Square Gate Connect
Square GateConnect

Legal

Privacy Policy

Last updated: 6 July 2026. This policy explains how Square Gate Connect (operated by Square Gate Group (Pty) Ltd, Gaborone, Botswana — “Square Gate”, “we”, “us”) collects, uses, stores and protects personal data when you use the Square Gate Connect platform and services.

1. Who we are and how to reach us

Square Gate Connect is a readiness, verification and matchmaking platform connecting African founders with investors. Square Gate Group (Pty) Ltd is the data controller for personal data processed on the platform.

Data protection queries and requests: privacy@squaregategroup.com. Our appointed data protection contact responds to requests within 30 days.

2. What we collect

We collect the following categories of personal data:

  • Account data — name, email address, password (hashed), optional phone and LinkedIn profile, language preference, and two-factor authentication settings.
  • Founder data — company details, diagnostic answers and scores, uploaded documents (financial statements, registrations, contracts), and deal listing content.
  • Investor data — institution details, investor type, investment mandate (sectors, ticket size, regions), and KYC verification status and references.
  • Billing data — subscription plan, payment references and transaction status. Card details are processed by DPO Pay and never touch our servers (see §6).
  • Usage data — pages visited, actions taken (deal views, unlocks, downloads), device and browser information, and IP address for security logging.
  • Communications — in-platform messages, introduction requests and notification preferences.

3. Why we process it (lawful bases)

  • Contract performance — operating your account, running diagnostics, listing deals, computing matches, facilitating introductions, and billing subscriptions.
  • Legitimate interests — platform security, fraud prevention, audit logging, service analytics and product improvement, balanced against your rights.
  • Legal obligation — KYC/AML screening, financial record retention, and responses to lawful requests from regulators.
  • Consent — optional marketing communications and non-essential analytics, which you can withdraw at any time in Settings.

4. Deal confidentiality

Deal listings are anonymised by design. Company names, founder identities and contact details are stripped server-side and are only disclosed to investors after (a) a paid unlock, and (b) approval by our mandate desk. Documents in your data room are released only with your explicit approval, and every access is logged and visible to you.

5. Who we share data with

  • Counterparties you approve — founder identity and contact details are shared with an investor only after mandate desk approval, and vice versa.
  • Service providers — cloud hosting (Vercel), database (MongoDB Atlas), document storage (Cloudflare R2), email delivery (Resend), payments (DPO Pay), error monitoring (Sentry) and product analytics (PostHog, EU-hosted). Each processes data under contract and only on our instructions.
  • CRM systems— where enabled, introduction pipeline data syncs to Square Gate's internal CRM for mandate management.
  • Authorities — where required by applicable law or a binding order.

We never sell personal data.

6. Payments

Subscriptions are processed by DPO Pay (PCI-DSS compliant). We store only the transaction reference, amount, currency and status for reconciliation; we never receive or store card numbers.

7. How we protect your data

  • TLS 1.2+ encryption in transit on all endpoints.
  • Encryption at rest for the database and document store.
  • Documents hashed (SHA-256) on upload; downloads via short-lived signed URLs (5 minutes).
  • Role-based access control with server-side entitlement checks on every restricted action.
  • Append-only audit log of authentication, document, deal, payment and admin events.
  • Two-factor authentication available on all accounts.

8. How long we keep data

  • Account and profile data — for the life of your account, then deleted or anonymised on erasure.
  • Financial and payment records, audit logs — minimum 7 years, as required for financial-services record-keeping.
  • Analytics data — maximum 24 months.
  • Messages — retained for compliance while the related introduction or mandate remains active.

9. Your rights

Subject to the Botswana Data Protection Act 2018, the EU/UK GDPR and South Africa's POPIA (as applicable to you), you have the right to:

  • Access & portability — download everything we hold about you as JSON from your account (Settings → your data), or by emailing us.
  • Rectification — correct your profile and company data at any time in the app.
  • Erasure — request deletion; personal data is anonymised while records we must legally retain (payments, audit trail) are kept in de-identified form.
  • Objection & restriction — object to processing based on legitimate interests, and opt out of analytics and marketing in Settings.
  • Complaint — lodge a complaint with the Botswana Information and Data Protection Commission or your local supervisory authority.

10. Cookies & analytics

We use strictly necessary cookies for authentication and language preference, and PostHog (EU-hosted) for product analytics. Analytics respects your browser's Do Not Track setting, IP addresses are anonymised, and no analytics profile is built until you sign in. You can opt out at any time in Settings.

11. International transfers

Our infrastructure providers store data in the EU and the United States under appropriate safeguards (standard contractual clauses or equivalent). Analytics data is hosted in the EU.

12. Changes to this policy

We will notify registered users of material changes by email and in-app notice at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

See also our Terms of Service. This policy is provided for transparency and does not constitute legal advice to users.