Privacy Policy
Last updated: 9 April 2026
1. Introduction
Aigency (trading as "Aigency", hereinafter "we", "us", or "our") is an AI-powered business operating system accessible at dontthinkabout.com. We are committed to protecting your personal information in compliance with the Protection of Personal Information Act, 2013 (POPIA) and all applicable South African data protection legislation.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have as a data subject.
2. Information Officer
Our designated Information Officer can be contacted at:
Role: Aigency Information Officer
Email: talk@dontthinkabout.com
WhatsApp: 069 674 0566
Location: Johannesburg, South Africa
3. What Personal Information We Collect
We collect and process the following categories of personal information:
3.1 Account Information
- Full name
- Email address
- Phone number
- Company/business name
- Password (stored in hashed form only)
3.2 WhatsApp Messages
- Incoming and outgoing WhatsApp messages sent to/from linked business numbers
- Contact phone numbers of message senders
- Message content, including text, images, documents, and voice notes
- Message timestamps and delivery status
3.3 AI Chat Logs
- Conversations between users and AI bots within the platform
- AI-generated responses and recommendations
- Bot configuration and training data provided by workspace administrators
3.4 Payment Information
- Subscription plan selection and billing history
- Payment transaction references from PayFast
- We do NOT store credit card numbers, bank account details, or other sensitive financial data. All payment processing is handled securely by PayFast, a PCI DSS-compliant payment gateway.
3.5 Business Data
- Contacts, customers, and CRM records created within a workspace
- Invoices, quotes, products, bookings, and other business records
- Documents, SOPs, and knowledge base content uploaded by users
3.6 Technical Data
- IP address and browser user-agent string
- Session identifiers and CSRF tokens (see our Cookie Policy)
4. Why We Collect It — Purpose of Processing
In accordance with POPIA Section 13, we process personal information for the following specific, explicitly defined, and legitimate purposes:
| Purpose | Legal Basis (POPIA) |
|---|---|
| Account creation and authentication | Consent & Contract (s11(1)(a), s11(1)(b)) |
| Providing the AI business platform services | Contract (s11(1)(b)) |
| Processing WhatsApp messages via AI bots | Consent & Legitimate interest (s11(1)(a), s11(1)(f)) |
| Subscription billing and invoicing | Contract (s11(1)(b)) |
| Customer support and communication | Contract & Legitimate interest (s11(1)(b), s11(1)(f)) |
| System security and fraud prevention | Legitimate interest (s11(1)(f)) |
| Legal compliance and dispute resolution | Legal obligation (s11(1)(c)) |
5. POPIA Conditions for Lawful Processing
We adhere to all eight conditions for lawful processing as set out in POPIA Chapter 3:
5.1 Accountability
We take responsibility for complying with POPIA. Our Information Officer ensures all processing activities are lawful and documented.
5.2 Processing Limitation
We process personal information only for the purposes described in Section 4 above, with your consent or as otherwise permitted by law. You may withdraw consent at any time.
5.3 Purpose Specification
Personal information is collected for specific, explicitly defined purposes. We will not use your data for unrelated purposes without your additional consent.
5.4 Further Processing Limitation
We will not process your personal information for a secondary purpose that is incompatible with the original purpose of collection.
5.5 Information Quality
We take reasonable steps to ensure personal information is complete, accurate, not misleading, and updated where necessary. You may request corrections at any time.
5.6 Openness
This Privacy Policy serves as our notification to you about how we process your information. We are transparent about our data practices.
5.7 Security Safeguards
We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing (see Section 8).
5.8 Data Subject Participation
You have the right to access, correct, and request deletion of your personal information (see Section 6).
6. Your Rights Under POPIA
As a data subject, you have the following rights under POPIA:
- Right to access — Request confirmation of whether we hold your personal information and obtain a copy of it.
- Right to correction — Request that inaccurate or incomplete personal information be corrected or updated.
- Right to deletion — Request deletion of your personal information where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
- Right to object — Object to the processing of your personal information on reasonable grounds.
- Right not to be subject to automated decision-making — Request human review of decisions made solely by automated means that significantly affect you.
- Right to lodge a complaint — Lodge a complaint with the Information Regulator if you believe your rights have been infringed.
Information Regulator (South Africa)
Website: inforegulator.org.za
Email: enquiries@inforegulator.org.za
To exercise any of these rights, contact our Information Officer at talk@dontthinkabout.com. We will respond within 30 days.
7. How We Store Your Information
7.1 Cloud Deployments
For cloud-hosted workspaces, your data is stored in PostgreSQL databases on secure servers. Data is encrypted in transit (TLS/SSL) and access is restricted to authorised personnel only.
7.2 On-Premise Deployments
For enterprise clients using on-premise deployments, all data remains on your own infrastructure. No data is transmitted to our servers. You retain full control over your data storage, backup, and security measures.
7.3 Multi-Tenant Data Isolation
Aigency is a multi-tenant platform. Each workspace's data is logically isolated from all other workspaces. Users in one workspace cannot access data belonging to another workspace. This isolation applies to all data including contacts, messages, documents, and business records.
7.4 WhatsApp Message Storage
WhatsApp messages received by your linked business numbers are stored within your workspace's database. These messages are processed by AI to generate automated responses according to your bot configuration. Message content is not shared with other workspaces or used for purposes beyond your workspace's configured functionality.
7.5 AI Processing
Messages and data processed by our AI systems may be sent to third-party AI providers (such as OpenAI) for natural language processing. These providers are contractually bound to not retain or use your data for training purposes. We use API-level access only, which provides data processing agreements that exclude training on customer data.
8. Who We Share Your Information With
We do not sell your personal information. We share data only with:
- PayFast — Payment processing. PayFast receives only the information necessary to process your subscription payments. We do not store your card details.
- AI service providers — Message content is processed by AI APIs to generate bot responses. These providers operate under strict data processing agreements.
- WhatsApp / Meta — Messages sent via WhatsApp are subject to WhatsApp's own privacy policy and Meta's terms of service.
- Law enforcement — We may disclose information when required by law, court order, or to protect the safety of our users.
We do not transfer personal information outside of South Africa unless adequate safeguards are in place as required by POPIA Section 72.
9. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes outlined in this policy:
- Account data — Retained for the duration of your account. Deleted within 90 days of account termination upon request.
- WhatsApp messages and AI chat logs — Retained for the duration of your subscription. You may request deletion at any time.
- Billing records — Retained for 5 years as required by South African tax legislation (Tax Administration Act).
- Technical logs — Retained for up to 12 months for security and troubleshooting purposes.
When data is no longer required, it is securely deleted or anonymised.
10. Security Measures
We implement the following technical and organisational measures to protect your personal information:
- Encryption in transit (TLS/SSL) for all data transmissions
- Hashed password storage using industry-standard algorithms
- Role-based access control within workspaces
- Multi-tenant data isolation at the application and database level
- Regular security reviews and updates
- CSRF protection on all forms
- Secure session management
In the event of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required by POPIA Section 22.
11. Children's Information
Aigency is a business platform and is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected information from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on our platform. The "Last updated" date at the top of this page indicates when the latest changes were made.
13. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal information, please contact:
Information Officer: Aigency Information Officer
Email: talk@dontthinkabout.com
WhatsApp: 069 674 0566
Address: Johannesburg, South Africa