Privacy Policy

Transparent data processing principles, security commitments, and GDPR-compliant user rights management.

  1. Home
  3. Privacy Policy
  • Privacy Policy for Grievance.app
  • How We Collect Data
  • Purposes of Processing and
    Lawful Bases
  • Data Storage and Protection
  • Third-Party Processors and
    Data Sharing
  • Data Retention and Anonymization
  • International Data Transfers and
    Data Sovereignty
  • User Rights and Choices
  • Special Provisions for Sensitive &
    Anonymous Grievances
    (Survivor-Centered Approach)
  • Security Measures Summary
  • Changes to this Privacy Policy
  • Contact Us

Privacy Policy for Grievance.app

Grievance.app (the “Platform”) is a software-as-a-service (SaaS) grievance management system operating in Africa, the European Union (EU), and the United States. We are committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use and protect it, the lawful bases for processing, our third-party processors, data retention practices, international data transfers, security measures, and your rights. It covers the core Grievance.app platform and optional modules (e.g. Gender-Based Violence (GBV) workflow, SMS/IVR submissions, offline access), and is intended to meet the strict requirements of enterprise clients and global donors (e.g. World Bank, African Union). If you have any questions or concerns about this policy, please contact us at privacy@grievance.app.

Scope and Roles

This policy applies to personal data processed by Grievance.app in providing our services. In many cases, our client organizations (e.g. NGOs, government agencies, donor-funded projects) act as Data Controllers of the grievances and related personal data, while Grievance.app acts as a Data Processor on their behalf. For personal data that Grievance.app collects and determines the purposes for (such as website visitor analytics or account registration details), Grievance.app is the Data Controller. We adhere to privacy laws in all regions we operate, including the EU General Data Protection Regulation (GDPR), relevant African data protection laws, and U.S. federal and state privacy regulations. We do not sell personal information and we process data only as outlined in this policy or as instructed by our clients.

Information We Collect

We collect various types of personal data through our Platform and its modules, as described below:

  • User Account Information: When you or your organization register an account or user profile, we may collect identifiers such as name, job title, organization, email address, phone number, and login credentials. For authentication, we may use phone-based verification (e.g. one-time passcodes via SMS) which involves collecting your phone number.
  • Grievance Submission Data: When a grievance or complaint is submitted through the core Platform (via web or mobile app), we collect the information provided by the complainant. This typically includes descriptive details of the issue, names or identities of parties involved, dates, locations, and any evidence or attachments uploaded. A unique grievance ID is generated for each case. If the GBV module is used for reporting gender-based violence incidents, the information may include sensitive personal data about health, sexual orientation, or other protected characteristics of survivors and perpetrators, as provided by the reporter. We strive to minimize the personal data required – for example, the GBV workflow allows anonymous or pseudonymous submissions to protect survivor identity whenever possible.
  • Communication Channel Data (SMS/IVR): Our Platform offers the option to submit grievances via SMS text messages and interactive voice response (IVR) phone calls for accessibility. If you use SMS, we collect your mobile phone number and the content of the text messages. If you use a phone hotline/IVR, we collect your phone number and the audio recordings or transcriptions of your voice responses. These services are facilitated through our telephony provider Twilio, which processes the call and message data on our behalf. Twilio may log metadata such as call duration or SMS timestamps as needed for message delivery.
  • Offline Usage Data: For projects operating in areas with limited internet connectivity, the Platform may be used in an offline mode (e.g. via a mobile app or offline-enabled web application). In offline mode, grievance data entered by users is stored locally on the device. This may include any of the above submission data and is encrypted on the device. Once an internet connection is available, the data will sync to our servers. During offline use, no new data is transmitted to us until synchronization occurs.
  • Support and Correspondence: If you contact us for support or with inquiries (through web forms, email, or in-app support channels), we will collect the contact information you provide (e.g. name, email) and the content of your communications.
  • Automated Technical Data: When users interact with the Platform (including our website and web application), we automatically collect certain technical data. This includes device and browser information, IP address, login dates/times, and usage logs (actions taken in the system). We also use cookies or similar technologies for session management and to remember user preferences. For analytics purposes, we use Google Analytics which tracks user interactions such as page views, clicks, and time spent on pages. Google Analytics may collect information like your IP address (which we configure to anonymize where required) and set cookies or identifiers to analyze how users use our site. We disclose our use of Google Analytics to all users and obtain cookie consent where applicable, as required by Google’s terms and privacy laws. You can opt out of Google Analytics tracking (see Your Rights and Choices below).
  • Special Categories of Data: In general, we do not seek to collect sensitive personal data unless necessary for the grievance process. However, in modules like the GBV workflow, information about an individual’s health, sexual life, or criminal victimhood may be provided by the complainant. Such data is considered “special category” under GDPR and other laws. We only process this data with extra care and lawful basis (e.g. explicit consent or substantial public interest – see Lawful Bases below). Moreover, such sensitive records are subject to heightened security and access controls, as described later in this policy.

Anonymous Submissions: Our Platform supports anonymous grievance submissions to encourage reporting without fear of identification. If you submit a complaint anonymously, we will not require your name or contact details – only the grievance details themselves. Keep in mind that truly anonymous complaints mean we may not be able to follow up with you for additional information or provide individualized updates. Anonymous complaint data is still treated as personal data if it can indirectly identify someone (for example, details of an incident might indirectly identify a victim). We will never attempt to discover the identity of anonymous reporters, and such submissions are handled with the highest confidentiality.

How We Collect Data

We collect personal data through several channels:

  • Directly from You: Most data is provided directly by users. This happens when you fill in forms on the web platform, use our mobile app, send us an SMS, respond to IVR prompts, or otherwise communicate with us. For example, when you open a grievance via the web portal, you enter information into the form; when you send an SMS grievance, the text you send is captured by our system; when you call our IVR line, your voice responses are recorded. In all cases, you choose what information to provide in the grievance description and whether to include optional personal details.
  • Through Your Organization: If your employer or the organization managing the grievance mechanism creates an account for you (e.g. as a case officer or if they preload some complainant data), they may input your personal data into the Platform. We process that data as instructed by the organization.
  • Automated Collection: As you interact with our services, we use technical methods to collect usage data. Cookies and similar technologies record your preferences and activity on our website. Server logs automatically record information like IP addresses and device identifiers when you access the system. Our Google Analytics tool also automatically collects usage metrics as described above (with user consent where required).
  • Third-Party Integrations: In some cases, we collect data via third-party integrations authorized by our clients. For instance, if the Platform is integrated with an SMS gateway (Twilio) or messaging apps (such as WhatsApp or social media chatbots) for grievance intake, those services pass the content and metadata of messages to us. Similarly, if clients integrate single sign-on or HR systems, we might receive user data from those sources. All such integrations are configured to ensure data is collected and transferred lawfully and securely.

We will always endeavor to collect the minimum amount of data necessary for the purposes described. We also provide notice and obtain appropriate permissions at the point of collection when required (for example, showing a cookie banner for analytics cookies, or requesting your consent before recording an IVR call if required by law).

Purposes of Processing and Lawful Bases

We process personal data for specific purposes in accordance with the lawful bases allowed under GDPR and other data protection laws. The main purposes for which Grievance.app processes personal data, and their corresponding legal bases, are:

  1. Providing and Operating the Service: We use personal data to set up and maintain user accounts, authenticate users, and enable you to submit and track grievances through our Platform. We process grievance details in order to route them to the appropriate organization or department, facilitate investigations and resolutions, and allow authorized users (such as grievance officers) to manage cases. Lawful basis: Performance of a contract (GDPR Art. 6(1)(b)) – for example, where we have a contract with a client to provide the grievance platform, processing users’ data is necessary to fulfill that service. In some contexts, our clients may have a legal obligation or mandate to run a grievance mechanism, in which case our processing may also be necessary for compliance with a legal obligation (Art. 6(1)(c)). For government or public-sector deployments, processing may be in the public interest or exercise of official authority (Art. 6(1)(e)). In all cases, processing is also in the legitimate interests of the complainants and the client organization to address and resolve issues raised (Art. 6(1)(f)), and these interests are considered to not override the rights of data subjects.
  2. Handling Sensitive GBV Cases: For the GBV module and similar sensitive grievance workflows, personal data (including any special category data about health, sex life, etc.) is processed solely to assist survivors in reporting incidents and to enable appropriate support and response. We apply a survivor-centered approach focusing on confidentiality and safety. Lawful basis: Depending on the context, we will obtain the explicit consent of the survivor/complainant for processing sensitive data (GDPR Art. 9(2)(a)), except where the complainant is truly anonymous. In cases where consent is not practical (e.g. an anonymous report that still contains sensitive details), we rely on other conditions such as that the processing is necessary for the establishment, exercise or defense of legal claims (Art. 9(2)(f)), vital interests (if a person’s life or safety is at risk, Art. 9(2)(c)), or substantial public interest under appropriate laws (Art. 9(2)(g)) – for example, NGOs addressing GBV may fall under frameworks that allow processing of such data with safeguards. The general lawful basis for handling these cases is typically consent or legitimate interests aligned with protecting individuals from harm. We ensure any processing of special data is also subject to additional safeguards (encryption, restricted access, etc.) in line with legal requirements.
  3. Communications and Notifications: We process contact information (like email addresses and phone numbers) to send transactional communications related to the service. This includes notifications about grievance status updates, alerts for new incoming grievances to officials, OTP codes for login verification, and responses to inquiries or support requests. Lawful basis: Legitimate interests (Art. 6(1)(f)) – it is in our users’ and clients’ interest that we communicate effectively about the grievances and account security. In some cases, it may also be contractual necessity (for example, sending an OTP is necessary to provide a secure login). For any optional or marketing communications (such as a newsletter or product updates not directly related to a grievance), we will rely on consent (Art. 6(1)(a)) or give an easy opt-out, in accordance with applicable anti-spam laws.
  4. Improving the Platform and Analytics: We analyze usage data (including Google Analytics information about how users navigate the site) to understand platform performance, user engagement, and areas for improvement. This helps us fix bugs, optimize user experience, and develop new features. Wherever possible, we use aggregated or anonymized data for analytics. Lawful basis: Legitimate interests (Art. 6(1)(f)) – specifically our interest in improving our service quality and user experience. In jurisdictions where analytics cookies or tracking require consent, we will obtain consent before collecting analytics data (which then makes Art. 6(1)(a) the basis for those particular data points). Users can withdraw consent at any time (see Your Rights).
  5. Security and Fraud Prevention: We process data to maintain the security of the Platform and users. This includes monitoring login activity and audit logs to detect unauthorized access, using audit trails of user actions within the system to detect misuse, and deploying anti-abuse measures. We may also use personal data (like IP addresses or user account info) to investigate potential violations of our Terms or fraudulent activity. Lawful basis: Legal obligation (Art. 6(1)(c)) in some cases (e.g. compliance with cybersecurity regulations) and legitimate interests (ensuring the integrity and security of our service, which benefits all users).
  6. Legal Compliance and Advocacy: If we are required to produce information in response to a lawful request by authorities (e.g. a court order or donor audit), or to comply with applicable laws and regulations (such as mandatory reporting of certain incidents), we will process and disclose data as needed. We also retain and use data as necessary to resolve disputes, enforce our agreements, or defend against legal claims. Lawful basis: Legal obligation (Art. 6(1)(c)) for compliance with laws; or legitimate interests (Art. 6(1)(f)) for protecting our legal rights, ensuring accountability, and cooperating with oversight by donor organizations or regulators.

We determine the appropriate lawful basis for each processing activity before it begins, and we only rely on those bases permitted by law. Where consent is our basis, you have the right to withdraw consent at any time, and we will not continue that processing (with no impact on the lawfulness of processing already done). Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms to ensure no disproportionate impact. We are happy to explain our specific legal basis for any processing on request.

Data Storage and Protection

We understand that the data you entrust to Grievance.app may be highly sensitive (especially in cases of GBV or whistleblowing), and we employ robust measures to protect its confidentiality and integrity. We store and process personal data on secure cloud servers and take industry-standard precautions as well as additional safeguards:

  • Hosting and Data Location: We utilize reputable cloud infrastructure providers to host our Platform. Depending on the region and client requirements, data is stored either with DigitalOcean, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or similar providers. We aim to store data in a location geographically close to our clients or end-users to respect data sovereignty preferences. For example, an EU-based project’s data can be hosted in EU data centers, a project in Africa may be hosted on an AWS Africa (Cape Town) or Azure South Africa region, and U.S. data is typically in U.S. data centers. Our primary hosting partners maintain high compliance standards (ISO 27001, SOC 2, etc.) and underwent GDPR readiness assessments. We have Data Processing Agreements in place with each provider, ensuring they act only on our instructions and protect personal data.
  • Encryption: All data in transit between your device and our servers is encrypted using HTTPS/TLS. We enforce strong cipher suites and HSTS to prevent any unencrypted access. Likewise, data at rest in our databases and storage is encrypted (using industry-standard encryption such as AES-256). This includes any backups or replicas. If our optional offline mode is used, the local data store on the device is also encrypted. Sensitive fields (such as personal identifiers in GBV cases) may be additionally encrypted or hashed in the database for an extra layer of security.
  • Access Controls: We restrict access to personal data strictly to those personnel and system processes that require it to perform their duties. Grievance.app personnel (employees or contractors) access client data only for troubleshooting or support purposes and only when authorized. All staff with such access are bound by confidentiality agreements and receive training on data privacy. Access to production systems is controlled via multi-factor authentication and logged. Within the Platform, role-based access controls ensure that users (e.g., grievance officers, managers) only see data relevant to their role. Particularly sensitive cases (such as GBV complaints) can be permissioned so that only a designated subset of trained users can view the full details, with others seeing anonymized or redacted information as appropriate (survivor identity may be protected even internally).
  • Audit Trails: The Platform maintains detailed audit logs of key activities, such as user logins, grievance submissions, updates to records, and data exports. These audit trails are time-stamped and identify the user or process involved. We regularly review audit logs to detect any unauthorized or unusual access. Maintaining audit trails is an important organizational measure for accountability and helps us and our clients provide an audit trail in case of investigations or donor reviews.
  • Network and System Security: Our servers are protected by firewalls and network monitoring to guard against external attacks. We use security tools to detect and prevent malware or intrusions. Software updates and patches are applied promptly to mitigate vulnerabilities. We also perform periodic security assessments and penetration testing through qualified professionals to continually evaluate and improve our security posture. Any vulnerabilities identified are remediated on a priority basis.
  • Data Minimization: We follow the principle of data minimization and purpose limitation. We do not collect more personal data than is necessary for the stated purposes, and we do not use it for new, incompatible purposes without updating this policy or obtaining consent. For example, we do not use grievance data for advertising or profiling individuals, and we will never sell or rent your personal information.
  • Organizational Policies: We have internal policies and incident response plans to handle any data security or privacy incident. In the unlikely event of a data breach involving personal data, we will promptly notify affected clients and individuals as required by law (for example, GDPR requires breach notification to authorities and affected persons within 72 hours of discovery in certain cases). We also conduct regular staff training on data protection, including handling of sensitive GBV information under a survivor-centered approach (confidentiality, “do no harm” principles, etc.).

While we employ strong security controls and strive to protect your data, no method of electronic storage or transmission is 100% infallible. However, we continually update and refine our security measures in line with evolving threats and best practices. We also encourage clients and users to play a role in security by choosing strong passwords, safeguarding login credentials, and immediately reporting any suspected unauthorized access to us.

Third-Party Processors and Data Sharing

Grievance.app does not sell personal data to anyone. We only share or disclose personal data in the following circumstances:

  • Client Organizations: If you submit a grievance or are associated with a grievance, the content of that grievance and relevant personal data will be shared with the organization responsible for addressing it (the client that set up the grievance mechanism). For example, if you file a complaint about a project, the project implementation unit or relevant authority will receive your submission in order to take action. Those entities are bound to handle your data according to their own privacy commitments and, in many cases, under confidentiality rules (especially for GBV or whistleblower complaints). We simply facilitate the transfer and storage of information on their behalf.
  • Authorized Personnel: Within a client organization, only authorized users (grievance officers, case managers, etc.) will have access to your personal data, and then only what they need for case management. These permissions are configured by the client administrators. Grievance.app as a platform enforces those access controls but is not responsible for how a client’s internal users may further use the data (clients typically have their own privacy and ethics policies for handling grievances).
  • Our Service Providers (Sub-Processors): We rely on certain trusted third-party companies to support our services. These providers act under our instruction (as “processors” or sub-processors) and are bound by contractual agreements to protect your data. The main third-party processors we use are:
  • Twilio Inc.: We use Twilio to power our SMS and IVR (phone call) features. Twilio will process the phone numbers, SMS messages, call recordings, and related metadata as necessary to deliver messages and calls through telecom networks. Twilio acts solely as a processor on our behalf and does not use this data for any other purpose. Twilio is a U.S.-based company but has committed to GDPR compliance (including Binding Corporate Rules for data transfers). In our privacy agreements, we list Twilio as a sub-processor handling messaging data.
  • Google LLC (Google Analytics): We use Google Analytics (a web analytics service) to collect anonymous statistics about how users find and use our website. Google Analytics uses cookies and similar tracking technologies to gather data such as website visitor IP addresses, device information, and user interactions (e.g. pages viewed, clicks). This information is transmitted to Google’s servers (which may be globally distributed, including in the U.S.). We have configured Google Analytics to anonymize IP addresses where applicable and we do not send Google any directly identifying information (like names or emails). Google acts as our data processor for analytics data, meaning they are contractually forbidden from accessing or using the data except to provide analytics services. Google is certified under frameworks like the EU-U.S. Data Privacy Framework and offers Standard Contractual Clauses for data transfers as needed. You can opt out of Google Analytics as described in Your Rights and Choices. Please note, Google Analytics is only used on our marketing website and not within the secure grievance management portal.
  • Cloud Hosting Providers: As noted, we use cloud infrastructure such as DigitalOcean, AWS, Azure, or GCP to host our application and databases. These providers inevitably process any data stored on our systems, but only in a passive capacity (storing and computing under our control). For example, if we host on DigitalOcean, your data resides on DigitalOcean’s servers in a specified data center, but DigitalOcean does not access the content of that data except as needed for infrastructure maintenance. We have DPAs in place with each provider. DigitalOcean, for instance, publishes a Privacy Policy and GDPR FAQs and is known to comply with data protection requirements (they performed compliance analyses when GDPR took effect). AWS, Azure, and GCP likewise maintain strict security and compliance standards. We ensure that whichever provider is used for your project, they meet our security requirements and, where applicable, have the necessary certifications (ISO 27001, SOC 2, etc.). These providers may install necessary cookies or use monitoring tools for service reliability (for example, DigitalOcean might use certain cookies for load balancing), but such usage is covered under our agreements and does not include selling your data.
  • Other Tools: We may use additional third-party tools or services in running our business (for example, an email service for sending support or notification emails, like SendGrid which is also provided by Twilio, or Mailgun; or collaboration tools for customer support). Any such tools are carefully vetted for security and privacy. They will only receive the minimum data required (e.g. just an email address and template content for sending an email alert). An up-to-date list of sub-processors can be provided upon request, and we update our clients when we add or change sub-processors as per our contractual obligations.

We require all third-party processors to protect personal data with appropriate security measures and to process it only for the purposes we specify. We remain liable for the processing performed by our sub-processors and ensure they uphold standards at least as stringent as ours.

  • Legal Disclosures: We may disclose personal data to third parties (such as courts, law enforcement or regulatory agencies, or funders like the World Bank) if required to do so by law or legal process. For example, if a law enforcement authority lawfully requests data in relation to a criminal investigation, or if a donor’s anti-fraud policy requires access to certain grievance records for audit, we will comply to the extent the law requires. Wherever possible and lawful, we will notify the affected clients or individuals before disclosing such information. We will also ensure any requesting party has proper jurisdiction and rights to obtain the data.
  • Business Transfers: If Grievance.app (or its operating company) is involved in a merger, acquisition, or sale of all or part of its assets, personal data may be transferred to the acquiring entity. In such an event, we will ensure the new owners continue to be bound by privacy obligations at least equivalent to those in this policy, and we will provide notice to clients and users before any data is transferred under a different privacy regime.
  • Aggregated or Anonymized Data: We may share aggregated, anonymized insights that do not identify any individual. For instance, we might publish reports on the number of grievances logged in a certain period, the average resolution time, or trends in types of complaints, for transparency or research purposes. Such reports will never include personal identifiers. This kind of data may be shared with donors, policymakers, or publicly to demonstrate impact, but it will be stripped of personal details (and often even aggregated at a high level like by region or sector). Anonymized incident data can sometimes be shared between agencies for learning, but only with stringent protocols ensuring no survivor can be re-identified.

Aside from the above, Grievance.app will not disclose personal data to any unauthorized third party. We do not sell, trade, or rent your information for marketing purposes. All our employees and partners are subject to confidentiality duties.

Data Retention and Anonymization

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by our clients or applicable law. Our retention approach is as follows:

  • No Fixed Retention Period by Default: Because our Platform is used in diverse projects, we generally do not impose a one-size-fits-all retention period for grievance data. Instead, we configure retention according to the client’s needs and legal obligations. Many of our enterprise and donor clients have their own record retention policies (for example, a project might require keeping grievance records for at least 5 years for auditing purposes). We provide tools and settings to accommodate these policies. By default, in line with GDPR’s storage limitation principle, personal data should be kept in identifiable form no longer than necessary for the purposes for which it was collected. We encourage all our clients to periodically review the data in the system and delete or anonymize records that are no longer needed.
  • Active Case Data: Personal data related to active grievances is retained throughout the lifecycle of the case so that the issue can be addressed and all parties can track the status. This may include keeping the data while an investigation or remedy is ongoing, which could span weeks or months depending on complexity.
  • After Case Closure: Once a grievance is resolved/closed, the data may be retained for a period for accountability and learning purposes – for example, to generate reports, identify patterns, or demonstrate compliance with environmental and social safeguards. However, we encourage minimizing this period. In many cases, identifying details (names, contact info) can be anonymized after closure, while retaining non-identifiable information for statistical analysis. Our system supports anonymization features, whereby specific fields can be permanently masked or removed after a set time while keeping the rest of the record for aggregate metrics. If a client does not specify, we typically suggest a standard archival period (e.g. 2 years after closure) before anonymization, but this can be tailored.
  • User Accounts: If an individual user (e.g. a complainant with an account or a grievance officer) requests deletion of their data or closes their account, we will delete or anonymize personal information associated with that user, subject to any legal requirements to retain it. For example, if a complainant account is deleted, we may still retain the grievance record but without the user’s identifying information, or we may replace the user’s name with an anonymous label while keeping the grievance content (especially if it’s needed for ongoing resolution). If a staff user account is deleted, their actions in audit logs may be retained (as they are part of system audit history) but will be disassociated from personal identity where possible.
  • Legal Requirements: Certain laws may require longer retention. For instance, if grievances form part of legal claims or reports to funders, we might need to retain those records until the legal requirement is fulfilled. Also, anti-fraud and compliance rules (especially for donor projects) might mandate storing records for a number of years. We will comply with such requirements. Conversely, if law mandates deletion or anonymization (such as GDPR’s right to erasure under conditions, or if a supervisory authority orders deletion), we will do so.
  • Backups and Archives: Our systems perform routine backups for reliability. Backup copies of data might be retained for a short period (typically encrypted and stored separately) and are deleted or overwritten on a rolling schedule. We ensure that when production data is deleted or anonymized, the same changes propagate to backups within a reasonable time frame or that backups age out and are destroyed. We avoid retrieving personal data from backups except for disaster recovery.
  • Anonymization/Pseudonymization: Where feasible, we prefer to anonymize rather than outright delete data, so that the remaining information can support analysis without impacting individual privacy. Anonymization involves irreversibly stripping personal identifiers (like names, contact info, ID numbers) from the dataset so individuals can no longer be identified. Pseudonymization (replacing identifiers with codes) may be used internally to separate identity from case content. For example, the GBV module may assign a survivor a unique code and refer to them by that code in case tracking, with their actual identity stored separately with extra protection. We use these techniques to enhance privacy, especially for long-term use of data for monitoring trends.

In summary, our policy is to retain personal data only as long as it serves its purpose and legal requirements, then delete or anonymize it. By default, if you request account or data deletion, we will honor it (after verifying your identity and provided that no overriding legal basis for retention exists). Even if you do not make a specific request, we implement measures so that data is not kept indefinitely without purpose. Personal data that is no longer needed is securely deleted or irreversibly anonymized.

Please note that when we act as a Data Processor for a client, the client’s instructions on data deletion will take precedence. We assist our clients in fulfilling their data retention obligations. If you have submitted a grievance to a particular organization and seek deletion of that grievance, we may refer you to contact that organization (the Data Controller) to ensure proper authorization, but we will assist them in erasing your data from our systems as required.

International Data Transfers and Data Sovereignty

Grievance.app is used in multiple jurisdictions, including across Africa, the EU, and the U.S. Consequently, personal data may be transferred across national borders in the course of our operations. We recognize the importance of protecting data when it moves to a country with different data protection laws, and we take steps to ensure compliance with international transfer rules:

  • Regional Hosting Options: Whenever possible, we host data within the region of its origin. For example, data for EU-based projects is stored on EU servers to comply with GDPR’s data residency preferences. Data for African organizations can be hosted in Africa (where suitable data centers exist) or in Europe, depending on client comfort and local law. By keeping data regional, we reduce cross-border transfers. We also understand some African nations have or are developing data protection laws that restrict sending data abroad; we will work with clients to meet any such local requirements (including possibly using in-country servers if necessary in the future).
  • Standard Contractual Clauses (SCCs): When personal data from the EU/EEA, UK, or other jurisdictions with transfer restrictions is transferred to countries not deemed to have “adequate” data protection (such as to the U.S. for our use of Twilio or Google services), we rely on the European Commission’s Standard Contractual Clauses (SCCs) as an approved legal mechanism. These clauses are contractual commitments that bind the recipient of the data to protect it to EU standards. All our relevant contracts with sub-processors include SCCs or an equivalent transfer mechanism. This means, for instance, that when we transfer EU personal data to Twilio in the U.S., the SCCs impose EU-level privacy obligations on Twilio. In addition, Twilio has adopted Binding Corporate Rules (BCRs) for internal transfers within the Twilio group, which have been approved by EU regulators, further safeguarding data moving through Twilio’s global infrastructure.
  • Privacy Frameworks: We monitor and make use of recognized transfer frameworks where available. For example, if transferring data to the U.S., we check if the recipient is certified under the EU-U.S. Data Privacy Framework (the successor to Privacy Shield) or similar frameworks, which can facilitate compliant transfers. Google, for instance, is certified under the EU-U.S. framework. While we primarily rely on SCCs, these certifications provide an added layer of assurance.
  • African Union Convention Compliance: We support the spirit of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) which encourages member states to implement strong data protection measures. Although few African countries have fully implemented it yet, our practices of obtaining consent for cross-border transfers and ensuring contractually binding safeguards align with its principles of protecting personal data across borders. We treat data from African users with the same level of care as EU data, applying robust safeguards for any international handling.
  • Data Sovereignty Accommodations: For certain sensitive projects (for example, data collected on behalf of a government or a donor project with strict requirements), we can agree to specific data residency and access clauses. This might include ensuring data remains within a certain country or that only personnel of a certain nationality support the project. We will transparently communicate where data is stored. If an international support staff needs to access data (e.g. our EU support engineer assisting an African client), that is also considered a transfer – in those cases, we ensure such access is temporary, secure, and covered by confidentiality and transfer safeguards.
  • Transparency and Individual Rights: If your personal data is collected in the EU, you have a right to be informed of its potential international transfers. We hope this section provides clarity. If you have concerns about a particular transfer (for example, if you are in the EU and want to ensure your data isn’t accessed from outside the EU), please contact us. In some cases, we can make special arrangements or provide additional assurances. Ultimately, any cross-border transfer we perform will have adequate safeguards in place to protect your data so that it remains protected to the standards of your home jurisdiction.

By using our Platform or submitting information to us, you understand that your personal data may be transferred or stored in servers located in different countries. However, such transfers will always be done in compliance with applicable laws, and we will protect your data no matter where it is processed. We remain responsible for its safety during international transfer and storage.

User Rights and Choices

We are committed to upholding the rights of individuals (“data subjects”) over their personal data. Depending on your location and applicable law (such as GDPR in Europe, UK Data Protection Act, South Africa’s POPIA, Nigeria’s NDPR, California’s CCPA/CPRA, etc.), you may have some or all of the following rights. We extend these rights to all users as a best practice, even if not mandated in every jurisdiction:

  • Right to Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we are processing it. For example, if you have submitted grievances, you can request to see what data of yours is on the Platform. We can provide this in a commonly used electronic form. For EU users, this corresponds to GDPR Art. 15 (Data Subject Access Request). We will respond within a reasonable timeframe (within 30 days, or as required by law).
  • Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request its correction. This could apply to your contact information or any factual mistakes in a grievance. In many cases, you can directly edit your profile information via account settings. For other data, you can contact us or the relevant client organization to have it amended. We will promptly correct verified inaccuracies.
  • Right to Erasure (Right to be Forgotten): You may request the deletion of your personal data in certain circumstances. For instance, if you created an account or submitted a complaint as a private individual and now wish to withdraw it and have your data removed, you can ask us to erase your data. We will do so provided there is no overriding need to keep it (e.g., a legal obligation or an unresolved serious grievance). If complete deletion is not feasible (for example, if the data is needed to fulfill contractual obligations or legal claims), we will inform you and may offer to anonymize the data instead. Account holders can also typically delete their accounts through the interface, which triggers removal of personal info from active systems. Once deleted, data cannot be reinstated, so please be sure before requesting this. (Note: If your data was provided to us by a client organization, we may need to coordinate with them, as they might be the controller who must approve the deletion.)
  • Right to Restrict Processing: You have the right to ask us to limit the processing of your data in certain scenarios – for example, while a complaint about data accuracy or our processing basis is being resolved. When processing is restricted, we will store the data but not actively use it until the issue is resolved.
  • Right to Object: You may object to our processing of your personal data when we base it on legitimate interests, including any profiling (which we do not really perform except basic analytics). You also have an unconditional right to object to your data being used for direct marketing purposes (though we currently do not use data for unsolicited marketing). If you object, we will evaluate your request and unless we have a compelling legitimate ground to continue processing (or a legal requirement), we will stop processing the data in question.
  • Right to Data Portability: For data you provided to us, you have the right to receive it in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible (GDPR Art. 20). In practice, if you request it, we can provide your submitted grievance details or account information in a CSV or JSON file. This might be useful if you want to port your data to another system. Our Platform also has built-in data export features (for example, you can export a grievance log).
  • Right to Withdraw Consent: If we are processing your data based on consent (e.g. you consented to a survey, or to Google Analytics cookies), you have the right to withdraw that consent at any time. You can do so by changing your settings (for cookies, you can update your cookie preferences or use the opt-out mechanisms described below) or by contacting us. Once consent is withdrawn, we will cease the related processing. Note that withdrawal does not affect the lawfulness of processing before the withdrawal.
  • Rights related to Automated Decision-Making: Our Platform does not make any legally significant decisions about individuals purely by automated means (no automated profiling or decisions without human involvement). In the event that changes and we introduce such features (for example, an AI-based risk rating for a grievance), you would have the right not to be subject to a decision based solely on automated processing that significantly affects you, and to request human intervention. We would also update this policy to reflect such processing.
  • California Privacy Rights: If you are a California resident, in addition to the above rights, you have the right to know what categories of personal information we have collected about you in the past 12 months, the categories of sources, the business purpose for collection, the categories of third parties with whom we shared it, and if applicable, the categories of information sold (we do not sell data, so none in our case). You also have the right to request deletion of your personal information (as described above), and the right not to receive discriminatory treatment for exercising your privacy rights. While our services are primarily B2B and not directed to California consumers, we will honor CCPA requests as applicable.
  • Other Jurisdictions: If you are in a jurisdiction with additional rights (e.g., the right to lodge a complaint with an authority, or rights under Africa-specific laws), know that we respect all applicable rights. For instance, EU and many other regions give you the right to lodge a complaint with a supervisory data protection authority if you believe we have infringed your privacy rights. We ask that you first give us the chance to address your concerns, but you are entitled to contact your local Data Protection Authority (DPA) or regulator (e.g. in the EU, your country’s DPA; in Kenya, the Office of the Data Protection Commissioner; in Nigeria, NITDA for NDPR; in the UK, the ICO; etc.).

Exercising Your Rights: To exercise any of your rights, please contact us at privacy@grievance.app with your request. Because we take privacy seriously, we will need to verify your identity to ensure that we do not disclose or alter data for an impostor. For certain requests (access, portability), if the data involves a grievance managed by a client, we may consult the client organization (the controller) to ensure proper handling. We will respond to your request as soon as possible and in any event within the timeframe required by law (for example, within one month for GDPR, which can be extended by two further months if necessary with notice to you). There is normally no fee for exercising rights, but excessive or unfounded requests may incur a reasonable fee or be declined as permitted by law.

Opt-Out of Communications: If we send any non-essential communications (such as a newsletter or event announcement), you can opt out by using the “unsubscribe” link in the email or by adjusting your account preferences. Transactional communications (like grievance status updates or security alerts) are necessary for the service, but if you believe you are receiving communications in error, let us know.

Opt-Out of Analytics and Cookies: You can refuse or disable cookies through your browser settings. You can also use tools like the Google Analytics Opt-Out Browser Add-on which prevents Google Analytics from collecting your data on any site. On our site, you can also find a cookie settings link to adjust preferences at any time. Note that blocking certain cookies (like our session cookie) might affect functionality of the Platform.

We are dedicated to respecting your rights. Our goal is to be transparent and fair in how we handle personal data. If you have any questions about your rights or how to exercise them, please contact us and we will guide you.

Special Provisions for Sensitive & Anonymous Grievances (Survivor-Centered Approach)

Some types of grievances require extra precautions due to their sensitive nature – notably those involving Gender-Based Violence (GBV), Sexual Exploitation or Abuse, Sexual Harassment (SEA/SH), whistleblower reports of corruption, or other cases where the reporter or victim faces significant personal risk. Grievance.app is designed to incorporate survivor-centered and confidential handling protocols for such cases, and this is reflected in how we protect privacy:

  • Anonymous Reporting: As mentioned, we allow anonymous submissions. No one is required to identify themselves when reporting sensitive incidents if they are not comfortable. We recognize anonymity can be crucial for safety. When a complaint is submitted anonymously, we treat it with the same seriousness. The data is logged without any personal identifiers. We do not attempt to track or identify anonymous reporters (e.g., we do not use hidden trackers or source tracing beyond general network logs) – in fact, our system explicitly marks these cases as anonymous and limits any collection of metadata that could identify the reporter. For example, if an anonymous SMS report is received, we might still see the phone number as part of the SMS metadata; in such scenarios, if anonymity is requested, we can configure our system or procedures so that the phone number is masked or not revealed to case managers (only a unique code). We make sure that participants’ data remains anonymous and protected, given the sensitive nature of GBV and abuse information.
  • Confidentiality and Need-to-Know Access: For GBV/SEA grievances, only a restricted “GBV squad” or designated officials who have been trained and vetted will have access to the case details. These users often have additional agreements or codes of conduct binding them to maintain confidentiality. Within the Platform, such cases can be segregated so that general grievance officers cannot see the content. We also encourage practices like using unique identifiers instead of real names in system workflows for these cases. Any sharing of data with outside referral services (e.g., referring a survivor to a support NGO) is done with consent and through secure channels.
  • Survivor Safety Measures: We avoid any action that could inadvertently expose a survivor’s identity or the fact they filed a complaint. For instance, we will not send a confirmation message or email for a GBV report if the person indicated it’s unsafe to do so. We will not include identifying information in subject lines or external communications. Our notifications are discreet. The Platform also allows the reporter to specify preferred contact methods or to request no contact (except via safe channels).
  • Data Handling Protocols: Data about GBV cases is considered highly sensitive. We store it with heightened security (as described, encryption, etc.). When data is exported or shared in reports, we ensure redaction of personal info. If we ever need to analyze GBV data to improve our services, we do so on an aggregated level. We also implement longer retention of audit logs for these cases to ensure we can trace any access. Additionally, we can implement additional encryption (sometimes called “encryption at field level”) for especially sensitive fields, meaning that even our database admins cannot read the raw data without going through the application layer.
  • Do No Harm & Ethical Standards: We align our approach with international best practices for handling GBV data (such as those from the UN Spotlight Initiative and GBVIMS guidelines) which emphasize Do No Harm, informed consent, safety, confidentiality, and non-discrimination. This means, for example, that if a survivor shares information, it’s their decision how it’s used; we will not share it further unless it’s necessary and with consent. They can also choose to withdraw or modify their report. We respect their agency in the process. All personnel involved are trained on trauma-informed responses and data privacy ethics.
  • Survivor and Whistleblower Protections: We acknowledge that improper handling of data in these cases can lead to retaliation or further harm. Thus, we have built-in measures like non-editable timestamps (to prevent tampering with evidence), secure communication channels for follow-up that don’t expose identity, and two-factor authentication for users accessing these cases (to prevent account compromise). We also ensure that any data sharing is protocol-based – for example, if a GBV case must be shared with law enforcement or a donor, it should be only done with the survivor’s consent unless legally mandated, and via secure transfer. We log all such access.

In summary, when it comes to anonymous and survivor-sensitive grievances, Grievance.app goes above and beyond standard privacy measures. Our goal is to create a safe digital space where people can report issues without fear, knowing their personal information is guarded with the utmost care. This commitment not only protects individuals but also builds trust in the grievance mechanism, which is essential for its effectiveness.

Security Measures Summary

(For ease of reference, we summarize our key security and data protection measures, combining technical and organizational protections):

  • Data encryption in transit (TLS) and at rest on servers.
  • Hosting on secure cloud infrastructure with compliance certifications (ISO 27001, SOC 2 etc.).
  • Regular security updates, vulnerability scanning, and penetration tests.
  • Strict access control, least privilege principle for both our staff and within client user roles.
  • Multi-factor authentication (MFA) for administrative access and available for client users.
  • Continuous infrastructure monitoring and 24/7 uptime management to quickly address any issues.
  • Detailed audit logs of system access and data changes, reviewed periodically.
  • Business continuity and disaster recovery plans (with encrypted backups).
  • Staff training on data protection and confidentiality, with specialized training on GBV/SEA case handling for relevant staff.
  • Contracts and DPAs in place with all sub-processors to enforce equivalent security standards.
  • Pseudonymization and anonymization techniques applied where appropriate to limit exposure of personal identities.
  • Incident response procedure: if an incident occurs, immediate containment, investigation, notification, and remediation steps are executed. We also would communicate honestly about any impacts and how we are addressing them.
  • Periodic audits and assessments, possibly including independent audits if required by clients (we can support external audits by client’s security teams as part of enterprise due diligence).

Our security program is continually improved and overseen by our leadership to ensure we meet the expectations of enterprise and institutional clients. Protecting user data is fundamental to our mission of fostering trust through grievances redressal.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services or legal obligations. When we make significant changes, we will notify our clients and/or users through appropriate channels (e.g., via email or through the Platform interface) and update the “Effective Date” at the top. We encourage you to review this Policy periodically to stay informed about how we protect your data. Historical versions of the policy can be provided upon request for reference.

If we intend to process your personal data for a new purpose not covered by this Policy, we will provide you with notice and, if required, request your consent before doing so.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal data is handled, please contact us:

Grievance.app – Privacy Office
Email: privacy@grievance.app
Website: https://grievance.app/contact 

We will respond as promptly as possible to address your inquiry. If you are an end-user of our Platform (e.g., you submitted a grievance) and you reach out to us, please note we may also coordinate with the organization to which you submitted the grievance to assist with your query.

By using Grievance.app, you acknowledge that you have read and understood this Privacy Policy. We are dedicated to protecting your privacy and ensuring that your grievance data is handled securely and lawfully. Thank you for trusting Grievance.app with these important matters.

This Privacy Policy is intended to be comprehensive and transparent. Grievance.app values privacy, accountability, and the trust of those who use our Platform. We believe that a strong privacy policy is not just a legal requirement but a cornerstone of good governance and user trust.

Get started

Empower your team with grievance.app

Begin transforming your grievance processes. Our platform offers tools to enhance efficiency and transparency.

Get started
Contact sales
Screenshot of the Grievance application's getting started page. Forum. privacy policy. Terms and Conditions.