Skip to main content
AI Visibility Tracker← Back to site

POPIA Notice

Information Officer and lawful processing basis.

Last updated: 25 May 2026

This notice complies with section 18 of the Protection of Personal Information Act, 2013 (POPIA). It is published proactively, not in response to a specific request, because we believe that’s the institutional default.

Responsible Party

Auto Alpha Advisory (Pty) Ltd, a South African private company registered with CIPC, trading as AI Visibility Tracker for this product line.

Information Officer

Matt Owen, CA(SA). Until a deputy is appointed, the Information Officer is also the sole contact for POPIA requests.

Email: matt@autoalphaadvisory.co.za
Location: Cape Town, South Africa

Lawful basis for processing

At pre-launch, the only personal information we collect is your email address (with optional metadata: IP, user-agent, referer). The lawful basis under POPIA §11 is:

  • Consent— you actively submit your email by clicking “Join the waitlist” or requesting a sign-in link.
  • Legitimate interest— for the security metadata (IP, user-agent), to triage spam and abuse patterns on the waitlist endpoint.

Categories of data subjects

  • Waitlist signups (members of the public)
  • Authenticated users (currently: the Information Officer only)

Categories of personal information

  • Email address
  • IP address, user-agent string, HTTP referer (security metadata)

We do not process special personal information (POPIA §26) or children’s information at this stage.

Recipients of personal information

  • Supabase Inc.— data processor; hosts the Postgres database in eu-west-1 (Ireland) under a standard Data Processing Agreement.
  • Vercel Inc.— data processor; serves the public website + auth flow.
  • Resend Inc.— data processor; delivers transactional email (magic-link sign-ins).

All three are POPIA-aware data processors with cross-border transfer agreements covered under POPIA §72.

Cross-border transfers

Data is processed outside South Africa (Ireland for storage, USA for Vercel/Resend platform operations). POPIA §72 permits transfers where the recipient is subject to comparable laws or contractual commitments. Each processor we use is bound by their published Data Processing Agreement.

Data subject rights

You have the right to:

  • Confirm whether we hold personal information about you (§23)
  • Request access to that information (§23)
  • Request correction or deletion (§24)
  • Object to processing (§11(3))
  • Lodge a complaint with the Information Regulator (inforegulator.org.za) if a request goes unaddressed

Email matt@autoalphaadvisory.co.za with subject “POPIA Request” and we will respond within seven business days.

Security safeguards

All data is encrypted at rest and in transit (TLS 1.3). Database access is service-role-only from the Vercel application; we use Postgres Row-Level Security on every table that holds personal information. Auth uses magic links (no passwords to leak). We have not had a personal-information breach to date; if one occurs, we will notify the Information Regulator and affected data subjects within the timelines required by POPIA §22.

Updates

This notice will be revised before the first paid pilot tenant goes live, to reflect the additional categories of data (tenant brand information, prompt sets, run results) the live product will hold. Material changes will be flagged to waitlist members by email with at least seven days’ notice.