POPIA disclosure (South Africa)
Last updated: 2026-06-24 Applies to: Ikigai ADE (Pty) Ltd, registered in South Africa.
This page satisfies the disclosure requirements of the Protection of Personal Information Act 4 of 2013 (POPIA), in particular:
- Section 18 (notification of collection)
- Section 19 (security safeguards)
- Section 22 (notification of compromise)
- Section 23 (data subject participation)
- Section 71 (automated decision-making)
1. Responsible Party
Ikigai ADE (Pty) Ltd Information Officer: Mohamed Sidiyot Contact: mohamedsidiyot@gmail.com Information Regulator registration: in progress (targeted Q3 2026)
2. Categories of personal information processed
| Category | Source | Why |
|---|---|---|
| Account: name, email, password (hashed) | Signup form | Authentication, support |
| Billing: name, email, card last-4 (tokenized) | Paystack | Subscription management |
| Usage: prompts, model outputs, agent memory | Customer's product use | Service delivery |
| CRM (customer's own customers): names, emails, companies | Customer-uploaded | Customer's outreach workflows |
| Technical: IP, browser, timestamps | Automatic | Security, abuse prevention |
| Brain content: text, preferences | Customer-edited | Per-tenant agent customization |
3. Purpose
Personal information is processed to:
- Provide the Ikigai ADE product (10 AI Intelligence skills + Brain Sync).
- Bill subscriptions.
- Detect abuse, fraud, and security incidents.
- Improve agent quality via aggregated, anonymised, de-identified evaluation logs (lawful basis: legitimate interest in improving the service).
4. Subprocessors
Full list at /legal/subprocessors. Briefly: Vercel (hosting), Supabase (database), Cloudflare (CDN), Paystack (billing), and the LLM providers selected per-request by the customer.
5. Cross-border transfers
POPIA Section 72: Some processing occurs outside South Africa.
- USA: Vercel, Supabase, Anthropic, OpenAI, Google, Groq, Nvidia.
- EU: Better Stack (Germany).
- Asia: Alibaba DashScope (Singapore), Moonshot, DeepSeek (China).
All subprocessors are bound by Data Processing Agreements (DPAs) that include adequate protections in line with POPIA Section 72(1)(a) (substantially similar protection).
6. Retention
- Account + brain content: while subscription is active + 30 days after cancellation, then permanent deletion (unless legal hold).
- Billing records: 7 years (Tax Administration Act, Section 29).
- Eval logs (anonymized after 90 days): retained indefinitely for product improvement.
- Logs (Better Stack): 7 days on free tier.
7. Your rights (Section 23-25)
You may:
- Access your personal information at any time (
/accountExport My Data). - Correct inaccurate information.
- Delete your account and all personal information (
/accountDelete Account), except records required by law. - Object to processing (POPIA s11(3) - email mohamedsidiyot@gmail.com).
- Lodge a complaint with the Information Regulator: complaints.IR@justice.gov.za / +27 12 406 4818.
Request deadline: 30 days.
8. Automated decision-making (Section 71)
Some Ikigai products produce automated outputs that may affect data subjects:
- Sales Intelligence: agentic outreach via email/SMS/voice/Telegram. Recipient lists are uploaded by the customer.
- Marketing Intelligence: audience segmentation suggestions.
- Trading Intelligence: market analysis (not investment advice).
These are decision-support tools, not autonomous decisions. A human in the customer's workflow is required to approve any external action (send, post, invest). Customers receive a clear disclosure at signup that they (the operator of the automated system) bear responsibility for outputs delivered to third parties.
If you (a third-party data subject - e.g., a recipient of an outreach email) believe an automated process produced a decision affecting you, please contact mohamedsidiyot@gmail.com. We will:
- Identify the customer who initiated the workflow.
- Cooperate in providing information and remedies under POPIA s71.
9. Security safeguards (Section 19)
- TLS 1.3 in transit; Supabase AES-256 at rest.
- Row-Level Security (RLS) policies enforce per-tenant isolation; verified by automated cross-tenant test suite on every code change.
- Secrets rotated on a defined schedule; service-role access logged.
- Annual penetration test budget allocated post-first-enterprise-contract.
10. Compromise notification (Section 22)
In the unlikely event of a personal-information compromise, we will notify:
- The Information Regulator within 72 hours.
- Affected data subjects within 72 hours, in writing.
- A breach-notification template is maintained internally.
11. Updates
Material changes are notified at least 30 days in advance via email + this page.
12. Contact
Information Officer: Mohamed Sidiyot, mohamedsidiyot@gmail.com Postal address: available on request (mohamedsidiyot@gmail.com)