Privacy Policy
How Double Down AI collects, uses and protects your personal information.
Last Updated:10 April 2026 | Effective Date:1 January 2026
Double Down AI ("we", "our", "us") is committed to protecting the privacy and personal information of all individuals who interact with our website, products and services. This Privacy Policy explains what information we collect, how we use it, how we protect it and your rights in relation to it.
By using our website atdoubledownai.co.zaor any of our services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our website and services.
1. Who We Are
Business Name: DoubleDown AI
Trading address: 7 Hanz Coetzee Avenue, Vanderbijlpark, SW5, South Africa
Website: doubledownai.co.za
Contact: Contact Us
We provide AI automation products and services including website chatbots, WhatsApp AI agents, social media automation, and AI receptionist solutions to businesses primarily in South Africa.
1.1 Information Officer (POPIA s55)
Our designated Information Officer for the purposes of the Protection of Personal Information Act (POPIA) is:
Name: Duval van Staden, CEO & Co-Founder
Email: info@doubledownai.co.za
Phone: +27 76 847 0371
Address: 7 Hanz Coetzee Avenue, Vanderbijlpark, SW5, South Africa
The Information Officer is registered with the Information Regulator of South Africa and is responsible for ensuring compliance with POPIA and for handling all data-subject requests, complaints and breach notifications.
2. Information We Collect
We collect information in the following ways:
2.1 Information You Provide Directly
- Contact forms:Name, email address, phone number, company name and any message you submit.
- Booking forms:Name, email, phone number, preferred call times and service requirements.
- Onboarding / get-started forms:Business details, service preferences, branding assets and billing information needed to set up your product.
- Chatbot interactions:Messages and data exchanged with our demo or live chatbot widgets on this website.
2.2 Information Collected Automatically
- Usage data:Pages visited, time spent on pages, referring URL, browser type and device information.
- IP address:Used for security monitoring and general geographic analytics (country/city level only).
- Cookies and similar technologies:See Section 7 below.
2.3 Information From Third Parties
- If you interact with us via WhatsApp, we receive your WhatsApp display name and phone number through the WhatsApp Business API (Meta).
- If you engage with our social media pages (Facebook, Instagram, LinkedIn, TikTok), we may receive information in accordance with those platforms' privacy policies.
3. How We Use Your Information
We use your information for the following purposes:
- To respond to your enquiries, contact form submissions and booking requests.
- To set up, deliver and manage the AI products and services you have purchased.
- To send you service-related communications (e.g. onboarding instructions, account notifications, support responses).
- To send marketing communications about our services — only where you have given consent or where we have a legitimate interest, and always with an easy opt-out option.
- To improve our website, products and user experience through aggregated analytics.
- To comply with our legal obligations under South African law including the Protection of Personal Information Act (POPIA).
- To detect, prevent and respond to fraud, abuse or security threats.
4. Legal Basis for Processing (POPIA)
Double Down AI processes your personal information in accordance with theProtection of Personal Information Act 4 of 2013 (POPIA). Our lawful bases for processing are:
- Contract:Processing necessary to provide the services you have requested or contracted for.
- Consent:Where you have provided explicit consent (e.g. subscribing to our newsletter or allowing cookie tracking).
- Legitimate interests:Where we have a legitimate business interest that does not override your rights (e.g. fraud prevention, improving our services).
- Legal obligation:Where processing is required by applicable South African law.
5. How We Share Your Information
We do not sell, rent or trade your personal information. We may share it with:
- Service providers:Third-party tools we use to deliver our services, such as cloud hosting providers, email service providers, and workflow automation platforms (e.g. n8n, our internal automation tool). These are contractually bound to protect your data.
- PayFast (payment processing):When you make a payment through our website, your payment details are processed by PayFast (Pty) Ltd, a PCI-DSS compliant South African payment gateway. We do not receive or store your full card number. PayFast's privacy policy is available at payfast.co.za. Payment confirmation data (transaction ID, amount, status) is received by us to process your order.
- Meta (WhatsApp Business API):When you interact with our WhatsApp AI, message data is processed through Meta's infrastructure in accordance with their terms.
- Analytics providers:Aggregated, anonymised data may be shared with analytics platforms to help us understand usage patterns.
- Legal authorities:Where required to comply with a court order, legal obligation or government request.
- Business transfers:In the event of a merger, acquisition or sale of our business, your information may be transferred to the new entity under the same protections.
5A. International Data Transfers (POPIA s72)
To deliver our services we use the following sub-processors. Some are located outside South Africa, which constitutes a cross-border transfer of personal information under POPIA s72. We rely on the lawful bases of contractual necessity (s11(1)(b)) and your explicit consent (s11(1)(a)) at the point of signup. Each sub-processor is bound by their own data-protection terms which provide a level of protection substantially similar to POPIA, GDPR (EU) or comparable frameworks.
| Sub-processor | Location | Purpose | Data shared |
|---|---|---|---|
| OpenAI, LLC | United States | LLM (gpt-4o-mini) for chatbot responses | Conversation messages (ephemeral; not retained for training per OpenAI API ToS) |
| Hostinger International Ltd. | European Union (Lithuania) / Brazil | Application hosting (n8n + nginx) | All transactional data at rest |
| Google LLC (Google Workspace, Sheets, Drive) | United States | Document storage and lead data | Lead/client records, knowledge bases |
| Brevo (Sendinblue) | European Union (France) | Transactional + marketing email delivery | Email address, message body |
| PayFast (Pty) Ltd | South Africa | Payment processing | Cardholder data (we never see full PAN) |
| Stitch Money (Pty) Ltd | South Africa | EFT payouts to partners | Bank account number, partner name |
| Meta Platforms (WhatsApp Business) | United States / Ireland | WhatsApp messaging | Phone number, message body |
You may at any time withdraw your consent for any specific cross-border transfer by contacting our Information Officer (Section 1.1). In some cases this will mean we can no longer provide certain features to you (e.g. without OpenAI access, the chatbot can't respond).
6. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this policy:
- Active client records:Retained for the duration of the service agreement plus 5 years.
- Enquiry and contact form data:Retained for up to 2 years from the date of submission.
- Chatbot conversation logs:Retained for up to 12 months for quality and training purposes.
- Marketing data:Retained until you unsubscribe or withdraw consent.
When retention periods expire, we securely delete or anonymise your data.
7. Cookies
Our website uses cookies and similar technologies to improve your experience. Types of cookies we use:
- Essential cookies:Required for the website to function (e.g. session management). Cannot be disabled.
- Analytics cookies:Help us understand how visitors use our website (aggregated, anonymous data).
- Preference cookies:Remember your settings and choices between visits.
You can control cookies through your browser settings. Disabling certain cookies may affect website functionality.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration or destruction. These include:
- HTTPS encryption on all web communications.
- Access controls limiting who within our team can access personal data.
- Secure, reputable third-party hosting infrastructure.
- Regular review of our data handling practices.
While we take all reasonable precautions, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
9. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Access:Request a copy of the personal information we hold about you.
- Correction:Request that we correct inaccurate or incomplete personal information.
- Deletion:Request that we delete your personal information, subject to our legal retention obligations.
- Objection:Object to the processing of your personal information for direct marketing purposes.
- Withdrawal of consent:Withdraw consent to processing where consent is the legal basis, at any time.
- Complaint:Lodge a complaint with the Information Regulator of South Africa atinforegulator.org.zaif you believe your rights have been violated.
To exercise any of these rights, please contact us via ourContact page. We will respond within 30 days.
10. Children's Privacy
Our services are intended for business use and are not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a child, please contact us immediately and we will delete it.
11. Third-Party Links
Our website may contain links to third-party websites (e.g. social media platforms, Meta, WhatsApp). We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies before providing them with any personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our website after changes constitutes acceptance of the updated policy.
12A. Data Breach Notification (POPIA s22)
In the event of a confirmed personal-information security compromise, we will:
- Notify the Information Regulator of South Africa as soon as reasonably possible after becoming aware of the compromise, in accordance with POPIA s22(1).
- Notify affected data subjects directly (via email and/or in-app banner) as soon as reasonably possible, providing sufficient information to enable you to take protective measures (POPIA s22(4)).
- Document the nature of the breach, affected data categories, approximate number of subjects, likely consequences, and remediation taken.
If you suspect a breach affecting your data, contact the Information Officer (Section 1.1) immediately.
13. Contact Us
If you have any questions, concerns or requests regarding this Privacy Policy or our handling of your personal information, please contact our Information Officer:
- Information Officer: Duval van Staden, CEO & Co-Founder
- Email: info@doubledownai.co.za
- Phone: +27 76 847 0371
- Address: 7 Hanz Coetzee Avenue, Vanderbijlpark, SW5, South Africa
- Website: doubledownai.co.za/contact
- Data-subject access & erasure (DSAR): doubledownai.co.za/data-rights