Privacy Policy

1. Introduction

Indaba (Pty) Ltd ("Indaba", "we", "us", or "our") is committed to protecting your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your data when you use our platform and services.

This policy complies with the Protection of Personal Information Act, 2013 (POPIA) of South Africa. For users in the European Union, we also comply with the General Data Protection Regulation (GDPR).

2. Information We Collect

Information you provide

• Account registration details (name, email, phone number, company name)
• Billing information (processed by our payment provider; we do not store card details)
• Organisation details (company size, industry, BEE level, address)
• Content you upload (documents, proposals, rate cards, research data)
• Communications with our support team

Information collected automatically

• Device and browser information (type, operating system, screen resolution)
• IP address and approximate location
• Usage data (pages visited, features used, time spent, click patterns)
• Log data (access times, error logs, referral URLs)

Information from third parties

• Data from integrated services (Pipedrive, Zapier) when you authorise a connection
• Publicly available business information used for lead enrichment

3. How We Use Your Information

We process your personal information for the following purposes:

• Providing and maintaining the Service
• Processing subscriptions and payments
• AI-powered features (lead scoring, gap analysis, strategy generation)
• Communicating service updates, security alerts, and support messages
• Improving our products through anonymised, aggregated analytics
• Complying with legal obligations
• Detecting, preventing, and addressing fraud or security issues

We will not use your personal information for purposes incompatible with those listed above without your consent.

4. Data Sharing

We do not sell your personal information. We may share data with:

• Service providers: Cloud hosting (South African data centres), payment processors, email delivery, and analytics providers, all bound by data processing agreements.
• Integrated services: Third-party tools you explicitly connect (e.g., Pipedrive, Zapier).
• Legal requirements: When required by law, court order, or government regulation.
• Business transfers: In the event of a merger, acquisition, or sale of assets, with prior notice to you.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Account data: retained while your account is active, plus 30 days after deletion request
• Billing records: retained for 5 years as required by South African tax law
• Usage analytics: retained in anonymised form indefinitely
• Support communications: retained for 2 years after resolution
• Uploaded documents: deleted within 30 days of account termination

6. Your Rights

Under POPIA (and GDPR for EU users), you have the following rights:

• Right of access: Request a copy of the personal information we hold about you.
• Right to correction: Request correction of inaccurate or incomplete data.
• Right to deletion: Request deletion of your personal information, subject to legal retention requirements.
• Right to object: Object to the processing of your data for direct marketing purposes.
• Right to data portability: Receive your data in a structured, machine-readable format (CSV/JSON export available in your account settings).
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact our Information Officer using the details below. We will respond within 30 days.

7. Cookies & Tracking

We use the following types of cookies:

• Essential cookies: Required for authentication, session management, and security. Cannot be disabled.
• Analytics cookies: Help us understand how users interact with the platform. Can be disabled in your browser settings.
• Preference cookies: Remember your settings (theme, language, division). Can be disabled.

We do not use advertising cookies or third-party tracking pixels. You can manage cookie preferences in your browser settings.

8. Security

We implement industry-standard security measures including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Row-level security (RLS) on all database tables
• Regular security audits and penetration testing
• Access controls with role-based permissions
• Incident response procedures with 24-hour notification

9. International Transfers

By default, all data is stored in South African data centres. If data is transferred outside South Africa (e.g., for EU-based customers selecting an EU region), we ensure adequate protection through standard contractual clauses or equivalent safeguards as required by POPIA Section 72 and GDPR Chapter V.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.