Privacy Policy

1. Introduction

Dootsa (Pty) Ltd (“Dootsa”, “we”, “us”, “our”) operates the websites dootsa.com and dootsa.co.za (the “Platform”). We are committed to protecting your personal information in compliance with the South African Protection of Personal Information Act 4 of 2013 (POPIA), the EU General Data Protection Regulation (GDPR), and all other applicable data protection legislation.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have in relation to your data.

2. Data Controller & Information Officer

2.1 Data Controller

The Data Controller (the entity that determines the purposes and means of processing personal data) is Dootsa (Pty) Ltd, registered in the Republic of South Africa.

2.2 Information Officer

Our designated Information Officer (as required by POPIA Section 55) is responsible for ensuring compliance and can be contacted at:

• Email: privacy@dootsa.com
• Postal Address: Dootsa (Pty) Ltd, South Africa

For EU/EEA data subjects, you may also contact our EU representative at the same email address.

3. Personal Information We Collect

We collect the following categories of personal information:

3.1 Account Information

• Full name, email address, password (stored as a one-way hash)
• Date of birth (for age verification only — we do not store exact age)
• Phone number (optional, if provided during invitation)
• Account type (survey participant or business)

3.2 Profile Data

• Living standards measure (LSM) and income bracket
• Demographic information (age group, location, language)
• Purchasing preferences and brand affinities
• Media consumption and lifestyle preferences
• Personality and values indicators

Important: Profile data is collected through our profiling questionnaire with your explicit, informed consent. This data is used to match you with relevant surveys and is shared with survey creators only in anonymised, aggregated form. Individual profile data is never sold or shared in identifiable form.

3.3 Survey Response Data

• Answers you provide when completing surveys
• Tags derived from your responses (used for audience matching)

3.4 Transaction Data

• Points earned and redeemed
• Redemption history (items, shipping addresses)

3.5 Technical Data

• IP address, browser type, device type
• Cookies and session identifiers
• Access logs and timestamps
• Mobile device metadata and integrity signals (for example OS version, app version, device identifiers, emulator/root indicators, and attestation status where available)

3.6 Business Account Data (Creators)

• Business name, registration number, VAT number
• Business address and billing information

4. Legal Basis for Processing

GDPR Art. 6 / POPIA s11

5. How We Use Your Information

• To create and manage your account
• To match you with relevant surveys based on your profile
• To award points and process reward redemptions
• To provide survey creators with anonymised, aggregated audience insights
• To generate AI-powered research insights (using anonymised data only)
• To prevent fraud and ensure platform security
• To comply with legal and regulatory obligations
• To send marketing communications (only if you opt in)

6. Data Sharing and Third Parties

We may share your information with:

• Survey creators: Anonymised, aggregated responses only. Your identity is never disclosed to survey creators.
• Rewards fulfilment partners: Shipping address and name for physical item delivery only.
• AI processing: We use DeepSeek for insight generation. Only anonymised, aggregated data is sent to AI providers. No personal identifiers are transmitted.
• Legal authorities: Where required by law, court order, or regulation.

We do not sell your personal information. We do not share your individual-level data with advertisers or data brokers.

7. Data Processing Agreements

Where we engage third-party Data Processors to process personal data on our behalf, we ensure:

1. All Data Processors comply with applicable data protection laws, including POPIA and GDPR (if applicable).
2. All personnel handling personal data are bound by confidentiality obligations.
3. Appropriate technical and organisational measures are implemented to protect personal data, including access controls to limit unauthorised access.
4. No sub-processors are engaged without our prior written consent. If approved, sub-processors must comply with the same data protection standards.
5. We are notified without undue delay (within 24–48 hours) of any data breach affecting personal data.

8. Cross-Border Data Transfers

Your data is primarily stored on servers in South Africa. Where data is transferred internationally (e.g., to AI processing providers), we ensure adequate safeguards are in place as required by POPIA Section 72 and GDPR Chapter V, including standard contractual clauses and adequacy decisions.

9. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Survey responses: Retained for the duration of the survey plus 2 years for research integrity.
• Consent records: Retained for 5 years after the consent event (legal obligation).
• Audit logs: Retained for 5 years (regulatory compliance).
• Financial records: Retained for 7 years (tax and accounting requirements).

10. Your Rights

Under POPIA and GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@dootsa.com or use the relevant feature in your Privacy & Data settings.

11. Cookies

We use strictly necessary cookies for authentication and session management. For details, see our Cookie Policy.

12. Children

The Platform is not intended for persons under the age of 18. We do not knowingly collect personal information from children. If you are under 18, you may not use the Platform. If we become aware that we have collected personal information from a person under 18, we will delete that data promptly.

13. Security Measures

We implement appropriate technical and organisational measures to protect your personal information (POPIA s19 / GDPR Art. 32), including:

• Passwords stored using bcrypt one-way hashing
• JWT-based session authentication with httpOnly cookies
• Role-based access control (RBAC)
• Server-side input validation
• Audit logging of administrative actions
• Rate limiting and bot detection
• Access controls to limit unauthorised access to personal data
• Short-lived token and session design for mobile and SDK-based integrations
• Risk-based controls for untrusted clients, including device integrity checks where available

No client-side environment can be guaranteed secure. Forked or modified Android distributions may provide weaker security assurances than certified device environments. We may apply feature restrictions, additional verification, or fraud controls to reduce abuse and protect user data.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Regulator (POPIA s22) and, where applicable, your local Data Protection Authority (GDPR Art. 33) without undue delay (within 72 hours). Affected data subjects will be notified directly where the breach is likely to result in high risk (GDPR Art. 34).

15. Complaints

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with:

• South Africa: The Information Regulator — inforegulator.org.za
• EU: Your local Data Protection Authority

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice on the Platform. The version number and effective date at the top of this page indicate the latest revision. Continued use of the Platform after changes constitutes acceptance of the updated policy.