Legal
What we collect, why, and who can see it.
Last updated: 2026-07-03
Auto Alpha Security is a web-security practice of Auto Alpha Advisory, a South African firm. This website is an information and enquiry site: it describes our Deep Scan service and lets you request a scan. This Privacy Policy describes the personal information we collect when you visit this site or submit a scan request, how we use it, who we share it with, and your rights under the Protection of Personal Information Act, 2013 (“POPIA”).
1. Responsible party and Information Officer
The responsible party (in POPIA terms) is Auto Alpha Advisory. The designated Information Officer is:
- Matt Owen
- Email: matt@autoalphaadvisory.co.za
- Location: Cape Town, South Africa
The Information Officer named above is the responsible party’s designated Information Officer for all purposes under POPIA §§55–56.
2. What personal information we collect
We collect the following categories of information:
2.1 Scan-request (enquiry) information
When you submit the “Request a scan” form, we collect:
- Your name and company name.
- Work email address — used to respond to your enquiry.
- Target URL(s), a scope note, and your answer to whether you own or control the domain — so we can scope the request. We do not scan any target without separate written authorization and proof of ownership.
2.2 Usage and operational logs
Standard web-server and application logs (request timestamps, IP address, user-agent, error traces, page paths) are generated by our host for security and debugging purposes.
2.3 What we do not collect
- Payment-card or bank-account details — this site does not process payments; scans are invoiced separately.
- Account passwords — this site has no login or user accounts.
- Special personal information as defined by POPIA §26 (biometrics, health, race, etc.).
- Children’s personal information (the service is not directed at persons under 18).
- Third-party advertising or behavioural tracking data.
3. Why we collect it — lawful basis (POPIA §11)
- Consent (POPIA §11(1)(a)) — the primary basis. You provide your enquiry details and tick the consent box so that we can contact you about, and scope, your scan request. You may withdraw consent at any time (see section 8).
- Legitimate interest (POPIA §11(1)(f)) — processing operational log data (IP, user-agent) for the security and integrity of this website.
4. Who we share your information with — sub-processors
We engage the following data processors to deliver the Service. Each receives only the minimum data necessary for its function and is bound by a Data Processing Agreement (DPA) or equivalent contractual commitment.
| Processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Hosting and serving the website; serverless execution of the scan-request form; edge analytics | USA (fra1 edge for SA traffic) |
| Resend Inc. | Delivering your scan-request enquiry to us by email | USA |
We do not sell your personal information to any third party. We do not share your information with advertisers, data brokers, or marketing platforms.
5. Cross-border transfers (POPIA §72)
Several sub-processors listed above are located in the United States, which is not subject to a POPIA adequacy finding. Transfers to these processors are permitted under POPIA §72 on the basis that each processor is bound by contractual obligations (via their published DPA or terms of service) that afford substantially similar protections to those in POPIA, and we have assessed that adequate safeguards are in place. The processors concerned are: Vercel Inc. and Resend Inc.
6. How long we keep your information
We retain personal information only as long as necessary for the purposes set out below:
- Scan-request enquiries — retained while we scope and respond to your request, and for up to 12 months afterwards so we can follow up, then deleted. If the enquiry leads to an engagement, related records are kept under the engagement agreement and applicable record-keeping obligations.
- Operational and security logs (IP, user-agent) — retained by our host for up to 12 months, then deleted.
7. Security
We apply the following safeguards:
- This website does not operate its own user database. Details you submit through the scan-request form are transmitted to us by email and are not stored in a database on this site.
- All data is encrypted in transit (TLS 1.3) and served over HTTPS with HSTS enforced.
- A strict Content Security Policy and standard security headers (HSTS, X-Frame-Options, X-Content-Type-Options) are applied on every response.
- API keys for sub-processors are stored as environment secrets; they are not accessible in application code or client-side bundles.
No system is perfectly secure. If we become aware of a personal information breach that is likely to cause harm to you, we will notify the Information Regulator and affected data subjects as required by POPIA §22.
8. Your rights under POPIA
You have the right to:
- Access (§23) — request a copy of the personal information we hold about you.
- Correction (§24) — request that inaccurate information be corrected.
- Deletion (§24) — request deletion of your personal information, subject to our legal-retention obligations.
- Objection (§11(3)) — object to processing based on legitimate interest.
- Complaint — if you are dissatisfied with how we handle your information or your request, you may complain to the Information Regulator at inforegulator.org.za.
To exercise any of the above rights, email matt@autoalphaadvisory.co.za with the subject “POPIA Request”. We will respond within 7 business days.
9. Cookies and analytics
This site is designed to run without tracking cookies:
- No login or session cookies — the site has no user accounts, so it sets no authentication cookies.
- Cookie-free analytics. We use privacy-friendly, aggregate analytics that do not set tracking cookies or identify you personally.
- No third-party advertising or tracking. We do not use Google Analytics, Meta Pixel, or similar technologies.
10. Direct marketing and email communications (POPIA §69)
We send two kinds of email, and we treat them differently under POPIA §69:
- Replies to your enquiry are not direct marketing. When you submit a scan request, our follow-up to scope and respond to it is part of handling the enquiry you asked us to handle, on the lawful basis of consent (§11(1)(a)).
- Promotional and marketing emails are opt-in only. If we ever send electronic direct marketing (for example, news about new features, offers, or other Auto Alpha Advisory products), we will do so under POPIA §69 only where you have consented, or where you are an existing customer and the marketing relates to similar products or services. Every such message carries a clear, free opt-out (unsubscribe) mechanism, and you can withdraw consent at any time using that link or by emailing matt@autoalphaadvisory.co.za.
11. Changes to this Privacy Policy
We may update this Policy to reflect changes in the Service or applicable law. For material changes (new data categories, new sub-processors, or changes to your rights), we will notify you by email at least 14 days before the change takes effect. The “Last updated” date at the top of this page always reflects the most recent version.
12. Contact
Auto Alpha Advisory
Cape Town, South Africa
General: matt@autoalphaadvisory.co.za
Information Officer (POPIA requests): matt@autoalphaadvisory.co.za
This is a parameterized template, not legal advice. Have it reviewed by a qualified attorney before launch.