- We do not transfer Google user data to others except to provide or improve user-facing features that are prominent in the App's user interface.
- We do not use Google user data to serve advertising.
- We do not allow humans to read Google user data unless we have the affected user's affirmative agreement, the access is required for security purposes such as investigating abuse, the access is required to comply with applicable law, or the data is aggregated and used for internal operations in accordance with applicable privacy policies.
7. How long we keep your information
- Customer project records (quotes, invoices, correspondence) are kept for at least seven (7) years from the date of the last transaction, to comply with South African tax and accounting requirements.
- Triage metadata (which emails were processed, when) is kept indefinitely to avoid duplicate processing, but is not used for any purpose other than deduplication.
- Working-copy caches (geocode caches, rate-card caches, AI inference caches) are kept only as long as operationally useful, typically days or weeks, and are routinely overwritten.
- Google OAuth tokens are stored only as long as required to operate the App and are rotated on re-authentication.
8. How we keep your information secure
- The App runs on a dedicated, restricted-access Linux server under Gareth's direct control.
- API credentials and passwords are stored in a root-owned, 0600-permission environment file and are never committed to source control.
- Remote administrative access is via keyed SSH and an authenticated private overlay network (Tailscale) only. No administrative interface is exposed to the public internet.
- Daily backups of business state are retained on the server and rotated regularly.
- We will notify affected data subjects and the Information Regulator without undue delay if we become aware of any unauthorised access to personal information, as required by POPIA section 22.
9. Your rights
Under POPIA (and, where applicable, comparable legislation such as the EU GDPR), you have the right to:
- Ask what personal information we hold about you and how we are using it.
- Ask us to correct inaccurate personal information.
- Ask us to delete personal information we no longer need (subject to our legal retention obligations — see section 7).
- Object to any processing you consider unlawful or unjustified.
- Lodge a complaint with the Information Regulator of South Africa.
To exercise any of these rights, contact our information officer using the details in section 1. We will respond within 30 days.
10. Revoking Google API access
If you are a Google user and you want to revoke the App's access to your Google account, you can do so at any time at https://myaccount.google.com/permissions. The App will stop functioning against that account immediately thereafter.
11. Children
The App is not directed at children. We do not knowingly collect personal information from children under 18.
12. Changes to this policy
We may update this policy from time to time. The effective date at the top of this page will always reflect the date of the most recent update. Material changes will be communicated through the channel you have with us (typically email or WhatsApp).
13. Contact
Questions, concerns or requests regarding this policy or the processing of your personal information should be directed to:
Gareth van der Walt — Information Officer
Overberg Double Glazing & Aluminium
1 Fabrieks Road, Bredasdorp, Western Cape, South Africa
overberg.alu@gmail.com · +27 79 971 9572