Skip to main content
Auto Alpha AdvisoryAuto Alpha Advisory

Legal

What we collect, why, and who can see it.

Last updated: 2026-06-07

Auto Alpha Advisory (registration number: 2025/213512/07) is a South African advisory firm. This Privacy Policy describes the personal information we collect when you use this website — sending an enquiry, requesting a website audit, buying an audit report, or downloading a resource — how we use it, who we share it with, and your rights under the Protection of Personal Information Act, 2013 (“POPIA”).

1. Responsible party and Information Officer

The responsible party (in POPIA terms) is Auto Alpha Advisory. The designated Information Officer is:

The Information Officer named above is the responsible party’s designated Information Officer for all purposes under POPIA ss55–56.

2. What personal information we collect

We only collect information you actively give us, plus standard technical logs. Specifically:

2.1 Enquiry and contact information

  • Contact form — your name, email address, and, where you choose to provide them, your company name, the service you are interested in, and the contents of your message. Used to answer your enquiry and, where relevant, to prepare a proposal.

2.2 Website audit requests

  • The website address you submit and your email address — so our audit engine can scan the publicly-available pages of the site you ask us to assess and email the resulting report to you. We assess public web pages only; we do not access anything behind a login.

2.3 Purchase and payment information

  • Order details — when you buy the paid audit report, we receive your email address and the PayFast transaction metadata (payment reference, amount, and status) via PayFast’s notification. We do notreceive or store card numbers or bank-account details — PayFast handles all payment-card data under its own PCI-DSS compliance.

2.4 Resource downloads

  • Email address — when you request a free resource such as our guide, so we can deliver it to you.

2.5 Usage and operational logs

Standard web-server and application logs (request timestamps, IP address, user-agent, error traces, page paths) are retained for debugging, security, and abuse-prevention purposes.

2.6 What we do not collect

  • Card numbers or bank account details (handled exclusively by PayFast).
  • Special personal information as defined by POPIA §26 (biometrics, health, race, etc.).
  • Children’s personal information (this website is not directed at persons under 18).
  • Third-party advertising or behavioural tracking data.

3. Why we collect it — lawful basis (POPIA §11)

  • Consent (POPIA §11(1)(a)) — when you submit the contact form, request an audit, or download a resource, you consent to us using the details you provide to respond and to deliver what you asked for.
  • Contract performance (POPIA §11(1)(b)) — processing your email and order details is necessary to deliver the audit report you have purchased.
  • Legitimate interest (POPIA §11(1)(f)) — processing server and security logs to keep the site available, secure, and free of spam and abuse.
  • Legal obligation (POPIA §11(1)(c)) — retaining payment records to comply with SARS record-keeping requirements.

4. Who we share your information with — sub-processors

We engage the following service providers to operate this website and deliver what you request. Each receives only the minimum data necessary for its function and is bound by a Data Processing Agreement (DPA) or equivalent contractual commitment.

ProcessorPurposeRegion
Vercel Inc.Hosting and serving the website; serverless function execution; server logsUSA (fra1 edge for SA traffic)
Payfast (Pty) LtdPayment processing for one-time audit purchases; refund handling. Handles all card data under PCI-DSSSouth Africa
Google LLC (Google Workspace)Business and transactional email — sending audit reports and resources, and receiving your enquiriesUSA
Cloudflare, Inc.Anti-spam challenge (Turnstile) on our forms; processes IP address and challenge interaction to distinguish humans from botsUSA
DigitalOcean, LLCHosts our own website-audit engine, which processes the website address and email you submit to generate your reportUSA

We do not sell your personal information to any third party. We do not share your information with advertisers, data brokers, or marketing platforms.

5. Cross-border transfers (POPIA §72)

Several sub-processors listed above (Vercel Inc., Google LLC, Cloudflare, Inc., and DigitalOcean, LLC) are located in the United States, which is not subject to a POPIA adequacy finding. Transfers to these processors are permitted under POPIA §72 on the basis that each is bound by contractual obligations (via its published DPA or terms of service) that afford substantially similar protections to those in POPIA, and we have assessed that adequate safeguards are in place. Payment processing (PayFast) is performed within South Africa.

6. How long we keep your information

We retain personal information only as long as necessary for the purposes set out below:

  • Enquiry correspondence (contact-form messages and email threads) — retained in our Google Workspace mailbox for up to 24 months for business-continuity purposes, then deleted, and sooner on request.
  • Audit requests and generated reports — retained by our audit engine for up to 12 months to allow re-delivery and support, then deleted.
  • Payment records (transaction metadata, references, amounts) — retained for 5 years from the transaction date to comply with SARS record-keeping obligations under the Tax Administration Act.
  • Server and security logs (IP, user-agent, request events) — retained for 12 months, then deleted.
  • Resource-download email addresses — retained until you unsubscribe or ask us to delete them.

7. Security

We apply the following safeguards:

  • All data is transmitted over encrypted connections (HTTPS / TLS 1.2+), and is held by the reputable processors listed above, which encrypt data at rest.
  • Payment-card data never touches our systems — it is handled entirely by PayFast under PCI-DSS.
  • API keys and credentials for our service providers are stored as environment secrets; they are not present in application code or client-side bundles.
  • Our forms are protected by an anti-spam challenge and server-side validation to prevent automated abuse.

No system is perfectly secure. If we become aware of a personal information breach that is likely to cause harm to you, we will notify the Information Regulator and affected data subjects as required by POPIA §22.

8. Your rights under POPIA

You have the right to:

  • Access (§23) — request a copy of the personal information we hold about you.
  • Correction (§24) — request that inaccurate information be corrected.
  • Deletion (§24) — request deletion of your personal information, subject to our legal-retention obligations.
  • Objection (§11(3)) — object to processing based on legitimate interest.
  • Complaint — if you are dissatisfied with how we handle your information or your request, you may complain to the Information Regulator at inforegulator.org.za.

To exercise any of the above rights, email hello@autoalphaadvisory.co.za with the subject “POPIA Request”. We will respond within 7 business days.

9. Cookies and analytics

This website runs on a deliberately minimal cookie footprint:

  • No third-party advertising or analytics cookies. We do not use Google Analytics, Meta Pixel, or similar cross-site tracking technologies. Any usage measurement we perform is cookie-free and aggregated.
  • Anti-spam (strictly necessary). The Cloudflare Turnstile challenge that protects our forms may set a short-lived, strictly-necessary cookie when it needs to verify that a submission is human. It is used only for that purpose and not for tracking.

10. Direct marketing and email communications (POPIA §69)

We send two kinds of email, and we treat them differently under POPIA §69:

  • Transactional and service emails are not direct marketing. These include your audit report, resources you requested, receipts, and replies to your enquiry. They are sent on the lawful basis of consent or contract performance (§11(1)(a)/(b)) because they are the thing you asked us for.
  • Promotional and marketing emails are opt-in only. If we ever send electronic direct marketing (for example, news, offers, or other Auto Alpha Advisoryupdates), we will do so under POPIA §69 only where you have consented, or where you are an existing customer and the marketing relates to similar services. Every such message carries a clear, free opt-out (unsubscribe) mechanism, and you can withdraw consent at any time using that link or by emailing hello@autoalphaadvisory.co.za.

11. Changes to this Privacy Policy

We may update this Policy to reflect changes in the website or applicable law. For material changes (new data categories or new sub-processors), we will update the “Last updated” date at the top of this page, which always reflects the most recent version.

12. Contact

Auto Alpha Advisory
Cape Town, South Africa
General: hello@autoalphaadvisory.co.za
Information Officer (POPIA requests): hello@autoalphaadvisory.co.za