aiactly
Start free
Articles AI Act guide How it works Log in

Privacy policy

Last updated: 17 May 2026

This privacy policy explains how aiactly ("we", "us", "our") collects, uses, and protects your personal data when you use our platform ("Service"). We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable South African data protection laws (POPIA).

1. Data controller

aiactly is the data controller for the personal data processed through the Service. For privacy enquiries, please contact us.

2. Data we collect

Account data

When you create an account, we collect:

  • Email address - for authentication and communication
  • Full name - for personalisation and document generation
  • Organisation name - for multi-user context and document generation
  • Password - stored as an irreversible hash (Argon2); we never store or see your password in plain text

Google sign-in

If you sign in with Google, we receive your name and email address from Google. We do not access your Google contacts, calendar, or any other Google data.

AI system data

You voluntarily provide information about your AI systems, including system names, descriptions, intended purposes, risk classifications, and compliance documentation content. This data belongs to you and is used solely to provide the Service.

Usage data

We use two analytics tools to understand how AIActly is used:

  • Umami - a privacy-focused, cookieless analytics tool that collects anonymous, aggregated usage statistics. Umami does not set cookies, does not collect personal data, and respects Do Not Track settings. Always on.
  • Google Analytics 4 - opt-in only. If you accept analytics cookies via our consent banner, GA4 helps us understand which pages, content, and flows are useful. We have configured GA4 with EU-region data processing, IP truncation, the strictest data-retention setting, and Google Signals disabled, so no data is fed into Google's advertising graph. If you reject, GA4 runs in consent mode: it may send anonymous, cookieless pings used only for aggregate counts, with no identifiers stored on your device.

Advertising

We display advertising provided by Google AdSense on public pages of the Service. Google may use cookies to serve ads based on your prior visits to this and other websites. If you have rejected analytics and advertising cookies via our consent banner, Google runs in non-personalised mode and serves contextual ads only. You can manage your ad preferences at any time at Google Ads Settings. See the Google advertising policy for details.

3. How we use your data

We process your data for the following purposes:

  • Service delivery - authenticating your account, generating documents, tracking compliance progress
  • Communication - responding to support requests, sending service-related notifications
  • Improvement - anonymous analytics to understand usage patterns and improve the Service
  • Advertising - serving ads on public pages to support the free Service (via Google AdSense)

Legal basis (GDPR)

  • Contract performance (Article 6(1)(b)) - processing necessary to provide the Service you signed up for
  • Legitimate interest (Article 6(1)(f)) - anonymous analytics, security, and fraud prevention
  • Consent (Article 6(1)(a)) - optional marketing communications (if we add these in future)

4. Data sharing

We do not sell your personal data. We share data only with:

  • Google - if you use Google sign-in (for authentication); Google Analytics 4 (for aggregated usage statistics, if you have accepted analytics cookies); and Google AdSense (for serving ads on public pages). See the Google privacy policy.
  • Infrastructure providers - our hosting provider processes data on our behalf under appropriate data processing agreements

We do not share your AI system data, compliance information, or generated documents with any third party.

5. Data retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.

Anonymous analytics data (which cannot identify you) may be retained indefinitely.

6. Data security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS)
  • Password hashing with Argon2
  • CSRF protection on all state-changing requests
  • Rate limiting on authentication endpoints
  • Secure, httponly session cookies

7. Your rights

Under GDPR and POPIA, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing of your data
  • Port your data to another service
  • Object to processing based on legitimate interest
  • Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us. We will respond within 30 days.

8. Cookies

We distinguish between cookies the Service cannot function without, and optional cookies you can accept or reject via the consent banner shown on your first visit.

Essential cookies (always on)

  • access_token - authentication session (httponly, secure, 7-day expiry)
  • _csrf - CSRF protection token (24-hour expiry)
  • session - temporary session data for OAuth flow

Analytics cookies (opt-in)

If you click Accept on the cookie banner, Google Analytics 4 sets cookies (typically _ga and _ga_<property-id>) to recognise repeat visits and produce aggregated statistics. If you click Reject, GA4 runs in consent mode and sends only anonymous, cookieless pings - no identifiers are stored on your device.

Your choice is recorded in your browser's local storage under aiactly_consent. To change it, clear that entry in your browser's site data and reload the page; the banner will appear again.

Umami analytics is always on and is cookieless by design.

9. International transfers

Your data may be processed in countries outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place:

  • Google (Analytics, sign-in) self-certifies under the EU-US Data Privacy Framework, the adequacy decision adopted by the European Commission in July 2023. GA4 is configured with EU-region data processing where supported.
  • Other providers rely on Standard Contractual Clauses (SCCs) and, where appropriate, supplementary technical and organisational measures.

10. Children

The Service is not intended for individuals under 16. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or through the Service. The "last updated" date at the top indicates the most recent revision.

12. Contact

For privacy-related enquiries, please contact us.

Advertisement