Skip to main content

Privacy Policy

What we collect, why, and who can see it.

Last updated: 31 May 2026

AIV Index is a subscription product of Auto Alpha Advisory (Pty) Ltd (registration number: 2025/213512/07), a South African company. This Privacy Policy describes the personal information we collect when you use the AIV Index platform, how we use it, who we share it with, and your rights under the Protection of Personal Information Act, 2013 (“POPIA”). These terms are effective from the date you subscribe.

1. Responsible party and Information Officer

The responsible party (in POPIA terms) is Auto Alpha Advisory (Pty) Ltd. The designated Information Officer is:

The Information Officer named above is the responsible party’s designated Information Officer for all purposes under POPIA ss55–56.

2. What personal information we collect

We collect the following categories of information when you use the Service:

2.1 Account information

  • Email address— used for authentication (magic-link OTP or Google OAuth), transactional email (receipts, sweep notifications), and account communications.
  • Display name— provided by you at onboarding or pulled from your Google profile if you authenticate via Google OAuth.
  • Sign-in metadata— IP address, user-agent, and HTTP referrer collected at authentication for security and abuse-prevention purposes.

2.2 Brand and product configuration

  • Brand name, domain, and description— the brand you configure for tracking.
  • Competitor names and domains— if you configure competitor tracking.
  • AI prompts— the brand-specific prompts generated by our AI pipeline and reviewed/edited by you. These may be commercially sensitive.
  • Website content fetched during prompt generation— when onboarding, our prompt-generation pipeline crawls your brand domain (and optionally competitor URLs) to extract context for prompt creation. Crawled content is used solely for this purpose and is not stored long-term as raw HTML.

2.3 Sweep results and AI engine responses

  • AI engine responses— the verbatim responses returned by ChatGPT, Claude, Perplexity, and Gemini to your brand-specific prompts, collected on the sweep cadence of your plan.
  • Brand-visibility scores and trends— processed output derived from raw engine responses.
  • GEO site-readiness audit results— structured findings from the automated audit of your domain.
  • Google Search Console analytics— if you grant optional read-only GSC access, we sync impression, click, and query data for your domain. This connection is revocable at any time via your Google account.

2.4 Billing information

  • Billing email— the email address associated with your PayFast subscription (may differ from your login email).
  • PayFast transaction metadata— payment status, subscription ID, amount, and billing date received via PayFast’s ITN (Instant Transaction Notification) webhook. We do not store card numbers or bank account details; PayFast handles all payment-card data under their own PCI-DSS compliance.

2.5 Chatbot messages

If you use the in-dashboard AI chatbot, your messages are transmitted to the Claude (Anthropic) API to generate a response. We retain your chatbot conversations — your questions and the assistant’s replies — in our database for up to 30 days to preserve conversation context and to monitor for abuse, after which they are automatically and permanently deleted.

2.6 Usage and operational logs

Standard web-server and application logs (request timestamps, error traces, page paths) are retained for debugging and security purposes. Logs do not include the content of AI engine responses or your brand configuration in searchable form.

2.7 What we do not collect

  • Card numbers or bank account details (handled exclusively by PayFast).
  • Special personal information as defined by POPIA §26 (biometrics, health, race, etc.).
  • Children’s personal information (the Service is not directed at persons under 18).
  • Third-party advertising or behavioural tracking data.

3. Why we collect it — lawful basis (POPIA §11)

  • Contract performance(POPIA §11(1)(b)) — the primary basis. Processing your account information, brand data, prompts, sweep results, and billing metadata is necessary to provide the subscription Service you have purchased.
  • Legitimate interest(POPIA §11(1)(f)) — processing sign-in metadata (IP, user-agent) for security and fraud prevention, and generating de-identified aggregated benchmarks for product improvement.
  • Legal obligation(POPIA §11(1)(c)) — retaining payment records to comply with SARS record-keeping requirements.

4. Who we share your information with — sub-processors

We engage the following data processors to deliver the Service. Each receives only the minimum data necessary for its function and is bound by a Data Processing Agreement (DPA) or equivalent contractual commitment.

ProcessorPurposeRegion
Supabase Inc.Primary database (account, brand data, sweep results, billing metadata)Ireland (eu-west-1)
Vercel Inc.Hosting and serving the web application; serverless function executionUSA company; functions for SA traffic run in Frankfurt, Germany (fra1)
DigitalOcean LLCVPS worker host (aaa-audit-01) that runs the sweep engine; processes brand prompts and receives raw AI engine responsesUSA
OpenAI Inc.Prompt generation from your domain content; ChatGPT engine measurement sweep; AI-generated insights (OpenAI models)USA
Anthropic PBCClaude engine measurement sweep; in-dashboard chatbot responsesUSA
Perplexity AI Inc.Perplexity engine measurement sweepUSA
Google LLCGemini engine measurement sweep; optional Google Search Console read-only integration (with your explicit OAuth consent)USA
OpenRouter Inc.API transport layer for Gemini sweep; prompts are relayed through OpenRouter to the Google Gemini APIUSA
Resend Inc.Transactional email delivery (magic-link sign-ins, notifications)USA
PayFast (Pty) LtdPayment processing; recurring subscription billing; refund management. PayFast is a South African entity and handles all card data under PCI-DSSSouth Africa
AAA Audit Engine (in-house)Automated GEO site-readiness audit of your domain; returns structured audit findings. Operated by Auto Alpha Advisory on separate infrastructureEU

We do not sell your personal information to any third party. We do not share your information with advertisers, data brokers, or marketing platforms.

5. Cross-border transfers (POPIA §72)

Several sub-processors listed above are located in the United States, which is not subject to a POPIA adequacy finding. Transfers to these processors are permitted under POPIA §72 on the basis that each processor is bound by contractual obligations (via their published DPA or terms of service) that afford substantially similar protections to those in POPIA, and we have assessed that adequate safeguards are in place. The processors concerned are: Vercel Inc., DigitalOcean LLC, OpenAI Inc., Anthropic PBC, Perplexity AI Inc., Google LLC, OpenRouter Inc., and Resend Inc.

Your data is stored at rest in Ireland (Supabase eu-west-1), which is subject to the GDPR — a regime that POPIA is modelled on and that provides comparable protections.

6. How long we keep your information

We retain personal information only as long as necessary for the purposes set out below:

  • Active subscription data(account details, brand configuration, sweep results) — retained for the duration of your subscription.
  • Post-cancellation— brand configuration and sweep results are retained for 30 days after subscription end to allow a data export on request, then deleted or anonymised.
  • Payment records(billing metadata, PayFast transaction IDs, amounts) — retained for 5 years from the transaction date to comply with SARS record-keeping obligations under the Tax Administration Act.
  • Security logs(IP, user-agent, sign-in events) — retained for 12 months, then deleted.
  • Inactive accounts(no paid subscription, no activity) — deleted after 12 months of inactivity.

7. Security

We apply the following safeguards:

  • Data is encrypted at rest (Supabase AES-256) and in transit (TLS 1.3).
  • Postgres Row-Level Security (RLS) is enforced on every table that holds personal or tenant-specific data — database queries cannot return another tenant’s records even if the application layer has a bug.
  • Authentication uses magic links (no password to leak) or Google OAuth. No plaintext credentials are stored.
  • API keys for AI sub-processors are stored as environment secrets; they are not accessible in application code or client-side bundles.

No system is perfectly secure. If we become aware of a personal information breach that is likely to cause harm to you, we will notify the Information Regulator and affected data subjects as required by POPIA §22.

8. Your rights under POPIA

You have the right to:

  • Access (§23) — request a copy of the personal information we hold about you.
  • Correction (§24) — request that inaccurate information be corrected.
  • Deletion (§24) — request deletion of your personal information, subject to our legal-retention obligations.
  • Objection (§11(3)) — object to processing based on legitimate interest.
  • Complaint — if you are dissatisfied with how we handle your information or your request, you may complain to the Information Regulator at inforegulator.org.za.

To exercise any of the above rights, email hello@autoalphaadvisory.co.za with the subject “POPIA Request”. We will respond within 7 business days.

9. Cookies and analytics

We use a minimal cookie footprint:

  • Supabase Auth session cookie— set when you sign in; stores your encrypted session token. Necessary for the authenticated dashboard to function. Expires when you sign out or after the session timeout.
  • No third-party advertising or analytics cookies. We do not use Google Analytics, Meta Pixel, or similar tracking technologies.

10. Direct marketing and email communications (POPIA §69)

We send two kinds of email, and we treat them differently under POPIA §69:

  • Transactional and service emails are not direct marketing. These include magic-link sign-in codes, billing receipts, sweep-completion notifications, drift alerts, and the monthly AIV Index digest. They form part of the subscription Service you have purchased and are sent on the lawful basis of contract performance (§11(1)(b)). The monthly digest is a contracted plan feature — you can turn it off at any time in your dashboard account settings.
  • Promotional and marketing emails are opt-in only. If we ever send electronic direct marketing (for example, news about new features, offers, or other Auto Alpha Advisory products), we will do so under POPIA §69 only where you have consented, or where you are an existing customer and the marketing relates to similar products or services. Every such message carries a clear, free opt-out (unsubscribe) mechanism, and you can withdraw consent at any time using that link or by emailing hello@autoalphaadvisory.co.za.

11. Changes to this Privacy Policy

We may update this Policy to reflect changes in the Service or applicable law. For material changes (new data categories, new sub-processors, or changes to your rights), we will notify you by email at least 14 days before the change takes effect. The “Last updated” date at the top of this page always reflects the most recent version.

12. Contact

Auto Alpha Advisory (Pty) Ltd
Cape Town, South Africa
General: hello@autoalphaadvisory.co.za
Information Officer (POPIA requests): hello@autoalphaadvisory.co.za