Dootsa

Privacy Policy

Version 1.7 · Effective: 1 March 2025 · Last Updated: 20 May 2026

This Privacy Policy should be read together with our Terms of Service and Cookie Policy. Business and Creator accounts should also review Creator obligations (Terms §9). For framework positioning, see our Trust and Compliance page.

1. Introduction

Dootsa (Pty) Ltd (“Dootsa”, “we”, “us”, “our”) operates the websites dootsa.com and dootsa.co.za (the “Platform”). We are committed to protecting your personal information in compliance with the South African Protection of Personal Information Act 4 of 2013 (POPIA), the EU General Data Protection Regulation (GDPR), and all other applicable data protection legislation.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have in relation to your data.

2. Data Controller & Information Officer

2.1 Data Controller

The Data Controller (the entity that determines the purposes and means of processing personal data) is Dootsa (Pty) Ltd, registered in the Republic of South Africa.

2.2 Information Officer

Our designated Information Officer (as required by POPIA Section 55) is responsible for ensuring compliance and can be contacted at:

  • Email: privacy@dootsa.com
  • Postal Address: Dootsa (Pty) Ltd, South Africa

For EU/EEA data subjects, you may also contact our EU representative at the same email address.

3. Personal Information We Collect

We collect the following categories of personal information:

3.1 Account Information

  • Full name, email address, password (stored as a one-way hash)
  • Date of birth (for age verification only — we do not store exact age)
  • Identity verification details where required (South African ID number hash, passport number hash, and verification status)
  • Phone number (optional, if provided during invitation)
  • Account type (survey participant or business)

3.2 Profile Data

  • Living standards measure (LSM) and income bracket
  • Demographic information (age group, location, language)
  • Purchasing preferences and brand affinities
  • Media consumption and lifestyle preferences
  • Personality and values indicators
  • Government employment indicator and selected national department (when provided)

Important: Profile data is collected through our profiling questionnaire with your explicit, informed consent. This data is used to match you with relevant surveys and is shared with survey creators only in anonymised, aggregated form. Individual profile data is never sold or shared in identifiable form.

3.3 Survey Response Data

  • Answers you provide when completing surveys
  • Tags derived from your responses (used for audience matching)
  • Cross-survey linkage metadata (for example shared answer themes and recommendation scores)
  • Indexed search linkage fields that reference survey number, question number, and follow-up depth to improve creator discoverability flows
  • Impact cluster labels and confidence scores used internally for audience planning
  • Response archive and restore audit events performed by authorised staff/admins

3.4 Transaction Data

  • Points earned and redeemed
  • Redemption history (items, shipping addresses)

3.5 Technical Data

  • IP address, browser type, device type
  • Cookies and session identifiers
  • Access logs and timestamps
  • Mobile device metadata and integrity signals (for example OS version, app version, device identifiers, emulator/root indicators, and attestation status where available)
  • Browser extension technical data where enabled, including extension API base URL setting and extension auth token references stored in browser local extension storage
  • Website maintenance-notice delivery telemetry (for example notice state and render events) used to keep update messaging reliable

3.6 Business Account Data (Creators)

  • Business name, registration number, VAT number
  • Business address and billing information

3.7 Browser Extension Signal Data

  • Current tab page URL when you explicitly submit a brand-interest signal from the extension
  • Optional brand hint and optional free-text note entered by the user
  • Aggregated host-level signal counts used for outreach prioritization

3.8 Communications Metadata

  • Notification delivery channel metadata for email, push, and SMS delivery attempts
  • SMS provider message references and delivery status fields when SMS notifications are enabled

4. Legal Basis for Processing

GDPR Art. 6 / POPIA s11

| Purpose | Legal Basis |
| --- | --- |
| Account creation and authentication | Contract performance |
| Profile questionnaire data | Explicit consent |
| Survey response collection | Consent (per survey) |
| Cross-survey tagging and audience matching | Explicit consent |
| Points and rewards processing | Contract performance |
| Invoicing and billing | Legal obligation / Contract |
| Fraud prevention and security | Legitimate interest |
| Device integrity checks and risk tiering | Legitimate interest |
| Audit logging | Legal obligation (POPIA s19) |
| Marketing communications | Consent (opt-in only) |
| Call-centre onboarding assistance | Consent (verbal/recorded at call) + contract |
| Staff rectification on request | POPIA s24 / GDPR Art. 16 |
| Fraud prevention account hold | Legitimate interest + legal obligation |
| AI-assisted insights | Legitimate interest (aggregated, anonymised) |

5. How We Use Your Information

  • To create and manage your account
  • To match you with relevant surveys based on your profile
  • To award points and process reward redemptions
  • To provide survey creators with anonymised, aggregated audience insights
  • To generate AI-powered research insights (using anonymised data only)
  • To generate department-aware and cluster-aware audience matching for approved internal teams
  • To maintain archive lifecycle controls for research quality, integrity, and compliance
  • To prevent fraud and ensure platform security
  • To comply with legal and regulatory obligations
  • To send marketing communications (only if you opt in)

6. Data Sharing and Third Parties

We may share your information with:

  • Survey creators: Anonymised, aggregated responses only. Your identity is never disclosed to survey creators.
  • Rewards fulfilment partners: Shipping address and name for physical item delivery only.
  • AI processing: We use DooAI (our configured AI inference) for insight generation. Only anonymised, aggregated data is sent to AI providers. No personal identifiers are transmitted.
  • Communications providers: We may use approved SMS/email delivery providers to send transactional notifications and service updates.
  • Product analytics (PostHog): When you accept analytics cookies, we use PostHog (EU-hosted by default) for aggregated product usage metrics. No advertising profiles are created. A Data Processing Agreement is required before production analytics is enabled.
  • Legal authorities: Where required by law, court order, or regulation.

We do not sell your personal information. We do not share your individual-level data with advertisers or data brokers.

7. Data Processing Agreements

Where we engage third-party Data Processors to process personal data on our behalf, we ensure:

  1. All Data Processors comply with applicable data protection laws, including POPIA and GDPR (if applicable).
  2. All personnel handling personal data are bound by confidentiality obligations.
  3. Appropriate technical and organisational measures are implemented to protect personal data, including access controls to limit unauthorised access.
  4. No sub-processors are engaged without our prior written consent. If approved, sub-processors must comply with the same data protection standards.
  5. We are notified without undue delay (within 24–48 hours) of any data breach affecting personal data.

8. Cross-Border Data Transfers

Your data is primarily stored on servers in South Africa. Where data is transferred internationally (e.g., to AI processing providers or reward fulfilment partners), we ensure adequate safeguards are in place as required by POPIA section 72 and GDPR Chapter V, including standard contractual clauses and adequacy decisions where applicable.

Some reward partners (including telecommunications providers, voucher platforms, and licensed bank disbursement partners for mobile recognition credits) may process personal information outside South Africa when you redeem points. Dootsa ensures any such cross-border transfer complies with section 72 of POPIA by:

  • Concluding binding data transfer agreements incorporating POPIA-equivalent protections;
  • Obtaining your consent for such transfers during the redemption process;
  • Restricting transfers to countries with adequate data protection laws where possible.

You may withdraw consent for cross-border transfers at any time by contacting privacy@dootsa.com or through your Privacy & Data settings, but this may prevent reward delivery for affected redemptions. See also our Terms of Service (§6.7) for categories of data shared with fulfilment partners.

9. Data Retention

  • Account data: Retained while your account is active. After you request deletion, live profile and survey data are removed within 30 days (grace period). A minimal compliance record (hashed identifiers and audit metadata) may be retained for up to 5 years to prevent fraud and meet legal obligations — this is not restored if you register again.
  • Deleted-account registry: When an account is permanently deleted, we retain a pseudonymised index (hashed email, phone, and identity document fingerprints) and a staff-only compliance archive for fraud prevention and regulatory audit. Retention defaults to 5 years unless a shorter period applies by law. Re-registration creates a new account; prior data is not automatically restored.
  • Call-centre quick-intake answers: Retained for 24 months after session completion, then anonymised or deleted.
  • Survey responses: Retained for the duration of the survey plus 2 years for research integrity.
  • Consent records: Retained for 5 years after the consent event (legal obligation).
  • Audit logs: Retained for 5 years (regulatory compliance).
  • Financial records: Retained for 7 years (tax and accounting requirements).

10. Your Rights

Under POPIA and GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@dootsa.com or use the relevant feature in your Privacy & Data settings.

Right of Access (POPIA s23 / GDPR Art. 15)

Request a copy of all personal data we hold about you. You can export your data from your account settings.

Right to Correction (POPIA s24 / GDPR Art. 16)

Request correction of inaccurate personal data.

Right to Deletion (POPIA s24 / GDPR Art. 17)

Request deletion of your account and personal data. Live profile data is scheduled for removal within 30 days; limited compliance records may be retained for fraud prevention as described in Section 9. Re-registering with the same email starts a new account — prior data is not restored.

Right to Restrict Processing (GDPR Art. 18)

Request that we limit how we use your data.

Right to Data Portability (GDPR Art. 20)

Receive your data in a structured, machine-readable format.

Right to Object (POPIA s11(3) / GDPR Art. 21)

Object to processing based on legitimate interests.

Right to Withdraw Consent (POPIA s11(2)(a) / GDPR Art. 7(3))

Withdraw any consent you have given, at any time, without affecting the lawfulness of prior processing.

11. Cookies

We use strictly necessary cookies for authentication and session management. For details, see our Cookie Policy.

12. Children

The Platform is not intended for persons under the age of 18. We do not knowingly collect personal information from children. If you are under 18, you may not use the Platform. If we become aware that we have collected personal information from a person under 18, we will delete that data promptly.

13. Security Measures

We implement appropriate technical and organisational measures to protect your personal information (POPIA s19 / GDPR Art. 32), including:

  • Passwords stored using bcrypt one-way hashing
  • JWT-based session authentication with httpOnly cookies
  • Role-based access control (RBAC)
  • Server-side input validation
  • Audit logging of administrative actions
  • Rate limiting and bot detection
  • Access controls to limit unauthorised access to personal data
  • Short-lived token and session design for mobile and SDK-based integrations
  • Risk-based controls for untrusted clients, including device integrity checks where available

No client-side environment can be guaranteed secure. Forked or modified Android distributions may provide weaker security assurances than certified device environments. We may apply feature restrictions, additional verification, or fraud controls to reduce abuse and protect user data.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Regulator (POPIA s22) and, where applicable, your local Data Protection Authority (GDPR Art. 33) without undue delay (within 72 hours). Affected data subjects will be notified directly where the breach is likely to result in high risk (GDPR Art. 34).

15. Complaints

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with:

  • South Africa: The Information Regulator — inforegulator.org.za
  • EU: Your local Data Protection Authority

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice on the Platform. The version number and effective date at the top of this page indicate the latest revision. Continued use of the Platform after changes constitutes acceptance of the updated policy.

17. Contact Us

For any privacy-related enquiries:

  • Privacy: privacy@dootsa.com
  • Legal: legal@dootsa.com
  • Support: help@dootsa.com

By using Dootsa's website or services, you acknowledge that you have read and understood this Privacy Policy. Thank you for choosing Dootsa.