Privacy Policy

GoNoGo Ratings and Reviews Ltd.

Effective date: 14 April 2026

This Privacy Policy explains how GoNoGo Ratings and Reviews Ltd ("GoNoGo", "we", "us", or "our") collects, uses, stores, shares, and protects your personal information when you visit or use www.gonogo.co.za (the "Website") and any related services, mobile applications, or digital platforms we may offer (collectively, the "Services").

GoNoGo Ratings and Reviews Ltd is registered in England and Wales (company number 16433454). Although we are a UK-registered entity, this Privacy Policy is designed to comply with the Protection of Personal Information Act 4 of 2013 ("POPIA") of South Africa, which applies because our Website is directed at, and processes personal information of, persons located in South Africa.

By using our Website and Services you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our Services.

Contents

1. Who We Are and How to Contact Us

Responsible Party (Operator under POPIA):
GoNoGo Ratings and Reviews Ltd
Registered in England and Wales, company number 16433454

Contact details for privacy enquiries:
Email: support@gonogo.co.za
Website: www.gonogo.co.za

For all requests relating to your personal information — including access, correction, deletion, or complaints — please contact us at the email address above. We will acknowledge your request within 3 business days and respond fully within 30 days, as required by POPIA.

2. Definitions

In this Privacy Policy, unless the context indicates otherwise:

  • "POPIA" means the Protection of Personal Information Act 4 of 2013, as amended.
  • "personal information" has the meaning given in POPIA: information relating to an identifiable, living, natural person (or identifiable existing juristic person), including but not limited to information relating to race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language, birth, education, identity number, telephone number, email address, physical address, online identifiers, financial information, criminal behaviour, and private correspondence.
  • "processing" means any operation or activity concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, transmission, distribution, or deletion.
  • "responsible party" means the entity that determines the purpose and means of processing personal information. GoNoGo is the responsible party in respect of personal information processed through the Website.
  • "operator" means a person or entity that processes personal information for a responsible party in terms of a contract or mandate.
  • "data subject" means the natural person to whom the personal information relates.
  • "Information Regulator" means the Information Regulator of South Africa, established under section 39 of POPIA.

3. Personal Information We Collect

We collect the following categories of personal information, depending on how you interact with our Services:

3.1 Information You Provide Directly

  • Comment and review information: your display name or chosen name, and the text of any comment, rating, or review you submit on the Website.
  • Account registration information: display name, email address, and a password (which is hashed and stored securely — we never store your plain-text password). When you create an account, we also store your region (South Africa or United Kingdom) and a unique account identifier. We may collect account activity history and preferences as the service evolves.
  • Social / Single Sign-On (SSO) login: if you choose to sign in using Google Sign-In or Apple Sign-In, we receive your name and email address from the respective identity provider. We do not receive your password for those accounts.
  • Communications: any information you include when contacting us via email at support@gonogo.co.za, including your name, email address, and the content of your message.
  • Brand portal credentials: if you are an authorised brand or administrator user, we collect your login credentials and associated session data.

3.2 Information Collected Automatically

  • Technical information: IP address, browser type and version, operating system, device type, referring URLs, pages visited on the Website, and timestamps of visits.
  • Session and authentication tokens: JSON Web Tokens (JWTs) and refresh tokens managed by Supabase Auth for authenticated sessions.
  • Analytics information: aggregated and, where possible, anonymised usage data collected via Google Analytics (GA4) — including pages viewed, session duration, geographic region, and browser/device information — but only after you have given your consent through our cookie consent mechanism.
  • Local storage data: certain preference and session data is stored in your browser's local storage (see Section 7 for details).

3.3 Future Data Collection

We may in the future expand our Services to include mobile applications (iOS and/or Android). If and when we do so, this Privacy Policy will be updated to reflect any additional categories of personal information collected through those applications (which may include device identifiers, push notification tokens, and location data if permission is granted). We will notify you of any material changes in accordance with Section 15 of this policy.

4. How We Collect Personal Information

We collect personal information through the following means:

  • Directly from you when you submit a comment or review, register for an account, sign in via a social/SSO provider, contact us by email, or interact with brand portal features.
  • Automatically through your use of the Website, via server logs, Supabase database and authentication services, and (with your consent) Google Analytics.
  • From third-party identity providers (Google, Apple) when you choose to authenticate via SSO.
  • From your browser's local storage, where we write and read certain preference and session values as described in Section 7.
  • In future, from mobile applications should we develop them.

5. Purposes for Which We Process Personal Information

We process your personal information for the following purposes:

5.1 Providing and Operating the Services

  • To display your comments, ratings, and reviews on the Website.
  • To create, manage, and authenticate your user account (including via SSO providers).
  • To manage brand portal and administrator access.
  • To maintain the technical operation, security, and integrity of the Website and its database.
  • To manage user sessions via JWTs and refresh tokens.

5.2 Communications

  • To respond to your queries or support requests submitted via email.
  • To send transactional emails via Resend, including account verification emails, password reset emails, and service notifications. These emails are essential to the operation of your account and are sent on the basis of contract performance.

5.3 Analytics and Service Improvement

  • To understand how visitors use the Website, identify popular content, and improve the user experience — using aggregated, anonymised analytics data collected via Google Analytics (GA4), with your consent.

5.4 Security, Fraud Prevention, and Legal Compliance

  • To detect, investigate, and prevent fraudulent activity, abuse, spam, or other harmful behaviour.
  • To comply with applicable laws and regulations, including POPIA.
  • To establish, exercise, or defend legal claims.

5.5 Remembering Your Preferences

  • To remember your display preferences (e.g., light or dark theme) so that your experience is consistent across visits.
  • To remember your cookie consent choice so we do not ask repeatedly.

6. Lawful Grounds for Processing

POPIA requires that the processing of personal information must be lawful, and one or more of the following conditions for lawful processing must apply. The grounds we rely on are:

  • Consent (section 11(1)(a) POPIA): where you have given specific, informed, and voluntary consent — for example, for Google Analytics tracking, which is only activated after you accept cookies via our consent banner. You may withdraw consent at any time (see Section 7).
  • Performance of a contract (section 11(1)(b) POPIA): where processing is necessary to perform a contract to which you are a party or to take steps at your request prior to entering into a contract — for example, account creation, session management, and sending transactional emails.
  • Compliance with a legal obligation (section 11(1)(c) POPIA): where we are required by law to retain or disclose personal information.
  • Legitimate interests (section 11(1)(f) POPIA): where processing is necessary for pursuing our legitimate interests or those of a third party, provided those interests are not overridden by your interests or fundamental rights — for example, maintaining server logs for security and abuse prevention, and ensuring the integrity and availability of the Website.

7. Cookies, Local Storage, and Tracking Technologies

7.1 What We Use

We use browser local storage (not traditional HTTP cookies) for the following specific purposes:

  • gonogo_theme — stores your display theme preference (dark or light mode). This is a strictly functional preference and is set as soon as you make a theme choice.
  • gonogo_cookie_consent — stores your response to our cookie consent banner (accepted or declined). This ensures we do not repeatedly display the consent prompt.
  • adminUser / adminLoginTime — stores session identifiers for authenticated administrator portal users.
  • brandUser / brandLoginTime — stores session identifiers for authenticated brand portal users.
  • Research date and brand override values — stores temporary UI state for brand research features.

In addition, Supabase Auth sets session-related items in local storage (including JWT access tokens and refresh tokens) when you sign in to your GoNoGo account. These tokens are used to keep you signed in across pages and visits, and are automatically removed when you sign out.

7.2 Google Analytics

We use Google Analytics 4 (measurement ID: G-2C18K0YYXM) to collect aggregated, anonymised information about how visitors use the Website. Google Analytics is loaded only after you have given your consent through our cookie/analytics consent banner. We have enabled IP anonymisation (anonymize_ip: true), which means your IP address is truncated before being processed by Google.

If you decline analytics tracking, Google Analytics scripts will not be loaded and no GA data will be collected about your visit. You may change your consent preference at any time by clearing your gonogo_cookie_consent value from your browser's local storage, which will cause the consent banner to reappear on your next visit.

For more information about how Google processes analytics data, please see Google's Privacy Policy and Google Analytics data practices.

7.3 Managing Your Preferences

You can clear all local storage data stored by this Website by using your browser's developer tools or privacy settings. Note that clearing session tokens will log you out of any active account session, and clearing the theme preference will reset your display settings.

Most modern browsers also allow you to block or restrict the use of local storage and cookies. Please consult your browser's help documentation for instructions.

8. Third-Party Operators and Sub-Processors

We share personal information with the following third-party operators and sub-processors who assist us in providing and operating the Services. Each operator is required to process personal information only for the purposes we specify and to implement appropriate security measures.

8.1 Supabase (Database and Authentication)

Supabase, Inc. provides our database, authentication, and edge function infrastructure. All user account data, comment data, and authentication records (including hashed passwords, JWT tokens, and session information) are stored in Supabase. Our Supabase project is hosted in the EU West 1 (Ireland) AWS region.

Privacy information: supabase.com/privacy

8.2 Vercel (Hosting and Deployment)

Vercel, Inc. hosts and deploys the Website. Vercel may process certain technical information (such as IP addresses and request logs) as part of delivering web content and managing deployments.

Privacy information: vercel.com/legal/privacy-policy

8.3 Resend (Transactional Email)

Resend, Inc. provides our transactional email infrastructure. We use Resend to send account verification emails, password reset emails, and service notifications. To deliver these emails, Resend processes your email address and the content of the emails we send.

Privacy information: resend.com/legal/privacy-policy

8.4 Google Analytics (Analytics)

Google LLC provides Google Analytics (GA4), which we use — with your consent — to analyse Website usage. Google processes analytics data on our behalf subject to a Data Processing Amendment. IP anonymisation is enabled.

Privacy information: policies.google.com/privacy

8.5 Google and Apple (SSO Identity Providers)

If you choose to sign in using Google Sign-In or Apple Sign-In, the respective provider (Google LLC or Apple Inc.) will authenticate you and share your name and email address with us. The use of these services is subject to each provider's own privacy policy. We do not receive your password for those services.

Google privacy: policies.google.com/privacy
Apple privacy: apple.com/za/privacy

8.6 GitHub (Code Hosting)

GitHub, Inc. (a subsidiary of Microsoft Corporation) hosts our application source code. GitHub does not process end-user personal information in the ordinary course of code hosting, but may process personal information of our development team members.

Privacy information: GitHub Privacy Statement

8.7 Disclosure to Authorities

We may disclose personal information to law enforcement, regulatory authorities (including the Information Regulator), or courts if required to do so by applicable law, or where we reasonably believe disclosure is necessary to protect our legal rights, prevent fraud or harm, or comply with a valid legal process.

We will not sell, rent, or otherwise trade your personal information to any third party for their own marketing or commercial purposes.

9. Cross-Border and International Transfers of Personal Information

POPIA section 72 restricts the transfer of personal information outside South Africa unless adequate protections are in place. Because our Services rely on internationally hosted infrastructure, your personal information may be transferred to and processed in countries outside South Africa, including:

  • European Union / Ireland (EU/EEA) — Supabase database and authentication infrastructure is hosted in AWS EU West 1 (Dublin, Ireland), within the EU. The EU maintains data protection standards broadly equivalent to POPIA through the General Data Protection Regulation (GDPR).
  • United Kingdom — GoNoGo is a UK-registered company and certain operational activities may involve processing in the UK. The UK has adopted equivalent data protection standards through UK GDPR.
  • United States — Vercel (hosting/deployment), Resend (transactional email), GitHub (code hosting), and Google (Analytics, SSO) are US-based companies, and your personal information may be processed on servers located in the United States. These companies participate in recognised data transfer frameworks and implement contractual protections (such as Standard Contractual Clauses) where required.

By using the Website, you acknowledge that your personal information may be transferred to, stored in, and processed in jurisdictions outside South Africa as described above. We take reasonable steps to ensure that any such transfers occur only to recipients that are subject to binding agreements or legal frameworks that provide an adequate level of protection for personal information consistent with POPIA.

If you have questions about the specific safeguards applicable to any international transfer, please contact us at support@gonogo.co.za.

10. Data Retention

We retain personal information only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

  • Comment and review data: retained for as long as the comment or review is published on the Website, and for a reasonable period thereafter (up to 3 years) for archival and accountability purposes. You may request deletion at any time (see Section 12).
  • User account data (name, email, hashed password, preferences): retained for the duration of your account's existence and for up to 2 years following account deletion or deactivation, unless a longer period is required by law or for the resolution of disputes.
  • Authentication tokens (JWTs and refresh tokens): access tokens are short-lived (typically minutes to hours) and expire automatically. Refresh tokens are invalidated upon sign-out or expiry as managed by Supabase Auth.
  • Server and access logs (technical/IP data): retained for up to 12 months for security, abuse prevention, and debugging purposes, after which they are deleted or anonymised.
  • Analytics data (Google Analytics): retained in Google Analytics for a default period of 14 months, as configured in our GA4 property settings.
  • Transactional email records: email delivery logs (recipient address, timestamp, delivery status) are retained for up to 12 months.
  • Communications (support emails): correspondence with us via email is retained for up to 3 years, unless a longer period is needed for legal or compliance purposes.
  • Local storage values (browser-side): these persist in your browser until you clear them or they are overwritten. They are not stored on our servers beyond what is described above.

At the end of any applicable retention period, personal information is securely deleted or anonymised. Where anonymisation is not feasible, we apply appropriate access controls to restrict use of the data.

11. Security

We implement appropriate technical and organisational measures to safeguard personal information against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • All data transmitted between your browser and the Website is encrypted using TLS/HTTPS.
  • User passwords are hashed using industry-standard cryptographic algorithms via Supabase Auth before storage — we never store plain-text passwords.
  • Access to personal information stored in our Supabase database is controlled via Row Level Security (RLS) policies, ensuring users can only access their own data.
  • Administrator and brand portal access requires authenticated sessions managed via JWT tokens with defined expiry periods.
  • Our infrastructure providers (Supabase, Vercel) maintain their own security certifications and compliance programmes (including SOC 2).
  • We limit access to personal information to those employees, contractors, and operators who require it for legitimate business purposes.

While we take all reasonable steps to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security. In the event of a security compromise that is reasonably likely to adversely affect your interests, we will notify you and the Information Regulator as required by POPIA section 22.

12. Your Rights as a Data Subject

POPIA grants you, as a data subject, the following rights in relation to your personal information processed by GoNoGo. You may exercise any of these rights by contacting us at support@gonogo.co.za. We will respond within 30 days of receiving your request.

12.1 Right to be Notified

You have the right to be notified when GoNoGo collects personal information about you, including the purposes for which it is collected, and this Privacy Policy fulfils part of that obligation.

12.2 Right of Access

You have the right to request confirmation of whether we hold personal information about you, and to request a copy of that personal information (commonly called a "data access request" or PAIA request). We may charge a reasonable fee for this in accordance with the Promotion of Access to Information Act (PAIA) and any applicable regulations.

12.3 Right to Correction or Deletion

You have the right to request that we correct inaccurate, misleading, or out-of-date personal information we hold about you. You also have the right to request the deletion or destruction of your personal information where:

  • the information is no longer necessary for the purpose for which it was collected;
  • you have withdrawn your consent (where processing was based on consent) and there is no other lawful basis for processing;
  • you have objected to the processing and your interests override our legitimate interests;
  • the personal information has been unlawfully processed.

Note that we may be required to retain certain personal information by law, or where the information is necessary to establish, exercise, or defend legal claims, notwithstanding a deletion request.

12.4 Right to Object

You have the right to object to the processing of your personal information on the grounds of legitimate interest (section 11(3) POPIA). If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests or rights, or the processing is necessary for a legal claim.

12.5 Right to Withdraw Consent

Where we process your personal information based on your consent (e.g., for Google Analytics), you may withdraw that consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. To withdraw consent for analytics, clear the gonogo_cookie_consent value from your browser's local storage, which will re-trigger the consent banner on your next visit.

12.6 Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing of personal information where those decisions have legal or similarly significant effects. GoNoGo does not currently use automated decision-making of this nature in relation to data subjects.

12.7 Right to Lodge a Complaint

If you believe we have handled your personal information in a manner that does not comply with POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa (see Section 16).

13. Children and Minors

Our Website and Services are intended for use by adults only. We do not knowingly collect personal information from persons under the age of 18. POPIA requires that the processing of personal information of children (persons under 18) be subject to additional protections, including the requirement for appropriate consent.

If you are under 18 years of age, please do not use our Website or submit any personal information to us. If you are the parent or guardian of a child and you believe the child has provided us with personal information, please contact us immediately at support@gonogo.co.za and we will take prompt steps to delete such information.

If we become aware that we have inadvertently collected personal information from a person under 18, we will delete that information as soon as reasonably practicable.

14. Links to Third-Party Websites

Our Website may contain links to third-party websites, including brand websites, comparison sources, and social media platforms. These third-party websites have their own privacy policies and we do not accept responsibility or liability for their content, practices, or handling of your personal information. We encourage you to review the privacy policy of any website you visit via a link from our Website.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other legitimate business reasons. When we make material changes, we will:

  • update the "Effective date" at the top of this page;
  • post the revised policy on this page; and
  • where we have your email address and the changes are material, notify you by email before the changes take effect.

Your continued use of the Website after the effective date of any revised Privacy Policy constitutes your acknowledgement of the changes. We encourage you to review this page periodically.

16. Complaints and the Information Regulator

If you have a concern about the way we have handled your personal information, we ask that you first contact us directly at support@gonogo.co.za so that we can attempt to resolve the matter.

If you are not satisfied with our response, or if you believe we are processing your personal information in contravention of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street
Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email (complaints): PAIAComplaints@inforegulator.org.za
Email (POPIA): POPIAComplaints@inforegulator.org.za
Website: www.inforegulator.org.za

You also have the right to seek civil remedies through the South African courts if you have suffered loss as a result of a contravention of POPIA.

This Privacy Policy was last reviewed and updated on 14 April 2026. GoNoGo Ratings and Reviews Ltd, registered in England and Wales, company number 16433454. For enquiries: support@gonogo.co.za.