Skip to main content

POPIA Notice

Information Officer, responsible party, and lawful processing.

Last updated: 31 May 2026

This notice is published in compliance with section 18 of the Protection of Personal Information Act, 2013 (“POPIA”). It applies to the AIV Index platform operated by Auto Alpha Advisory (Pty) Ltd and supplements the Privacy Policy. These terms are effective from the date you subscribe.

1. Responsible party

Auto Alpha Advisory (Pty) Ltd
Registration number: 2025/213512/07
A private company incorporated under the Companies Act, 2008, registered with the Companies and Intellectual Property Commission (CIPC).
Trading as: AIV Index (product line)
Principal place of business: Cape Town, South Africa
Product domain: aiv.autoalphaadvisory.co.za

2. Information Officer

The Information Officer as contemplated in POPIA §1, read with ss55–56, is:

The Information Officer named above is the responsible party’s designated Information Officer for all purposes under POPIA ss55–56.

No deputy Information Officer has been appointed. All POPIA requests should be directed to the Information Officer at the email above.

3. Lawful basis for processing (POPIA §11)

We process personal information on the following lawful bases:

  • Contract performance(§11(1)(b)) — the primary basis for all processing associated with the subscription: account information, brand data, prompt sets, sweep results, billing metadata, and Google Search Console data (if connected). Processing this information is necessary to deliver the Service under the subscription agreement.
  • Legitimate interest(§11(1)(f)) — processing sign-in metadata (IP address, user-agent) to detect and prevent fraudulent access; generating de-identified aggregated benchmarks from multi-tenant sweep data for product improvement and industry reporting. In each case, our interest does not override the data subject’s right to privacy.
  • Legal obligation(§11(1)(c)) — retaining payment records (amounts, dates, transaction IDs) for 5 years pursuant to SARS record-keeping requirements under the Tax Administration Act, 2011.
  • Consent(§11(1)(a)) — for Google Search Console integration, which requires your explicit OAuth consent granting read-only access. This consent is revocable at any time via your Google account settings.

4. Categories of data subjects and personal information

4.1 Data subjects

  • Subscribers (account holders)— individuals who create and maintain a paid AIV Index account.
  • Workspace members— additional users invited into a tenant workspace by the account holder.
  • Third-party brand entities— the brand entity (and potentially its employees, if their names appear in AI engine responses or in website content crawled during prompt generation) whose visibility is being measured. This data is incidental and is not the primary processing purpose.

4.2 Categories of personal information processed

  • Contact information: email address, display name
  • Device and network identifiers: IP address, user-agent string, HTTP referrer
  • Commercial data: billing email, PayFast transaction metadata (subscription ID, amount, date)
  • Brand configuration: brand name, domain, description, competitor names and domains
  • AI prompt text (potentially commercially sensitive)
  • Website content extracted from the subscriber’s domain during onboarding prompt generation
  • AI engine responses to brand prompts
  • Google Search Console impressions, clicks, and queries (if integration is enabled)
  • Chatbot messages (session-only; not stored in the database)

We do not process special personal informationas defined in POPIA §26 (health, biometrics, race, religion, sexual orientation, criminal record, or political persuasion), nor information relating to children.

Note on third-party website scraping: During onboarding, the prompt-generation pipeline fetches publicly accessible content from your brand domain (and optionally competitor domains). This crawled content may incidentally include personal information (e.g. staff names, contact details visible on public web pages). Such information is used only to generate brand prompts and is not retained as raw content.

5. Recipients of personal information — full sub-processor list

The following operators (in POPIA terms, “operators” who process personal information on behalf of the responsible party) receive personal information in the course of delivering the Service:

OperatorRole / data receivedRegion
Supabase Inc.Primary database operator; stores account data, brand configuration, sweep results, billing metadata, and workspace dataIreland (eu-west-1)
Vercel Inc.Application hosting and serverless function execution; processes requests containing account and brand dataUSA company; functions for SA traffic run in Frankfurt, Germany (fra1)
DigitalOcean LLCHosts the sweep worker container (aaa-audit-01); receives and dispatches brand prompts; receives raw AI engine responsesUSA
OpenAI Inc.Receives brand prompts for the ChatGPT measurement sweep; receives domain content for prompt generation; generates AI-driven insights (OpenAI models)USA
Anthropic PBCReceives brand prompts for Claude measurement sweep; receives chatbot messagesUSA
Perplexity AI Inc.Receives brand prompts for Perplexity measurement sweepUSA
Google LLCReceives brand prompts for Gemini measurement sweep via the Gemini API; receives Google OAuth token and processes Search Console data if integration is enabledUSA
OpenRouter Inc.API routing layer; relays brand prompts from the worker to the Google Gemini APIUSA
Resend Inc.Transactional email delivery; receives email address and message content for magic-link sign-ins and platform notificationsUSA
PayFast (Pty) LtdPayment processing; receives billing email and payment card data; returns transaction metadata (subscription ID, amount, status) via ITN webhook. Handles all card data under PCI-DSSSouth Africa
AAA Audit Engine (in-house)Automated GEO site-readiness audit; receives brand domain URL; crawls publicly accessible website content; returns structured audit findingsEU

6. Cross-border transfers (§72)

The Service involves the transfer of personal information outside South Africa, primarily to processors in the United States. South Africa has not issued a general adequacy finding for the United States. We rely on the following basis for these transfers under POPIA §72:

  • Contractual commitments(§72(1)(b)) — each US-based processor is bound by a DPA, standard contractual clauses, or equivalent published processing terms that impose data-protection obligations substantially equivalent to POPIA.
  • Primary data storage in Ireland— all subscriber data is stored at rest in Supabase’s eu-west-1 (Ireland) region, which is subject to the GDPR. US processors receive data in transit (for the purpose of the specific API call) but are not the data-at-rest custodian.

The processors that receive personal information via cross-border transfer are: Vercel Inc., DigitalOcean LLC, OpenAI Inc., Anthropic PBC, Perplexity AI Inc., Google LLC, OpenRouter Inc., and Resend Inc.

7. Data-subject rights under POPIA

As a data subject, you have the following rights under POPIA:

  • Right to be notified(§18) — to be informed of what information is collected about you and for what purpose. This notice fulfils that obligation.
  • Right of access(§23) — to request a copy of personal information held about you.
  • Right to correction or deletion(§24) — to request correction of inaccurate information or deletion of information that is no longer necessary, subject to our legal-retention obligations.
  • Right to object(§11(3)) — to object to processing based on legitimate interest; we will cease such processing unless we can demonstrate compelling grounds that override your interests.
  • Right to complain(§73) — to lodge a complaint with the Information Regulator if you believe your rights have been infringed.

To exercise any right, email hello@autoalphaadvisory.co.za with subject “POPIA Request”. We will acknowledge within 3 business days and respond within 7 business days, or notify you if additional time is required.

8. Security safeguards (§19)

We have implemented the following technical and organisational measures:

  • Encryption at rest (AES-256 via Supabase) and in transit (TLS 1.3) for all personal information.
  • Postgres Row-Level Security (RLS) on every table containing personal or tenant data, enforcing tenant isolation at the database level.
  • Passwordless authentication (magic-link OTP or OAuth) eliminating credential-stuffing vectors.
  • Environment-secret management for all API keys; secrets are not exposed in application code or client bundles.
  • Primary data storage in Supabase eu-west-1 (Ireland), a GDPR-regulated environment with SOC 2 Type II and ISO 27001 certifications.

In the event of a personal information breach that is likely to result in harm to data subjects, we will notify the Information Regulator and affected data subjects within the timelines prescribed by POPIA §22 and any regulations made thereunder.

9. Complaints to the Information Regulator

If your POPIA request is not resolved to your satisfaction, or if you believe we have processed your personal information in violation of POPIA, you may lodge a complaint with:

  • The Information Regulator (South Africa)
  • Website: inforegulator.org.za
  • Email: POPIAComplaints@inforegulator.org.za (general enquiries: enquiries@inforegulator.org.za)

10. Updates to this notice

This notice will be updated to reflect changes in our processing activities, our sub-processor list, or applicable law. Material changes will be notified to subscribers by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the current version.