Last updated: 28 April 2026
This policy applies to Wrench (formerly 13-Spanner). It is a working draft and will be reviewed by a qualified attorney before public launch.
1. Introduction
Wrench (“we”, “us”, “our”) is a workshop management tool built for independent mechanics and small workshops in South Africa. This privacy policy explains how we collect, use, store, and protect personal information in compliance with the Protection of Personal Information Act (POPIA), 2013.
2. Information We Collect
2.1 Workshop and Mechanic Information
- Full name and business name
- Email address and phone / WhatsApp number
- Business logo (optional)
- VAT registration number (optional)
- Workshop address (optional)
2.2 Customer Information
- Customer name
- WhatsApp / phone number
- Email address (optional)
- POPIA consent status and date
2.3 Vehicle and Job Information
- Year, make, model, registration, VIN, mileage
- Customer complaints, job notes and status history
- Inspection checklist scores, notes, voice recordings and photographs
- Estimates, quotes and quote line items
3. How We Use Information
We use the information collected solely for the purpose of:
- Running the workshop’s daily operations: book-in, inspection, quoting, parts and customer messaging
- Generating vehicle diagnostic inspection reports and quotes
- Providing AI-assisted checklist generation tailored to the vehicle
- Sending the customer-facing branded report page when shared via WhatsApp
- Managing your subscription, billing and account
4. Data Storage
Workshop data is stored in our cloud database, hosted on Supabase infrastructure within the European Union region. Photographs are stored in Supabase Storage with workspace-level access controls (Row-Level Security). Each workshop’s data is isolated from every other workshop’s data at the database level.
The application also caches data locally on the mechanic’s device so that it works without an internet connection. Local data is synchronised with the cloud when a connection is available.
We do not sell, share, or transfer personal information to third parties for marketing purposes.
5. POPIA Consent
Before any customer’s personal information is captured in Wrench, the mechanic must confirm that the customer has given informed consent for their personal information to be stored and used for vehicle inspection, quoting, and follow-up communication purposes. This consent is recorded with a timestamp on the customer record.
6. Data Retention
We retain workshop data for as long as your account is active. After cancellation, data remains available for export for 30 days, after which it may be permanently deleted from our systems. Mechanics can export all of their workshop data from the Settings page at any time.
7. Data Subject Rights
Under POPIA, individuals have the right to:
- Request access to their personal information
- Request correction of inaccurate information
- Request deletion of their personal information
- Object to the processing of their personal information
- Request a copy of their information in a portable format
Customers should direct data subject requests to the workshop that performed the inspection. Workshop owners can fulfil these requests using the export and delete functions on the customer record. For any matter the workshop cannot resolve, the customer or workshop may contact us using the details below.
8. Security
We implement security measures including Row-Level Security on every database table, encrypted connections (HTTPS), Content Security Policy headers, input validation, rate limiting, and CORS protections. Customer-facing report links are tokenised and expire after 90 days. Workshop owners are responsible for keeping their account credentials confidential.
9. Third-Party Services
We use the following third-party services to operate Wrench:
- Supabase — database, authentication, and file storage hosting
- Vercel — application hosting and content delivery
- OpenAI— AI checklist generation, voice transcription, and note polishing. Vehicle specifications and audio recordings are sent for processing; no customer contact information is transmitted to OpenAI.
- Paystack — subscription payment processing
10. Changes to This Policy
We may update this privacy policy from time to time. The “Last updated” date at the top of this page indicates when the policy was last revised. Material changes will be communicated through the application and via email.
11. Contact
For privacy-related queries or to exercise your data subject rights, please contact us at the email address listed on our website or in the application settings.