Privacy Policy
Effective Date: April 4, 2026
1. Introduction
Welcome to GreenTomato, a Universal Membership POS & Traceability Platform operated by Eyona Software Development (Pty) Ltd ("we", "us", "our"), a company based in Cape Town, South Africa.
GreenTomato is a cloud-enabled Progressive Web Application (PWA) designed for dispensaries, restaurants, retail stores, and specialty shops. Our platform provides point-of-sale processing, membership management, member onboarding and compliance, supplier management, full product traceability from supplier to customer, loyalty and rewards programmes, digital wallets, and store credit functionality.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website, web application, mobile applications (Android and iOS), and related services (collectively, the "Platform"). By accessing or using GreenTomato, you acknowledge that you have read and understood this Privacy Policy.
We are committed to protecting your privacy in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa, the General Data Protection Regulation (GDPR) of the European Union, and other applicable data protection laws.
2. Information We Collect
We collect and process different categories of information depending on how you interact with our Platform.
2.1 Account and Business Information
When you register for a GreenTomato account or contact us, we collect:
- Full name, email address, and phone number
- Business name, industry, and business registration details
- Login credentials (passwords are stored in hashed form only)
- Information submitted through our contact form: full name, email, phone, industry, and message content
2.2 Member Data (Profiles, Compliance Documents, and IDs)
If you operate a membership-based business on our Platform, we process the following data about your members:
- Member profiles including name, contact information, and demographic details
- Government-issued identification numbers and copies of identity documents
- Compliance and onboarding documents (e.g., membership applications, consent forms, regulatory filings)
- Membership status, tier, and history
Important: Compliance document data is processed strictly for regulatory and legal obligations applicable to your industry. We store this data with enhanced security controls as described in Section 6.
2.3 Transaction and Payment Data
Our POS system processes and records:
- Transaction amounts, dates, times, and itemised line items
- Payment method type (cash, card, EFT, store credit)
- Card transaction references (we do not store full card numbers; these are handled by our PCI-DSS-compliant payment processors)
- Refund and void records
- Store credit balances and digital wallet activity
- Loyalty points accumulation and redemption history
- POS transaction logs including terminal identifiers and operator details
2.4 Product and Supplier Traceability Data
To enable full traceability from supplier to customer, we collect:
- Supplier names, contact details, registration and licence information
- Product names, descriptions, batch/lot numbers, and SKUs
- Supply chain records: date of receipt, quantities, origin, and chain-of-custody documentation
- Quality and compliance certifications associated with products or batches
- Inventory movement logs linking products to specific sales transactions
2.5 Device and Usage Data
When you access the Platform, we automatically collect:
- Device type, operating system, and browser version
- IP address and approximate geographic location
- Pages visited, features used, and time spent on the Platform
- Error logs and performance data
- Referring URLs and search terms that led you to our Platform
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing our Services: Operating the POS system, processing transactions, managing memberships, tracking product traceability, and maintaining digital wallets and loyalty programmes
- Account Management: Creating and maintaining your account, authenticating your identity, and managing your subscription
- Compliance and Regulatory Obligations: Fulfilling legal requirements for member onboarding, identity verification, and industry-specific record keeping
- Transaction Processing: Facilitating payments via cash, card, EFT, and store credit, and generating receipts and financial records
- Traceability: Maintaining a complete chain of custody for products from supplier receipt to customer sale
- Communication: Responding to your enquiries, sending service-related notifications, and providing customer support
- Security and Fraud Prevention: Monitoring for unauthorised access, detecting fraudulent transactions, and protecting the integrity of the Platform
- Improvement and Analytics: Analysing usage patterns to improve our Platform, fix bugs, and develop new features
- Legal Compliance: Complying with applicable laws, regulations, and legal processes
5. Data Retention
We retain your information for as long as necessary to fulfil the purposes described in this Policy, including:
- Account data: Retained for the duration of your active account and for a reasonable period after account closure to comply with legal obligations
- Transaction and POS data: Retained for a minimum period as required by applicable tax and financial regulations (typically 5 to 7 years)
- Member compliance documents: Retained in accordance with industry-specific regulatory requirements, which may mandate longer retention periods
- Product traceability records: Retained for the period required by applicable supply chain and safety regulations
- Usage and device data: Retained for up to 24 months for analytics and security purposes
When data is no longer required, we securely delete or anonymise it using industry-standard methods.
6. Data Security
We implement robust technical and organisational measures to protect your information, including:
- Encryption of data in transit (TLS/SSL) and at rest (AES-256)
- Secure, access-controlled cloud infrastructure
- Role-based access controls ensuring employees and operators can only access data necessary for their functions
- Regular security assessments and vulnerability testing
- Secure hashing of passwords and authentication tokens
- Audit logging of access to sensitive data including compliance documents and traceability records
- Multi-tenant data isolation at the application and database layers
POS Transaction Security: All POS transaction data is transmitted over encrypted channels. Card payment data is processed by PCI-DSS-compliant payment processors and is never stored in its complete form on our servers. POS transaction logs are protected with access controls and audit trails.
While we strive to protect your information, no method of electronic transmission or storage is completely secure. We encourage you to use strong passwords and to contact us immediately if you suspect any unauthorised access to your account.
7. Your Rights
Depending on your jurisdiction, you may have the following rights under applicable data protection laws, including the Protection of Personal Information Act (POPIA) and the General Data Protection Regulation (GDPR):
- Right of Access: Request a copy of the personal information we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete personal information
- Right to Erasure: Request deletion of your personal information, subject to legal retention obligations
- Right to Restriction: Request that we limit the processing of your personal information in certain circumstances
- Right to Data Portability: Receive your personal information in a structured, commonly used, machine-readable format
- Right to Object: Object to the processing of your personal information for certain purposes, including direct marketing
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time
- Right to Lodge a Complaint: File a complaint with the Information Regulator (South Africa) or the relevant supervisory authority in your jurisdiction
To exercise any of these rights, please contact us using the details provided in Section 12. We will respond to your request within 30 days, or within the timeframe required by applicable law.
Please note that certain data, particularly transaction records and compliance documentation, may be exempt from deletion requests due to legal retention requirements.
8. Member Data & Compliance
GreenTomato serves businesses that operate membership-based models, including dispensaries and other regulated establishments. This section addresses the special data handling requirements for member compliance data.
8.1 Dispensary and Regulated Business Compliance
Businesses operating in regulated industries may be required to collect and retain specific member information for compliance purposes. GreenTomato facilitates the collection, storage, and management of this data on behalf of the business operator (the data controller). We act as a data processor for member compliance data.
- Identity verification documents are stored with encryption and access restrictions
- Compliance documents are retained for the period mandated by the relevant regulatory framework
- Access to member compliance data is restricted to authorised personnel within the business and, where required, regulatory authorities
- Complete audit trails are maintained for all access to and modifications of compliance records
8.2 Product Traceability Chain
Our traceability system maintains a complete record of product movement from supplier intake to customer sale. This chain of custody data is critical for regulatory compliance and product safety.
- Each product or batch is linked to its supplier, receipt date, and any associated compliance certifications
- Sales records connect specific products to individual transactions, enabling full forward and backward traceability
- Traceability data is retained in accordance with applicable industry regulations and cannot be modified once recorded
8.3 Data Controller and Processor Roles
For member data collected through the Platform, the business operating the GreenTomato account is the data controller. Eyona Software Development (Pty) Ltd acts as the data processor, handling data on the controller's behalf in accordance with a data processing agreement. Business operators are responsible for ensuring they have the appropriate legal basis for collecting and processing their members' personal information.
9. Children's Privacy
GreenTomato is not directed at children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately so that we can take steps to delete such information.
Membership-based businesses using our Platform are responsible for ensuring that they do not onboard members below the minimum age required by applicable laws and regulations.
10. International Data Transfers
GreenTomato is operated from South Africa. Your information may be stored and processed in South Africa or in other countries where our hosting providers and service partners operate.
When we transfer personal information outside of South Africa or the European Economic Area, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Data processing agreements with all third-party service providers
- Ensuring that the receiving jurisdiction provides an adequate level of data protection, or that appropriate supplementary measures are implemented
By using our Platform, you acknowledge that your information may be transferred to and processed in jurisdictions outside your country of residence.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Post the revised policy on our Platform
- Notify you via email or through an in-app notification for significant changes
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Eyona Software Development (Pty) Ltd
Cape Town, South Africa
Email: info@eyonasoftware.co.za
Phone: +27 87 058 9661
For complaints regarding the handling of your personal information, you may also contact the Information Regulator (South Africa) at inforegulator.org.za.