Privacy Policy
Last updated: 10 April 2026
This Privacy Policy explains how Nanamantis Investment Holdings ("LoveLock", "we", "us", "our") collects, uses, stores, and shares personal information when you use the LoveLock platform. This policy is written to comply with POPIA (South Africa), UK GDPR, EU GDPR, and CCPA/CPRA (California).
1. Who We Are
Responsible Party / Data Controller: Nanamantis Investment Holdings. Information Officer: legal@nanamantis.com. Physical address: [PHYSICAL ADDRESS].
2. What Personal Information We Collect
2.1 Account Data
Full name, email address, password (stored as a cryptographic hash), and timezone.
2.2 Capsule Content
Content you create and seal in a capsule: letters, photos, voice notes, videos, and captions. This content is stored securely and encrypted at rest. It is accessed only for the purpose of delivering your capsule.
2.3 Recipient Data
When you create a capsule: recipient name, email address, WhatsApp number (optional), and delivery date. This data is provided by you and used solely to deliver the capsule on your behalf.
2.4 Payment Data
Payment is processed by Stripe. LoveLock does not receive or store your card number, expiry date, or CVV. We retain transaction amount, date, and Stripe reference for accounting compliance.
2.5 Technical Data
IP address (used to determine your pricing region), browser and device type (standard web server logs), and access timestamps including when a recipient first opens a capsule.
3. How We Use Your Personal Information
We use your personal information to create and manage your account (contract); store and deliver capsule content (contract); process payments (contract); send delivery notifications (contract); detect your pricing region via IP address (legitimate interests); respond to support enquiries (legitimate interests); and comply with legal obligations.
We do not use your personal information for automated decision-making that produces legal effects. We do not sell your personal information. We do not use your personal information for third-party advertising.
4. Recipient Data: Roles and Responsibilities
When you provide your recipient's contact details, you are acting as a data controller for that recipient's personal information. LoveLock acts as a data processor on your behalf. By providing recipient contact details, you confirm you have a lawful basis to do so and that the recipient can reasonably expect to receive a message from you.
5. Data Retention
Account data is retained until you delete your account, then for 30 days. Draft capsule content is retained until you delete the draft. Sealed capsule content is retained indefinitely. Once a capsule is sealed, its content cannot be deleted — this is an intrinsic feature of the product and you consent to indefinite storage at the point of sealing. Payment records are retained for 7 years. Server logs are retained for 90 days. Support correspondence is retained for 3 years.
6. Sharing Your Personal Information
We share personal information only with the following processors, all contractually bound to process data only on our instructions:
- Supabase — database, authentication, file storage (United States)
- Stripe — payment processing (United States)
- Twilio — WhatsApp delivery notifications (United States)
- Resend — email delivery (United States)
- DigitalOcean / Vercel — cloud hosting infrastructure (United States)
We may also disclose personal information to law enforcement or regulators where required by applicable law. If Nanamantis Investment Holdings is acquired or merges with another entity, we will notify users before any transfer of personal information takes effect.
7. International Data Transfers
All processors listed above are based in the United States. Transfers from South Africa are made under contractual safeguards that provide protection substantially similar to POPIA, as required by section 72 of POPIA. Transfers from the UK and EU are made under Standard Contractual Clauses as adopted by the European Commission.
8. Security
We implement HTTPS/TLS for all data in transit; AES-256-GCM encryption for capsule content at rest; Supabase Row Level Security; Stripe PCI DSS compliance for payment data; and restricted access to production systems. In the event of a data breach posing a risk to your rights, we will notify you and the relevant supervisory authority as required by law.
9. Cookies
We use session cookies for authentication and no advertising or tracking cookies. See our Cookie Policy for full details.
10. Your Rights
10.1 All Users
Access to personal information we hold about you; correction of inaccurate information; and objection to direct marketing at any time.
10.2 GDPR / UK GDPR (EU and UK Users)
Erasure of personal information where there is no legitimate reason to continue processing (note: sealed capsule content cannot be deleted); restriction of processing; data portability; withdrawal of consent where processing is consent-based; and the right to lodge a complaint with your local supervisory authority.
10.3 POPIA (South African Users)
Rights under sections 23 (access), 24 (correction), 11(2)(c) (objection to processing), 11(3) (objection on legitimate interests grounds), and 69 (direct marketing) of POPIA. Submit requests to legal@nanamantis.com. We will respond within 30 days.
10.4 CCPA / CPRA (California Users)
The right to know what personal information is collected; the right to delete personal information; the right to correct inaccurate information; the right to opt out of sale or sharing (we do not sell or share personal information for advertising); and the right to non-discrimination. To exercise California rights, contact legal@nanamantis.com. We will respond within 45 days.
11. Children
The Platform is not directed at children under 18. We do not knowingly collect personal information from children under 18. If you believe a child under 18 has provided personal information to us, contact legal@nanamantis.com and we will delete it promptly.
12. Changes to This Policy
We will notify registered users of material changes by email at least 14 days before they take effect.
13. Contact and Complaints
Information Officer, Nanamantis Investment Holdings. Email: legal@nanamantis.com. Physical address: [PHYSICAL ADDRESS].
If you are not satisfied with our response, you may contact: the Information Regulator, South Africa (inforeg.org.za); the ICO, UK (ico.org.uk); your national data protection authority in the EU; or the California Privacy Protection Agency (cppa.ca.gov).