PRIVACY · POPIA
Privacy notice.
Last updated · 2026-05-25
This notice explains how Aitsa AI Integration (“Aitsa”, “we”, “us”, “our”) collects, uses and protects your personal information. It follows the Protection of Personal Information Act, 4 of 2013 (POPIA), South Africa's data-protection law.
If anything here is unclear, send us a message via the contact form and we'll walk you through it.
1 · Who we are
Responsible party: Aitsa AI Integration, a process-first automation and AI implementation consultancy based in North West Province, South Africa. Trading entity registration is in progress with the Companies and Intellectual Property Commission (CIPC); this notice will be updated when the registration completes.
Contact: [email protected].
Information Officer: appointed internally. Registration details will be updated here if the Information Regulator requires a public registration record for this stage of the business. Contact via [email protected] with subject line “Information Officer”.
2 · What we collect
We collect the minimum needed to do the work and bill for it.
- From the audit form: business name, email address, your industry, your geographic location, a short description of the operational bottleneck you want to fix.
- From direct messages: your display name, profile photo (if visible), and the messages you choose to send us through any messaging channel.
- During an engagement: information needed to scope and build the workflow, sample documents you share, names of systems you use, and access credentials we need to do the build.
- Automatically when you visit the site: a salted hash of your IP address (for rate-limiting and abuse prevention), your browser user-agent, and a Cloudflare Turnstile token (anti-bot check on the audit form).
We do not collect your ID number, banking details on first contact, biometric data, health data, or any special-category personal information (POPIA Section 26) unless the engagement specifically requires it and we have asked you for consent in writing.
3 · Why we collect it (purpose + legal basis)
POPIA requires a lawful basis for every category of processing. Ours are:
- To respond to your audit request, legal basis: necessary for the conclusion or performance of a contract with you (Section 11(1)(b)).
- To deliver the engagement, same basis: contract performance.
- To bill you, same basis: contract performance, plus compliance with the Tax Administration Act, 2011 (Section 11(1)(c)).
- To prevent spam + abuse on the audit form, legal basis: legitimate interest (Section 11(1)(f)), we store an IP hash, not the IP itself, and discard it after 30 days.
- To send you operational updates about an active engagement, legal basis: contract performance.
We do not use your personal information for direct marketing without your prior consent (POPIA Section 69).
4 · Who else sees it (sub-processors)
We use a small number of third-party services to keep the site and our operations running. Each one only sees the personal information it needs to do its job.
- Brevo (formerly Sendinblue), sends us email when you submit the audit form, and sends your process snapshot or follow-up note to you. Servers in France.
- Calendly, embeds the booking calendar on the success page. If you book a call, Calendly sees your name, email, and any prefill we passed in. Servers in the United States.
- Cloudflare Turnstile, checks the audit form is being submitted by a human, not a bot. Sets one cookie (
__cf_bm) per visit. Servers global, primarily United States. - Tally, optional secondary diagnostic form (post-submission). Used only if you click the secondary link. Servers in the European Union.
- Our Ubuntu VPS, hosts the website and the lead-capture API. The database that holds the lead form submissions is stored on this server (South African data centre).
Every sub-processor is bound by their own contractual data protection terms. We do not sell, rent, or share your information with anyone for marketing purposes.
5 · Cross-border transfers
Some of the sub-processors above (Brevo in France, Tally in the EU, Calendly in the US, Cloudflare global) process your personal information outside South Africa. POPIA Section 72 permits this where:
- The receiving party is bound by binding corporate rules, contractual clauses, or laws providing adequate protection; or
- You have consented to the transfer; or
- The transfer is necessary for the performance of a contract with you.
By submitting the audit form, you consent to your information being sent to these sub-processors for the limited purposes described above. If you would rather not use the form, contact us by email and we'll capture your details manually.
6 · How long we keep it
- Audit form submissions: kept for 24 months after submission. We use this window to follow up if you didn't book, and to honour your access rights.
- IP-hash (for rate-limiting): discarded after 30 days.
- Engagement records (proposals, invoices, build artefacts): kept for 5 years after the engagement ends, in line with the Tax Administration Act and the Companies Act.
- Access credentials you shared during a build: rotated and removed from our systems within 14 days of engagement end. We will prompt you to confirm the rotation.
7 · How we protect it
- The website runs on HTTPS only.
- The lead-capture database lives on a hardened Ubuntu VPS; only the Information Officer has root access.
- Backups are encrypted at rest. Access keys rotate quarterly.
- IP addresses are hashed with a server-side salt before they hit the database, we can't reverse the hash.
- Credentials you share are stored in an encrypted password manager, scoped to the engagement.
If a security incident affects your personal information, we will notify you and the Information Regulator without unreasonable delay (POPIA Section 22).
8 · Your rights
Under POPIA you can ask us to:
- Confirm whether we hold information about you (POPIA Section 23).
- Provide a copy of that information in a usable format.
- Correct or delete information that is inaccurate, out of date, or no longer needed (POPIA Section 24, submit Form 2 if you prefer the formal route).
- Object to specific processing (POPIA Section 11(3)), submit Form 1 if you prefer the formal route.
- Withdraw consent at any time, where consent was the basis.
- Lodge a complaint with the Information Regulator if you believe we have not handled your information properly.
Send any of these requests to [email protected]. We will respond within 30 days.
9 · The Information Regulator
If we have not resolved your complaint to your satisfaction, you can escalate to:
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
[email protected]
inforegulator.org.za
10 · Cookies + tracking
See our separate cookie policy for the cookies we set and why.
11 · PAIA
The Promotion of Access to Information Act, 2 of 2000 (PAIA) gives you the right to request information we hold, about you or about our operations. Our PAIA manual is available on request at [email protected].
12 · Changes to this notice
We will update this notice when our practices, sub-processors, or applicable law change. The “Last updated” date at the top reflects the most recent revision. Material changes, for example, a new sub-processor, a new purpose, or a longer retention period, will be flagged on the homepage banner and emailed to active clients.