Privacy policy
Last updated: 15 April 2026
This privacy policy explains how aiactly ("we", "us", "our") collects, uses, and protects your personal data when you use our platform ("Service"). We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable South African data protection laws (POPIA).
1. Data controller
aiactly is the data controller for the personal data processed through the Service. For privacy enquiries, please contact us.
2. Data we collect
Account data
When you create an account, we collect:
- Email address — for authentication and communication
- Full name — for personalisation and document generation
- Organisation name — for multi-user context and document generation
- Password — stored as an irreversible hash (Argon2); we never store or see your password in plain text
Google sign-in
If you sign in with Google, we receive your name and email address from Google. We do not access your Google contacts, calendar, or any other Google data.
AI system data
You voluntarily provide information about your AI systems, including system names, descriptions, intended purposes, risk classifications, and compliance documentation content. This data belongs to you and is used solely to provide the Service.
Billing data
Payment processing is handled by Stripe. We do not store credit card numbers or bank details. We receive only a Stripe customer identifier to manage your subscription.
Usage data
We use Umami, a privacy-focused analytics tool, to collect anonymous usage statistics. Umami does not use cookies, does not collect personal data, and respects Do Not Track settings. No data is shared with third parties.
3. How we use your data
We process your data for the following purposes:
- Service delivery — authenticating your account, generating documents, tracking compliance progress
- Communication — responding to support requests, sending service-related notifications
- Billing — managing subscriptions via Stripe
- Improvement — anonymous analytics to understand usage patterns and improve the Service
Legal basis (GDPR)
- Contract performance (Article 6(1)(b)) — processing necessary to provide the Service you signed up for
- Legitimate interest (Article 6(1)(f)) — anonymous analytics, security, and fraud prevention
- Consent (Article 6(1)(a)) — optional marketing communications (if we add these in future)
4. Data sharing
We do not sell your personal data. We share data only with:
- Stripe — for payment processing (Stripe privacy policy)
- Google — only if you use Google sign-in, and only for authentication (Google privacy policy)
- Infrastructure providers — our hosting provider processes data on our behalf under appropriate data processing agreements
We do not share your AI system data, compliance information, or generated documents with any third party.
5. Data retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
Anonymous analytics data (which cannot identify you) may be retained indefinitely.
6. Data security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS)
- Password hashing with Argon2
- CSRF protection on all state-changing requests
- Rate limiting on authentication endpoints
- Secure, HttpOnly session cookies
7. Your rights
Under GDPR and POPIA, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service
- Object to processing based on legitimate interest
- Withdraw consent where processing is based on consent
To exercise any of these rights, please contact us. We will respond within 30 days.
8. Cookies
We use only essential cookies required for the Service to function:
- access_token — authentication session (HttpOnly, Secure, 7-day expiry)
- _csrf — CSRF protection token (24-hour expiry)
- session — temporary session data for OAuth flow
We do not use advertising, tracking, or third-party cookies. Our analytics (Umami) is cookieless.
9. International transfers
Your data may be processed in countries outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions.
10. Children
The Service is not intended for individuals under 16. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or through the Service. The "last updated" date at the top indicates the most recent revision.
12. Contact
For privacy-related enquiries, please contact us.