Privacy Policy
What we collect, why, and who can see it.
Last updated: 31 May 2026
AIV Index is a subscription product of Auto Alpha Advisory (Pty) Ltd (registration number: 2025/213512/07), a South African company. This Privacy Policy describes the personal information we collect when you use the AIV Index platform, how we use it, who we share it with, and your rights under the Protection of Personal Information Act, 2013 (“POPIA”). These terms are effective from the date you subscribe.
1. Responsible party and Information Officer
The responsible party (in POPIA terms) is Auto Alpha Advisory (Pty) Ltd. The designated Information Officer is:
- Matt Owen (Information Officer)
- Email: hello@autoalphaadvisory.co.za
- Location: Cape Town, South Africa
The Information Officer named above is the responsible party’s designated Information Officer for all purposes under POPIA ss55–56.
2. What personal information we collect
We collect the following categories of information when you use the Service:
2.1 Account information
- Email address— used for authentication (magic-link OTP or Google OAuth), transactional email (receipts, sweep notifications), and account communications.
- Display name— provided by you at onboarding or pulled from your Google profile if you authenticate via Google OAuth.
- Sign-in metadata— IP address, user-agent, and HTTP referrer collected at authentication for security and abuse-prevention purposes.
2.2 Brand and product configuration
- Brand name, domain, and description— the brand you configure for tracking.
- Competitor names and domains— if you configure competitor tracking.
- AI prompts— the brand-specific prompts generated by our AI pipeline and reviewed/edited by you. These may be commercially sensitive.
- Website content fetched during prompt generation— when onboarding, our prompt-generation pipeline crawls your brand domain (and optionally competitor URLs) to extract context for prompt creation. Crawled content is used solely for this purpose and is not stored long-term as raw HTML.
2.3 Sweep results and AI engine responses
- AI engine responses— the verbatim responses returned by ChatGPT, Claude, Perplexity, and Gemini to your brand-specific prompts, collected on the sweep cadence of your plan.
- Brand-visibility scores and trends— processed output derived from raw engine responses.
- GEO site-readiness audit results— structured findings from the automated audit of your domain.
- Google Search Console analytics— if you grant optional read-only GSC access, we sync impression, click, and query data for your domain. This connection is revocable at any time via your Google account.
2.4 Billing information
- Billing email— the email address associated with your PayFast subscription (may differ from your login email).
- PayFast transaction metadata— payment status, subscription ID, amount, and billing date received via PayFast’s ITN (Instant Transaction Notification) webhook. We do not store card numbers or bank account details; PayFast handles all payment-card data under their own PCI-DSS compliance.
2.5 Chatbot messages
If you use the in-dashboard AI chatbot, your messages are transmitted to the Claude (Anthropic) API to generate a response. We retain your chatbot conversations — your questions and the assistant’s replies — in our database for up to 30 days to preserve conversation context and to monitor for abuse, after which they are automatically and permanently deleted.
2.6 Usage and operational logs
Standard web-server and application logs (request timestamps, error traces, page paths) are retained for debugging and security purposes. Logs do not include the content of AI engine responses or your brand configuration in searchable form.
2.7 What we do not collect
- Card numbers or bank account details (handled exclusively by PayFast).
- Special personal information as defined by POPIA §26 (biometrics, health, race, etc.).
- Children’s personal information (the Service is not directed at persons under 18).
- Third-party advertising or behavioural tracking data.
3. Why we collect it — lawful basis (POPIA §11)
- Contract performance(POPIA §11(1)(b)) — the primary basis. Processing your account information, brand data, prompts, sweep results, and billing metadata is necessary to provide the subscription Service you have purchased.
- Legitimate interest(POPIA §11(1)(f)) — processing sign-in metadata (IP, user-agent) for security and fraud prevention, and generating de-identified aggregated benchmarks for product improvement.
- Legal obligation(POPIA §11(1)(c)) — retaining payment records to comply with SARS record-keeping requirements.
4. Who we share your information with — sub-processors
We engage the following data processors to deliver the Service. Each receives only the minimum data necessary for its function and is bound by a Data Processing Agreement (DPA) or equivalent contractual commitment.
| Processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Primary database (account, brand data, sweep results, billing metadata) | Ireland (eu-west-1) |
| Vercel Inc. | Hosting and serving the web application; serverless function execution | USA company; functions for SA traffic run in Frankfurt, Germany (fra1) |
| DigitalOcean LLC | VPS worker host (aaa-audit-01) that runs the sweep engine; processes brand prompts and receives raw AI engine responses | USA |
| OpenAI Inc. | Prompt generation from your domain content; ChatGPT engine measurement sweep; AI-generated insights (OpenAI models) | USA |
| Anthropic PBC | Claude engine measurement sweep; in-dashboard chatbot responses | USA |
| Perplexity AI Inc. | Perplexity engine measurement sweep | USA |
| Google LLC | Gemini engine measurement sweep; optional Google Search Console read-only integration (with your explicit OAuth consent) | USA |
| OpenRouter Inc. | API transport layer for Gemini sweep; prompts are relayed through OpenRouter to the Google Gemini API | USA |
| Resend Inc. | Transactional email delivery (magic-link sign-ins, notifications) | USA |
| PayFast (Pty) Ltd | Payment processing; recurring subscription billing; refund management. PayFast is a South African entity and handles all card data under PCI-DSS | South Africa |
| AAA Audit Engine (in-house) | Automated GEO site-readiness audit of your domain; returns structured audit findings. Operated by Auto Alpha Advisory on separate infrastructure | EU |
We do not sell your personal information to any third party. We do not share your information with advertisers, data brokers, or marketing platforms.
5. Cross-border transfers (POPIA §72)
Several sub-processors listed above are located in the United States, which is not subject to a POPIA adequacy finding. Transfers to these processors are permitted under POPIA §72 on the basis that each processor is bound by contractual obligations (via their published DPA or terms of service) that afford substantially similar protections to those in POPIA, and we have assessed that adequate safeguards are in place. The processors concerned are: Vercel Inc., DigitalOcean LLC, OpenAI Inc., Anthropic PBC, Perplexity AI Inc., Google LLC, OpenRouter Inc., and Resend Inc.
Your data is stored at rest in Ireland (Supabase eu-west-1), which is subject to the GDPR — a regime that POPIA is modelled on and that provides comparable protections.
6. How long we keep your information
We retain personal information only as long as necessary for the purposes set out below:
- Active subscription data(account details, brand configuration, sweep results) — retained for the duration of your subscription.
- Post-cancellation— brand configuration and sweep results are retained for 30 days after subscription end to allow a data export on request, then deleted or anonymised.
- Payment records(billing metadata, PayFast transaction IDs, amounts) — retained for 5 years from the transaction date to comply with SARS record-keeping obligations under the Tax Administration Act.
- Security logs(IP, user-agent, sign-in events) — retained for 12 months, then deleted.
- Inactive accounts(no paid subscription, no activity) — deleted after 12 months of inactivity.
7. Security
We apply the following safeguards:
- Data is encrypted at rest (Supabase AES-256) and in transit (TLS 1.3).
- Postgres Row-Level Security (RLS) is enforced on every table that holds personal or tenant-specific data — database queries cannot return another tenant’s records even if the application layer has a bug.
- Authentication uses magic links (no password to leak) or Google OAuth. No plaintext credentials are stored.
- API keys for AI sub-processors are stored as environment secrets; they are not accessible in application code or client-side bundles.
No system is perfectly secure. If we become aware of a personal information breach that is likely to cause harm to you, we will notify the Information Regulator and affected data subjects as required by POPIA §22.
8. Your rights under POPIA
You have the right to:
- Access (§23) — request a copy of the personal information we hold about you.
- Correction (§24) — request that inaccurate information be corrected.
- Deletion (§24) — request deletion of your personal information, subject to our legal-retention obligations.
- Objection (§11(3)) — object to processing based on legitimate interest.
- Complaint — if you are dissatisfied with how we handle your information or your request, you may complain to the Information Regulator at inforegulator.org.za.
To exercise any of the above rights, email hello@autoalphaadvisory.co.za with the subject “POPIA Request”. We will respond within 7 business days.
9. Cookies and analytics
We use a minimal cookie footprint:
- Supabase Auth session cookie— set when you sign in; stores your encrypted session token. Necessary for the authenticated dashboard to function. Expires when you sign out or after the session timeout.
- No third-party advertising or analytics cookies. We do not use Google Analytics, Meta Pixel, or similar tracking technologies.
10. Direct marketing and email communications (POPIA §69)
We send two kinds of email, and we treat them differently under POPIA §69:
- Transactional and service emails are not direct marketing. These include magic-link sign-in codes, billing receipts, sweep-completion notifications, drift alerts, and the monthly AIV Index digest. They form part of the subscription Service you have purchased and are sent on the lawful basis of contract performance (§11(1)(b)). The monthly digest is a contracted plan feature — you can turn it off at any time in your dashboard account settings.
- Promotional and marketing emails are opt-in only. If we ever send electronic direct marketing (for example, news about new features, offers, or other Auto Alpha Advisory products), we will do so under POPIA §69 only where you have consented, or where you are an existing customer and the marketing relates to similar products or services. Every such message carries a clear, free opt-out (unsubscribe) mechanism, and you can withdraw consent at any time using that link or by emailing hello@autoalphaadvisory.co.za.
11. Changes to this Privacy Policy
We may update this Policy to reflect changes in the Service or applicable law. For material changes (new data categories, new sub-processors, or changes to your rights), we will notify you by email at least 14 days before the change takes effect. The “Last updated” date at the top of this page always reflects the most recent version.
12. Contact
Auto Alpha Advisory (Pty) Ltd
Cape Town, South Africa
General: hello@autoalphaadvisory.co.za
Information Officer (POPIA requests): hello@autoalphaadvisory.co.za