Skip to main content
Auto Alpha AdvisoryAuto Alpha Advisory

Legal

Information Officer, responsible party, and lawful processing.

Last updated: 2026-06-07

This notice is published in compliance with section 18 of the Protection of Personal Information Act, 2013 (“POPIA”). It applies to this website, operated by Auto Alpha Advisory, and supplements the Privacy Policy.

1. Responsible party

Auto Alpha Advisory
Registration number: 2025/213512/07
A private company registered in the Republic of South Africa.
Principal place of business: Cape Town, South Africa
Website: autoalphaadvisory.co.za

2. Information Officer

The Information Officer as contemplated in POPIA §1, read with ss55–56, is:

The Information Officer named above is the responsible party’s designated Information Officer for all purposes under POPIA ss55–56.

No deputy Information Officer has been appointed. All POPIA requests should be directed to Matt Owen at the email above.

3. Lawful basis for processing (POPIA §11)

We process personal information on the following lawful bases:

  • Consent (§11(1)(a)) — when you submit the contact form, request a website audit, or download a resource, you consent to us using the details you provide to respond and to deliver what you asked for.
  • Contract performance (§11(1)(b)) — processing your email and order details is necessary to deliver the audit report you have purchased.
  • Legitimate interest (§11(1)(f)) — processing server and security logs (IP address, user-agent) to keep the site available, secure, and free of spam and abuse. In each case, our interest does not override the data subject’s right to privacy.
  • Legal obligation (§11(1)(c)) — retaining payment records (amounts, dates, transaction references) for 5 years pursuant to SARS record-keeping requirements under the Tax Administration Act, 2011.

4. Categories of data subjects and personal information

4.1 Data subjects

  • Enquirers — individuals who contact us via the website or request a website audit or a resource.
  • Customers — individuals who purchase an audit report or engage Auto Alpha Advisory for services.

4.2 Categories of personal information processed

  • Contact information: name, email address, and (optionally) company name and message content
  • Audit request data: the website address you ask us to assess
  • Device and network identifiers: IP address, user-agent string
  • Commercial data: PayFast transaction metadata (payment reference, amount, date)

We do not process special personal information as defined in POPIA §26 (health, biometrics, race, religion, sexual orientation, criminal record, or political persuasion), nor information relating to children.

5. Recipients of personal information — sub-processor list

The following operators (in POPIA terms, “operators” who process personal information on behalf of the responsible party) receive personal information in the course of operating this website and delivering what you request:

OperatorRole / data receivedRegion
Vercel Inc.Website hosting and serverless function execution; processes requests and server logs (IP, user-agent)USA (fra1 edge for SA traffic)
Payfast (Pty) LtdPayment processing for one-time audit purchases; receives payment-card data directly from you and returns transaction metadata via webhook. Handles all card data under PCI-DSSSouth Africa
Google LLC (Google Workspace)Business and transactional email; receives your email address and message content to deliver reports and resources and to receive your enquiriesUSA
Cloudflare, Inc.Anti-spam challenge (Turnstile) on our forms; receives IP address and challenge-interaction dataUSA
DigitalOcean, LLCHosts our website-audit engine, which receives the website address and email you submit to generate your reportUSA

6. Cross-border transfers (§72)

Operating this website involves the transfer of personal information outside South Africa, primarily to processors in the United States (Vercel Inc., Google LLC, Cloudflare, Inc., and DigitalOcean, LLC). South Africa has not issued a general adequacy finding for the United States. We rely on the following basis for these transfers under POPIA §72:

  • Contractual commitments (§72(1)(b)) — each US-based processor is bound by a DPA, standard contractual clauses, or equivalent published processing terms that impose data-protection obligations substantially equivalent to POPIA.

Payment processing (PayFast) is performed within South Africa and does not involve a cross-border transfer.

7. Data-subject rights under POPIA

As a data subject, you have the following rights under POPIA:

  • Right to be notified (§18) — to be informed of what information is collected about you and for what purpose. This notice fulfils that obligation.
  • Right of access (§23) — to request a copy of personal information held about you.
  • Right to correction or deletion (§24) — to request correction of inaccurate information or deletion of information that is no longer necessary, subject to our legal-retention obligations.
  • Right to object (§11(3)) — to object to processing based on legitimate interest; we will cease such processing unless we can demonstrate compelling grounds that override your interests.
  • Right to complain (§73) — to lodge a complaint with the Information Regulator if you believe your rights have been infringed.

To exercise any right, email hello@autoalphaadvisory.co.za with subject “POPIA Request”. We will acknowledge within 3 business days and respond within 7 business days, or notify you if additional time is required.

8. Security safeguards (§19)

We have implemented the following technical and organisational measures:

  • All personal information is transmitted over encrypted connections (HTTPS / TLS 1.2+) and held by the reputable processors listed above, which encrypt data at rest.
  • Payment-card data never touches our own systems — it is handled entirely by PayFast under PCI-DSS.
  • Our forms are protected by an anti-spam challenge and server-side validation.
  • Environment-secret management for all API keys; secrets are not exposed in application code or client bundles.

In the event of a personal information breach that is likely to result in harm to data subjects, we will notify the Information Regulator and affected data subjects within the timelines prescribed by POPIA §22 and any regulations made thereunder.

9. Complaints to the Information Regulator

If your POPIA request is not resolved to your satisfaction, or if you believe we have processed your personal information in violation of POPIA, you may lodge a complaint with:

  • The Information Regulator (South Africa)
  • Website: inforegulator.org.za
  • Email: complaints@inforegulator.org.za

10. Updates to this notice

This notice will be updated to reflect changes in our processing activities, our sub-processor list, or applicable law. The “Last updated” date at the top of this page reflects the current version.