Ngenani← Back to home
Legal

Privacy Policy

Effective: 29 May 2026

1. Who we are

Ngenani is a visitor management service for residential and business complexes, operated by Impaque LLC, a company registered in Illinois, United States (“Ngenani”, “we”, “our”, “us”). This policy explains the personal data we process, why, and your rights.

2. Who this policy covers

It covers four groups of users:

  • Residents who pre-register visitors and receive notifications.
  • Visitors whose details are recorded so a complex can let them in.
  • Guards who check visitors in and out at the gate.
  • Admins who manage residents, guards and complexes on behalf of a body corporate or estate operator.

3. Data we collect

  • Account data: name, phone number, WhatsApp number, email (admins), role, complex and unit assignment.
  • Authentication data: one-time codes sent via WhatsApp or email, session tokens, password hashes (admins only).
  • Visit data: visitor name, national ID number where collected, vehicle plate, expected arrival time, host resident, check-in/out timestamps, approval mode, and free-text notes recorded by the guard.
  • Visitor identification documents:a photograph of the visitor’s ID document where the complex policy requires it. Stored encrypted at rest and accessible only to admins of that complex.
  • Operational data: notification delivery status, audit logs of approvals and overrides, and device information needed for offline sync.
  • Billing data (admins only): Stripe customer reference, plan tier, invoice history. We do not store card numbers — they live with Stripe.

4. Why we process it

  • To run the service the complex has signed up for.
  • To authenticate residents, guards and admins.
  • To send transactional notifications (visit pre-registrations, arrival alerts, OTP codes, walk-up approval requests) via WhatsApp or email.
  • To maintain a visitor history for the complex’s security and audit needs.
  • To bill admin organisations and collect payment.
  • To investigate abuse, fraud, or violations of the acceptable-use policy.
  • To comply with legal obligations.

Our legal bases include contract (delivering the service the complex has subscribed to), legitimate interests (security, fraud prevention, service operation), consent (where required for marketing communications, which are off by default), and legal obligation.

5. Who acts as controller

The complex (its admin organisation) is the controller of resident and visitor data it enters into Ngenani. Ngenani acts as processor for that data, on the complex’s instructions. For account data of admin users, Ngenani is the controller. If you are a resident or visitor and want to exercise data rights, please contact your complex first; we will support them in responding.

6. Sub-processors and third parties

We use the following sub-processors. Each is bound by a data processing agreement and appropriate safeguards.

  • Vercel Inc. — application hosting, edge delivery, runtime logs.
  • Neon, Inc. — managed Postgres database.
  • Meta Platforms, Inc. — WhatsApp Business Platform for delivering notifications and OTP codes.
  • Resend, Inc. — transactional email delivery.
  • Cloudflare, Inc. — object storage (R2) for visitor ID document images.
  • Stripe, Inc. — subscription billing for admin organisations.

7. International transfers

Ngenani operates a US-registered company and processes data on infrastructure primarily located in the United States and the European Union. Where data is transferred outside its country of origin (including from Zimbabwe), we rely on the sub-processor’s standard contractual safeguards.

8. Retention

  • Account data: retained while the account is active and for up to 12 months after closure for dispute resolution.
  • Visit history: retained for the period set by the complex admin, typically 12 to 36 months, after which records are anonymised.
  • Visitor ID images: retained for a maximum of 90 days unless the complex specifies a shorter period.
  • Billing records: retained for 7 years to meet tax and accounting obligations.
  • Audit logs: retained for at least 12 months for security investigations.

9. Your rights

Subject to applicable law you have the right to access, correct, delete, restrict, port and object to the processing of your personal data, and to withdraw consent at any time. To exercise these rights, contact us using the details below. If you are a resident or visitor at a complex, please also notify the complex admin so we can coordinate the response.

10. Data deletion requests

To request deletion of your personal data from Ngenani, email privacy@ngenani.com from the email or phone associated with your account, with the subject “Data deletion request” and the role under which you registered (resident, guard, admin, visitor). We will confirm receipt within 7 days and complete deletion within 30 days, except where retention is required by law (for example billing records). If the request originates from a resident or visitor at a complex, we will notify the complex admin as part of fulfilment.

11. Security

All traffic is encrypted in transit with TLS. Database contents and ID document images are encrypted at rest. Access to production systems is limited to authorised personnel and protected by two-factor authentication. We perform regular dependency and platform security updates.

12. Children

Ngenani is not intended for use by children under 16. A resident may register a minor as part of their household but the minor does not hold an account in their own right.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to admin organisations in advance. The “Effective” date above shows the latest revision.

14. Contact

Impaque LLC, Illinois, United States.
Privacy: privacy@ngenani.com
General: support@ngenani.com