Privacy Policy
How DoubleDown AI collects, uses and protects your personal information.
Last Updated: 17 June 2026 | Effective Date: 1 January 2026 | Version: 2.2
DoubleDown AI ("we", "our", "us") is committed to protecting the privacy and personal information of all individuals who interact with our website, products and services. This Privacy Policy explains what information we collect, how we use it, how we protect it and your rights in relation to it.
By using our website at doubledownai.co.za or any of our services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our website and services.
Exercise your rights: To access, correct, export or delete your personal information, use our Data Rights & Erasure request form — or see Section 9 below. We respond within 30 days.
1. Who We Are
Registered name: DoubleDown AI (Pty) Ltd
Company registration number: 2026/041829/07
Trading address: 7 Hanz Coetzee Avenue, Vanderbijlpark, SW5, South Africa
Website: doubledownai.co.za
Contact: Contact Us
We provide AI automation products and services including website chatbots, WhatsApp AI agents, lead generation, and AI receptionist solutions to businesses primarily in South Africa.
1.1 Information Officer (POPIA s55)
Our designated Information Officer for the purposes of the Protection of Personal Information Act (POPIA) is:
Name: Duval van Staden, CEO & Co-Founder
Email: sales@doubledownai.co.za
Phone: +27 76 847 0371
Address: 7 Hanz Coetzee Avenue, Vanderbijlpark, SW5, South Africa
The Information Officer is registered with the Information Regulator of South Africa and is responsible for ensuring compliance with POPIA and for handling all data-subject requests, complaints and breach notifications.
1.2 Our Role — Responsible Party vs Operator (POPIA s1, s20–21)
POPIA distinguishes between a Responsible Party (who determines why and how personal information is processed) and an Operator (who processes personal information on behalf of, and under the authority of, a Responsible Party). DoubleDown AI acts in two distinct capacities:
- As Responsible Party: For personal information of our own website visitors, enquirers, leads, partners and the contracting individuals at our business clients (e.g. contact forms, onboarding, billing, our own marketing). This Privacy Policy governs that processing.
- As Operator: When we build, host and operate an AI chatbot, WhatsApp agent or automation for a business client, that client's own end-customers may submit personal information to the chatbot (names, contact details, enquiry content). For that end-customer data, our business client is the Responsible Party and DoubleDown AI is the Operator. We process such data only on the documented instructions of that client, solely to provide the contracted service, and we do not use it for our own purposes.
Where we act as Operator we comply with POPIA s20–21: we process only on the client's authority and instruction, treat the data as confidential, apply the security safeguards in Section 8, and notify the client without undue delay if we have reasonable grounds to believe their data has been accessed or acquired by an unauthorised person (s21(2), s22). Our business clients remain responsible, as Responsible Party, for establishing their own lawful basis, issuing their own privacy notice to their end-customers, and obtaining any required consent. A written Operator / Data Processing Agreement (POPIA s21(1)–(2)) is available to all business clients on request from the Information Officer and is incorporated into our service terms.
2. Information We Collect
We collect information in the following ways:
2.1 Information You Provide Directly
- Contact forms: Name, email address, phone number, company name and any message you submit.
- Booking forms: Name, email, phone number, preferred call times and service requirements.
- Onboarding / get-started forms: Business details, service preferences, branding assets (logo, brand colours, website domain) and billing information needed to set up your product.
- Partner programme onboarding: If you apply to become a referral or white-label partner we collect, as required fields, your full name, South African ID or passport number, business registration (CIPC) number, VAT number (where applicable), business address and contact details, and your bank account details (account holder, bank, account number, branch code). Purpose: identity and business verification (KYC), partner agreement administration, tax/invoicing, and processing your commission payouts (including via our payout sub-processor, Stitch). This is a legal/contractual necessity for participating in the partner programme.
- Contract acceptance & electronic signature: When you accept a Service or Partner Agreement we record your full legal name, the signature/acceptance date, an acceptance timestamp and the originating IP address. This is retained as legal proof that you agreed to the agreement (Electronic Communications and Transactions Act 25 of 2002, s13).
- Account credentials: A 4–6 digit dashboard PIN (and any recovery code) that you set to access your client or partner dashboard. PINs are never stored in plain text — only a salted scrypt hash is kept (see Section 8).
- Chatbot interactions: Messages and data exchanged with our demo or live chatbot widgets on this website.
2.2 Information Collected Automatically
- Usage data: Pages visited, time spent on pages, referring URL, browser type and device information.
- IP address: Used for security monitoring and general geographic analytics (country/city level only).
- Cookies and similar technologies: See Section 7 below.
2.3 Information From Third Parties
- If you interact with us via WhatsApp, we receive your WhatsApp display name and phone number through the WhatsApp Business API (Meta).
- If you engage with our social media pages (Facebook, Instagram, LinkedIn, TikTok), we may receive information in accordance with those platforms' privacy policies.
3. How We Use Your Information
We use your information for the following purposes:
- To respond to your enquiries, contact form submissions and booking requests.
- To set up, deliver and manage the AI products and services you have purchased.
- To send you service-related communications (e.g. onboarding instructions, account notifications, support responses).
- To send marketing communications about our services — only where you have given consent or where we have a legitimate interest, and always with an easy opt-out option.
- To improve our website, products and user experience through aggregated analytics.
- To comply with our legal obligations under South African law including the Protection of Personal Information Act (POPIA).
- To detect, prevent and respond to fraud, abuse or security threats.
4. Legal Basis for Processing (POPIA)
DoubleDown AI processes your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA). Our lawful bases for processing are:
- Contract: Processing necessary to provide the services you have requested or contracted for.
- Consent: Where you have provided explicit consent (e.g. subscribing to our newsletter or allowing cookie tracking).
- Legitimate interests: Where we have a legitimate business interest that does not override your rights (e.g. fraud prevention, improving our services).
- Legal obligation: Where processing is required by applicable South African law.
5. How We Share Your Information
We do not sell, rent or trade your personal information. We may share it with:
- Service providers: Third-party tools we use to deliver our services, such as cloud hosting providers, email service providers, and workflow automation platforms (e.g. n8n, our internal automation tool). These are contractually bound to protect your data.
- PayFast (payment processing): When you make a payment through our website, your payment details are processed by PayFast (Pty) Ltd, a PCI-DSS compliant South African payment gateway. We do not receive or store your full card number. PayFast's privacy policy is available at payfast.co.za. Payment confirmation data (transaction ID, amount, status) is received by us to process your order.
- Meta (WhatsApp Business API): When you interact with our WhatsApp AI, message data is processed through Meta's infrastructure in accordance with their terms.
- Analytics providers: Aggregated, anonymised data may be shared with analytics platforms to help us understand usage patterns.
- Legal authorities: Where required to comply with a court order, legal obligation or government request.
- Business transfers: In the event of a merger, acquisition or sale of our business, your information may be transferred to the new entity under the same protections.
5A. International Data Transfers (POPIA s72)
To deliver our services we use the following sub-processors. Some are located outside South Africa, which constitutes a cross-border transfer of personal information under POPIA s72. We rely on the lawful bases of contractual necessity (s11(1)(b)) and your explicit consent (s11(1)(a)) at the point of signup. Each sub-processor is bound by their own data-protection terms which provide a level of protection substantially similar to POPIA, GDPR (EU) or comparable frameworks.
| Sub-processor | Location | Purpose | Data shared |
|---|---|---|---|
| OpenAI, LLC | United States | LLM (gpt-4o-mini) for chatbot responses | Conversation messages (ephemeral; not retained for training per OpenAI API ToS) |
| Hostinger International Ltd. | European Union (Lithuania) / Brazil | Application hosting (n8n + nginx) | All transactional data at rest |
| Google LLC (Google Workspace, Sheets, Drive) | United States | Document storage and lead data | Lead/client records, knowledge bases |
| Brevo (Sendinblue) | European Union (France) | Transactional + marketing email delivery | Email address, message body |
| PayFast (Pty) Ltd | South Africa | Payment processing | Cardholder data (we never see full PAN) |
| Stitch Money (Pty) Ltd | South Africa | EFT payouts to partners | Bank account number, partner name |
| Meta Platforms (WhatsApp Business) | United States / Ireland | WhatsApp messaging | Phone number, message body |
| Supabase, Inc. | European Union (Frankfurt, eu-central-1) | Managed PostgreSQL application database | Client, lead, partner and configuration records (encrypted at rest) |
You may at any time withdraw your consent for any specific cross-border transfer by contacting our Information Officer (Section 1.1). In some cases this will mean we can no longer provide certain features to you (e.g. without OpenAI access, the chatbot can't respond).
5B. Social Media Publishing Apps & Platform APIs
DoubleDown AI operates social-media content-scheduling and publishing applications that let a business connect its own social media accounts and publish its own marketing content to those accounts. These applications are operated by DoubleDown AI and are referred to by the following names in the relevant developer platforms:
- DoubleDown AI Social Auto-Poster — our multi-platform social publishing app used by DoubleDown AI and our business clients.
- Chalk Auto — the publishing app for our client Chalk Properties, used to post Chalk Properties' own property listing imagery and videos to Chalk Properties' own connected accounts.
Each individual business connects its accounts through the official, secure authorisation (OAuth) flow provided by the platform and explicitly authorises the app. The app then publishes only content that the account owner has created, scheduled and approved inside a private dashboard. The app never posts automatically without the owner's setup, and never accesses or posts to any account that has not explicitly authorised it. We do not scrape, buy or repost third-party content.
5B.1 TikTok
Our apps "DoubleDown AI Social Auto-Poster" and "Chalk Auto" integrate with TikTok using TikTok Login and the TikTok Content Posting API. When an account owner connects their TikTok account we request only the following scopes:
- user.info.basic — to read the connected account's open_id and basic profile (such as display name) so the dashboard can confirm which TikTok account is linked and show connection status.
- video.publish — to publish the account owner's own approved photo/video content directly to their connected TikTok account. Publishing happens only when the owner creates or schedules a post.
We use TikTok data solely to provide this publishing feature to the account owner. We do not sell TikTok data, do not use it for advertising or profiling, and do not share it with third parties except the infrastructure sub-processors listed in Section 5A that are necessary to operate the service. Access tokens are stored securely and encrypted at rest. An account owner can disconnect at any time from within their dashboard or by revoking access in their TikTok account settings (Manage app permissions); on disconnection we delete the stored tokens for that account. Our use of TikTok data complies with the TikTok Developer Terms of Service and TikTok's Usage Guidelines, and content we publish complies with TikTok's Community Guidelines.
5B.2 Other Platforms (Meta, LinkedIn, Pinterest, Reddit, YouTube, Bluesky)
The same principles apply to every other platform our publishing apps support — Facebook and Instagram (Meta), LinkedIn, Pinterest, Reddit, YouTube and Bluesky. For each, the account owner authorises the connection via that platform's official OAuth (or app-password) flow, we request only the minimum permissions required to confirm the connected account and to publish the owner's approved content, and we use the resulting access tokens only to publish on the owner's behalf. Tokens are stored encrypted, are never sold or shared for marketing, and are deleted when the owner disconnects. Each integration is operated in accordance with the respective platform's developer terms and API policies.
6. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this policy:
- Active client records: Retained for the duration of the service agreement plus 5 years.
- Enquiry and contact form data: Retained for up to 2 years from the date of submission.
- Chatbot conversation logs: Retained for up to 12 months for quality and training purposes.
- Marketing data: Retained until you unsubscribe or withdraw consent.
When retention periods expire, we securely delete or anonymise your data.
7. Cookies
Our website uses cookies and similar technologies to improve your experience. Types of cookies we use:
- Essential cookies: Required for the website to function (e.g. session management). Cannot be disabled.
- Analytics cookies: Help us understand how visitors use our website (aggregated, anonymous data).
- Preference cookies: Remember your settings and choices between visits.
You can control cookies through your browser settings. Disabling certain cookies may affect website functionality.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration or destruction. These include:
- TLS/HTTPS encryption in transit on all web, API and webhook communications.
- Encryption at rest: Personal data we store is held on infrastructure that encrypts data at rest at the storage and database layer (our managed PostgreSQL database and Google Workspace encrypt data at rest by default). The most sensitive fields receive additional application-level encryption: partner bank-account details are encrypted at rest using AES-256-GCM, and account PINs are never stored in recoverable form — only a salted scrypt hash is kept (never in plain text). OAuth tokens for connected social accounts are likewise stored encrypted at rest.
- HMAC-signed, origin-restricted webhooks and server-side request validation to prevent forged or tampered submissions.
- Rate-limiting and automatic lockouts on authentication and one-time-PIN endpoints to deter brute-force and abuse.
- Least-privilege access controls limiting which team members and systems can access personal data, with payment processing delegated to a PCI-DSS compliant gateway (we never store full card numbers).
- Centralised error monitoring and alerting, and routine daily backups of operational data.
- Reputable hosting and sub-processors bound by their own data-protection terms, with regular review of our data-handling practices.
These measures are intended to satisfy our obligation under POPIA s19 to secure the integrity and confidentiality of personal information through appropriate, reasonable technical and organisational measures, taking into account generally accepted information-security practices. We periodically review and update our safeguards as risks evolve. However, no method of transmission or storage is ever completely secure, and while we take all reasonable precautions we cannot guarantee absolute security.
8A. Where Your Data Is Stored (Data Residency)
Our application, automation backend and primary production server are hosted on managed infrastructure provided by Hostinger, with the primary server located in the European Union. Our operational application database is a managed Supabase PostgreSQL instance hosted in the European Union (Frankfurt, region eu-central-1), which stores client, partner and lead records. A limited set of records is additionally held in Google Workspace (United States). Because some of these locations are outside South Africa, storing your data with them is a cross-border transfer of personal information governed by Section 5A and POPIA s72. We choose hosting and database providers that contractually commit to security and data-protection standards substantially similar to POPIA and the EU GDPR.
9. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal information.
- Deletion: Request that we delete your personal information, subject to our legal retention obligations.
- Objection: Object to the processing of your personal information for direct marketing purposes.
- Withdrawal of consent: Withdraw consent to processing where consent is the legal basis, at any time.
- Complaint: Lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za if you believe your rights have been violated.
- Data portability: Request an export of the personal information you provided to us in a structured, commonly used electronic format.
- Not to be subject to automated decision-making: See Section 9A.
How to exercise your rights. Clients with an account can request an automated data export or deletion directly from their dashboard via our self-service data-request facility; the request is identity-verified (account PIN / secure portal token) before it is actioned. You may also contact our Information Officer or use our data-rights page. We verify the identity of every requester before disclosing or deleting data to prevent unauthorised access. We respond to all requests within 30 days (POPIA does not prescribe a fee for a reasonable request; an excessive or repetitive request may attract a reasonable, prescribed fee). Deletion is honoured except where we are required or entitled to retain certain records by law (e.g. tax, accounting and anti-fraud obligations — see Section 6), in which case we restrict processing instead and delete on expiry of the retention period. Where we act as Operator for a business client (Section 1.2), data-subject requests relating to that client's end-customers are referred to the client as Responsible Party, and we assist the client in responding.
9A. Automated Decision-Making & Artificial Intelligence (POPIA s71)
Our chatbots and agents use large language models (currently OpenAI's GPT family, via the OpenAI API) to generate conversational responses. These responses are informational and assistive. We do not make decisions that produce legal consequences for you, or that affect you to a similarly significant degree, based solely on automated processing without human involvement. Pricing, contracting, refunds, cancellations and similar account decisions involve human oversight. You have the right under POPIA s71 to (a) not be subject to such a purely automated decision and (b) request human review of, make representations about, or query, any automated output that materially affects you — contact the Information Officer. Conversation content sent to our LLM sub-processor is processed transiently to produce a reply and, per the OpenAI API terms, is not used to train their models. Do not submit information to a chatbot that you would not want processed for the purpose of receiving a reply.
Your AI choices and opt-out. Where our products process your messages with third-party AI models (currently OpenAI, and we may use other reputable AI providers), this is done transiently to generate a reply and, under those providers' API terms, is not used to train their models. If you would prefer not to have your enquiry handled by an AI assistant, you can reach a human at any time: email sales@doubledownai.co.za, call or WhatsApp +27 76 847 0371, or ask the chatbot to connect you to a person. You may also object to, or request human review of, any automated output that materially affects you by contacting our Information Officer (Section 1.1). For data handled by a chatbot we operate on behalf of a business client, that client is the Responsible Party (Section 1.2) and sets the AI behaviour and opt-out path for their own end-customers.
9B. Direct Marketing (POPIA s69)
We send electronic marketing communications (email/SMS/WhatsApp) only where you have consented, or to our existing customers about similar services where the law permits, and always with a clear, free opt-out in every message. We do not sell or rent your contact details for third-party marketing. You may object to or withdraw from direct marketing at any time using the unsubscribe link in any message or by contacting the Information Officer; we action opt-outs promptly and maintain a suppression list to ensure they are honoured.
9C. Rights for EU / EEA Data Subjects (GDPR)
DoubleDown AI is based in South Africa and primarily serves South African businesses, so POPIA is our governing framework. However, if you are located in the European Union or European Economic Area, or your personal data is otherwise subject to the EU General Data Protection Regulation (GDPR), the following also applies. The rights we provide under Section 9 map closely to GDPR rights: access (Art. 15), rectification (Art. 16), erasure / “right to be forgotten” (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21) and the right not to be subject to solely automated decisions (Art. 22). Our lawful bases under Section 4 correspond to GDPR Art. 6 (contract, consent, legitimate interests and legal obligation). Where we transfer EU/EEA personal data outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision, as applicable. EU/EEA data subjects also have the right to lodge a complaint with their local supervisory authority. To exercise any of these rights, contact our Information Officer (Section 1.1) or use our data-rights page; we respond within the shorter of the POPIA and GDPR statutory periods (we aim for 30 days).
10. Children's Privacy (POPIA s34–35)
Our services are intended for business use and are not directed at children (persons under 18). We do not knowingly collect or process the personal information of a child without the consent of a competent person, as required by POPIA s34–35. If you believe a child's personal information has been provided to us or submitted to one of our chatbots, contact the Information Officer immediately and we will delete it without undue delay.
10A. Special Personal Information (POPIA s26–s27)
We do not intentionally collect or request "special personal information" as defined in POPIA s26 (e.g. race, health, religious or philosophical beliefs, sex life, biometric data, criminal behaviour, or trade-union membership). Please do not submit special personal information to our forms or chatbots unless strictly necessary. Where such information is unavoidably processed to provide a service, we rely on the authorisation grounds in POPIA s27 (such as your explicit consent or that the processing is necessary to establish, exercise or defend a right or obligation in law) and apply enhanced safeguards. Business clients must not configure our products to solicit special personal information from their end-customers without an appropriate s27 ground.
11. Third-Party Links
Our website may contain links to third-party websites (e.g. social media platforms, Meta, WhatsApp). We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies before providing them with any personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our website after changes constitutes acceptance of the updated policy.
12A. Data Breach Notification (POPIA s22)
In the event of a confirmed personal-information security compromise, we will:
- Assess and contain within 72 hours: We aim to assess and contain any confirmed personal-information security compromise within 72 hours of becoming aware of it, and to notify the relevant parties as soon as reasonably possible thereafter (this internal target also aligns us with the GDPR Art. 33 norm).
- Notify the Information Regulator of South Africa as soon as reasonably possible after becoming aware of the compromise, in accordance with POPIA s22(1).
- Notify affected data subjects directly (via email and/or in-app banner) as soon as reasonably possible, providing sufficient information to enable you to take protective measures (POPIA s22(4)).
- Document the nature of the breach, affected data categories, approximate number of subjects, likely consequences, and remediation taken.
If you suspect a breach affecting your data, contact the Information Officer (Section 1.1) immediately.
13. Contact Us
If you have any questions, concerns or requests regarding this Privacy Policy or our handling of your personal information, please contact our Information Officer:
- Information Officer: Duval van Staden, CEO & Co-Founder
- Email: sales@doubledownai.co.za
- Phone: +27 76 847 0371
- Address: 7 Hanz Coetzee Avenue, Vanderbijlpark, SW5, South Africa
- Website: doubledownai.co.za/contact
- Data-subject access & erasure (DSAR): doubledownai.co.za/data-rights
13A. The Information Regulator (South Africa)
You have the right to lodge a complaint with the Information Regulator if you believe we have processed your personal information unlawfully or have not adequately resolved your concern. We ask that you contact our Information Officer first so we can try to resolve it directly, but this is not a precondition to complaining to the Regulator.
- Information Regulator (South Africa)
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Postal: P.O. Box 31533, Braamfontein, Johannesburg, 2017
- General enquiries: enquiries@inforegulator.org.za
- POPIA complaints: POPIAComplaints@inforegulator.org.za
- Website: inforegulator.org.za
14. Governing Law & Jurisdiction
This Privacy Policy and any dispute or matter arising out of it are governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the Electronic Communications and Transactions Act 25 of 2002 and the Consumer Protection Act 68 of 2008. You submit to the non-exclusive jurisdiction of the courts of the Republic of South Africa. If any provision of this policy is found to be unenforceable, the remaining provisions remain in full force.
This Privacy Policy is provided in good faith to explain our data practices and reflects our genuine internal controls. It is not legal advice. DoubleDown AI keeps this policy under periodic review and updates it as our practices and the law evolve.
15. Acceptance
By using our website, products or services, or by submitting information to any of our forms or chatbots, you acknowledge that you have read and understood this Privacy Policy. Where consent is the lawful basis, you may withdraw it at any time as described above, without affecting the lawfulness of processing carried out before withdrawal.