Privacy Policy

Your Privacy Matters

We believe in transparency. This policy explains exactly what data we collect, how we use it, and the rights you have over your information.

Last updated: March 1, 2026

Contents

1. Who We Are

Logable is an IoT monitoring and telemetry platform operated by TipThing (Pty) Ltd, a company registered in South Africa under registration number 2025/400138/07.

We provide tools that allow you to connect devices, visualize real-time data on customizable dashboards, configure automated alerts, and manage multi-tenant organizations.

Information Officer (POPIA)

Email: privacy@logable.app

Address: Pretoria, South Africa

2. Information We Collect

2.1 Account Information (provided by you)

  • Full name (required for account creation)
  • Email address (required, used for login and notifications)
  • Username (optional)
  • Profile image URL (optional)
  • Company name (via contact form, optional)
  • Password (hashed using industry-standard algorithms, never stored in plaintext)

2.2 Device and Telemetry Data (provided by your devices)

  • Device metadata: name, type, description, physical location, serial number
  • Device configuration: capacity settings, units, custom metadata
  • Telemetry metrics: JSON key-value pairs (e.g., temperature, pressure, fill level) — the specific data depends entirely on what you configure your devices to send
  • Device status: online, offline, or error state with timestamps
  • Data streams: named data channels with typed field schemas and JSON event payloads

2.3 Organization Data (provided by team administrators)

  • Organization name and logo
  • Team member email addresses (via invitations)
  • Member roles (owner, admin, member)
  • Organization settings and limits

2.4 Data Collected Automatically

  • IP address (stored with auth sessions for security)
  • Browser user agent (stored with auth sessions)
  • Session tokens (encrypted, httpOnly cookies)
  • Sidebar preference cookie (sidebar_state, 7-day expiry, UI preference only)

2.5 Data We Do NOT Collect

  • We do not use analytics services (no Google Analytics, Mixpanel, etc.)
  • We do not use error tracking services (no Sentry, Bugsnag, etc.)
  • We do not use advertising pixels or tracking cookies
  • We do not collect browsing behavior, heatmaps, or session recordings
  • We do not collect payment card details directly (no payment processing currently integrated)
  • We do not collect geolocation data from your browser
  • We do not use fingerprinting or cross-site tracking

3. How We Use Your Information

3.1 Account Management

To create and manage your account, authenticate you, and communicate with you about your account.

3.2 Service Delivery

To receive, store, process, and display your device telemetry data on dashboards and charts.

3.3 Alerts and Notifications

To evaluate trigger conditions against your device metrics and send alerts via email and web inbox when thresholds are exceeded or device status changes.

3.4 Real-Time Streaming

To deliver live device metrics and status updates to your dashboard via Server-Sent Events (SSE).

3.5 Organization Management

To manage multi-tenant workspaces, team invitations, role-based access, and organizational settings.

3.6 Security

To protect your account via two-factor authentication (TOTP), passkeys (WebAuthn), rate limiting, and audit logging of authentication events.

3.7 Communication

To send transactional emails (verification, password reset, OTP codes, team invitations, alert notifications).

3.8 Service Improvement

We may use anonymized, aggregated data (stripped of all personal identifiers) to improve platform performance and reliability. Individual user behavior is never tracked.

Legal Basis (GDPR)

  • Contract performance: account management, service delivery, alerts, streaming, organization management
  • Legitimate interests: security, service improvement (with balancing test — minimal data, high security benefit)
  • Consent: marketing communications (if ever introduced)
  • Legal obligation: responding to lawful requests, audit logs

4. How We Share Your Information

4.1 Third-Party Service Providers (Sub-Processors)

ProviderPurposeData SharedLocation
PlunkEmail deliveryRecipient email, notification contentEU
HetznerInfrastructure hostingAll data (encrypted at rest)EU

That is it. We use only 2 third-party services. We do not sell, rent, or trade your personal information.

4.2 Within Your Organization

If you belong to an organization, other members with appropriate roles can see devices, dashboards, streams, and alerts owned by that organization. They cannot see your personal devices or account credentials.

4.3 Legal Requirements

We may disclose information if required by law, court order, or government request. We will notify you before disclosure unless legally prohibited from doing so.

4.4 Business Transfers

If TipThing (Pty) Ltd is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is subject to a different privacy policy.

5. Data Retention

Data TypeRetention PeriodWhat Happens After
Account informationUntil you delete your accountPermanently deleted
Device telemetry metrics60 daysAutomatically purged by TimescaleDB
Device status history90 daysAutomatically purged
Notification / alert history90 daysAutomatically purged
Audit logs90 days (capped at 10,000 per org)Oldest entries automatically removed
Auth sessions7 days from last activityAutomatically expired
Verification tokens1 hourAutomatically expired
OTP codes5 minutesAutomatically expired
Device / stream metadataUntil you delete the device / streamPermanently deleted with cascading removal of all related data
Organization dataUntil the organization is deletedAll associated devices, dashboards, streams, and alerts permanently deleted

Industry plan customers may have custom retention periods (up to 1 year+) as configured in their organization settings.

6. Cookies and Local Storage

6.1 Essential Cookies

  • Session cookie (auth): Contains encrypted session token. HttpOnly, Secure, SameSite=Lax. Expires after 7 days. Required for authentication.

6.2 Functional Cookies

  • sidebar_state: Stores sidebar open/closed preference. 7-day expiry. Not transmitted to any server.

6.3 Local Storage (browser-only, cleared on logout)

  • activeOrganizationId: Your currently selected organization
  • dashboard-view-mode: Grid or table view preference
  • Form draft data: Temporarily saves form inputs to prevent data loss

6.4 Session Storage (cleared when tab closes)

  • Temporary email addresses during password reset and OTP verification flows

We do NOT use analytics cookies, advertising cookies, or third-party tracking cookies.

6.5 Google Fonts

We use Plus Jakarta Sans and Geist Mono fonts. These are self-hosted by our application via Next.js — no requests are made to Google's servers, and Google does not receive any data about your visits.

7. International Data Transfers

Your data is stored on Hetzner servers in the European Union. TipThing (Pty) Ltd is based in South Africa.

For EU/EEA Users

South Africa does not have an EU adequacy decision. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard your data when it is accessed from South Africa for platform administration purposes.

For South African Users

Your data is processed in the EU, which provides data protection standards that are substantially similar to or exceed POPIA requirements.

We do not transfer your data to any country outside the EU and South Africa.

8. Data Security

We implement the following security measures:

  • Encryption in transit: All data transmitted via HTTPS/TLS. MQTT connections support TLS encryption.
  • Password hashing: Passwords are hashed using industry-standard algorithms and never stored in plaintext. Passwords are redacted from all logs.
  • Authentication: JWT-based access tokens (15-minute expiry), session tokens with automatic refresh, two-factor authentication (TOTP), passkeys (WebAuthn), email OTP.
  • Rate limiting: Global rate limiting (100 requests/minute), stricter limits on authentication endpoints (5 requests/minute), per-device ingestion limits.
  • Access control: Role-based access control at organization and system levels. Strict data isolation between tenants.
  • Input validation: All API inputs are validated and sanitized. Unknown fields are rejected.
  • Audit logging: Authentication events, data access, and administrative actions are logged with IP address and user agent.
  • Session security: Sessions expire after 7 days. Users can revoke individual sessions or all other sessions.
  • Token security: Device and stream authentication tokens are generated using cryptographic random bytes and are never exposed in list API responses.

9. Your Rights

9.1 Under POPIA (South Africa)

  • Right to be notified of data collection
  • Right to access your personal information
  • Right to request correction or deletion
  • Right to object to processing
  • Right to data portability
  • Right to lodge a complaint with the Information Regulator (inforegulator.org.za)

9.2 Under GDPR (EU/EEA)

  • Right to access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / right to be forgotten (Article 17)
  • Right to restrict processing (Article 18)
  • Right to data portability (Article 20) — export your device metrics as CSV or JSON
  • Right to object (Article 21)
  • Right not to be subject to automated decision-making (Article 22)
  • Right to lodge a complaint with your local supervisory authority

9.3 Under CCPA/CPRA (California)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

How to exercise your rights

Email privacy@logable.app. We will respond within 30 days. You can also delete your account, devices, streams, and organizations directly through the platform. Account deletion cascades to remove all associated data including sessions, tokens, memberships, and invitations.

10. Children's Privacy

Logable is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@logable.app.

11. Automated Decision-Making

Logable uses automated processing for the following purposes:

  • Alert triggers: Automated evaluation of device metrics against user-configured thresholds and conditions. These trigger notifications but do not make decisions about your account or access.
  • Rate limiting: Automated enforcement of API request limits for security purposes.
  • Session management: Automatic session expiry and refresh.

None of these automated processes make decisions that produce legal effects or similarly significantly affect you. All alert conditions are configured by you and can be modified or disabled at any time.

12. Data Breach Notification

In the event of a data breach that affects your personal information:

  • We will notify the South African Information Regulator within 72 hours of becoming aware of the breach.
  • We will notify affected users as soon as reasonably possible, including: what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.
  • For EU users, we will also notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.

13. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • We will notify you via email or an in-app notification for significant changes.
  • Continued use of Logable after the effective date constitutes acceptance of the updated policy.

We encourage you to review this policy periodically.

14. Contact Us

Information Officer / Data Protection Contact

TipThing (Pty) Ltd (trading as Logable)

Registration: 2025/400138/07

Pretoria, South Africa

Email: privacy@logable.app

General Support

Email: support@logable.app

Complaints

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with:

  • South Africa: The Information Regulator — inforegulator.org.za
  • EU: Your local data protection supervisory authority
  • California: The California Attorney General — oag.ca.gov