1. Who is responsible for your data
The data controller (GDPR) / responsible party (POPIA) / business (CCPA) is ApexGEO, based in Cape Town, Western Cape, South Africa. For enterprise customers we operate as a data processor / operator under a Data Processing Addendum (DPA) — request the current DPA at [email protected].
Privacy questions go to [email protected]. Our Data Protection Officer (GDPR Art. 37) is reachable at [email protected]. The role is held internally; we will appoint a separate qualified DPO if and when our processing crosses the GDPR Art. 37(1)(b) / (c) threshold.
EU and UK representatives (GDPR Art. 27 / UK GDPR Art. 27). We do not currently have a designated EU or UK representative because our processing of EU/UK personal data is occasional and not on a large scale. We will appoint representatives if and when our activities meet the Art. 27(2) threshold (regular monitoring of EU/UK data subjects or processing of special-category data on a large scale). If you are in the EU/UK and want to exercise data-subject rights in the meantime, the contacts above accept requests directly.
2. What we collect and why
Account data
Examples: email, name, organisation, hashed password, role on team
Why we need it: Authenticate you, route notifications, scope access to your brands.
Legal basis: Contract performance (GDPR Art. 6(1)(b)); POPIA s11(1)(b).
Brand and audit data you submit
Examples: domains, brand metadata, audit URLs, paste-mode HTML content, content drafts, scraped mentions
Why we need it: Run the platform you signed up for — audits, monitoring, content generation.
Legal basis: Contract performance.
Billing data
Examples: company name, billing address, VAT/tax number, last four digits of card, plan tier
Why we need it: Issue invoices and collect payment. Card numbers themselves are stored only by Stripe / Paystack — never on our servers.
Legal basis: Contract performance + legal obligation (tax/audit retention).
Usage and product analytics
Examples: which pages you visit in the dashboard, feature usage counters, audit count per month, error events
Why we need it: Improve the product, debug issues, calculate billing usage.
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)); POPIA s11(1)(f). Aggregated where possible.
Cookies and similar technology
Examples: session token, CSRF token, locale, theme; aggregated analytics counters
Why we need it: Keep you signed in, prevent CSRF, remember preferences. See the Cookie Policy for the full list.
Legal basis: Strictly necessary; consent for non-essential cookies (GDPR Art. 6(1)(a); ePrivacy).
Communications
Examples: support emails, ticket conversations, sales meeting notes
Why we need it: Help you when you ask; renew or upgrade your subscription.
Legal basis: Contract performance + legitimate interest.
3. What we do NOT do
- We don't sell your personal data. Not in the CCPA sense (no monetary or other valuable consideration), not in the colloquial sense. Our revenue is subscriptions; selling data would break the trust the product is built on.
- We don't share for cross-context behavioural advertising (CPRA §1798.140(ah)) or for any advertising-network reuse.
- We don't train third-party AI models on your private brand data. Your content goes to AI providers (Anthropic, OpenAI, Google, etc. — see section 5) to run inference for you. We use those providers' enterprise / no-training tiers where they exist, and our DPA prohibits secondary use.
- We don't do automated decision-making with legal or similarly significant effects on you (GDPR Art. 22). The AI-generated scores you see in the product are advisory; a human at your end decides what to act on.
4. Where your data lives (data residency)
We host on a small set of regions. The default for African-market customers is Johannesburg (POPIA-aligned); for everyone else we host in Virginia (us-east-1). EU residency in Frankfurt and APAC residency in Singapore are in build-out — see the planned dates below. Enterprise customers can pin a residency region in their contract.
| Region | Status | Notes |
|---|---|---|
| European Union (Frankfurt) | Planned (2027-06-01) | Primary data center in Frankfurt; backups in Ireland. |
| United States (us-east-1) | Available | Primary data center in Virginia; backups in Oregon. |
| South Africa (Johannesburg) | Available | Primary data center in Johannesburg. Our default for African-market customers — POPIA-aligned. |
| Asia-Pacific (Singapore) | Planned (2027-09-01) | Singapore; covers APAC enterprise customers. |
5. Sub-processors
We use the third-party services below to deliver the platform. Each operates under a written agreement with us, including a Data Processing Agreement where applicable. Adding a new sub-processor that touches customer data triggers an in-product banner and the list below updates. Enterprise customers can sign up for at-least-30-days' advance notice of new sub-processors at [email protected].
| Vendor | Purpose | Country | Data |
|---|---|---|---|
| Supabase | Primary Postgres database + auth provider | US | All account, brand, audit, monitoring, and billing-state data |
| Anthropic | LLM inference (Claude) | US | Brand metadata, content samples, generated drafts |
| OpenAI | LLM inference (GPT-4/5) | US | Brand metadata, content samples, generated drafts |
| Google | LLM inference (Gemini, NotebookLM), Search Console, Analytics | US | Brand queries, site analytics, search performance |
| Perplexity AI | LLM inference (Perplexity) | US | Brand monitoring prompts |
| xAI | LLM inference (Grok) | US | Brand monitoring prompts |
| DeepSeek | LLM inference (DeepSeek) | CN | Brand monitoring prompts |
| Mistral AI | LLM inference (Mistral) | FR | Brand monitoring prompts |
| Cohere | LLM inference (Cohere) | US | Brand monitoring prompts |
| Together AI | Hosted-LLM inference (Janus, Llama, and other open-weights models) | US | Brand monitoring prompts |
| Moonshot AI | LLM inference (Kimi) | CN | Brand monitoring prompts |
| Alibaba Cloud | LLM inference (Qwen via DashScope) | CN | Brand monitoring prompts |
| Yandex Cloud | LLM inference (YandexGPT) | RU | Brand monitoring prompts |
| Microsoft | LLM inference (Copilot, Bing Copilot via Bing Search API) | US | Brand monitoring prompts |
| Pinecone | Vector embeddings store for semantic search and content retrieval | US | Embeddings of customer content and brand metadata |
| Cloudflare | CDN, DDoS protection, R2 backup storage | US | All traffic; encrypted backups |
| Upstash | Redis cache + queue | US | Ephemeral job payloads, rate-limit counters |
| Bugsink (self-hosted) | Error tracking — Sentry-protocol-compatible, self-hosted at errors.isaflow.co.za | ZA | Application errors, redacted stack traces. Data never leaves infrastructure we control. |
| Stripe | Billing + payment processing (global customers, USD) | US | Billing emails, payment tokens (card data never touches our servers) |
| Paystack | Billing + payment processing (South African customers, ZAR) | ZA | Billing emails, payment tokens (card data never touches our servers) |
| DataForSEO | AI keyword volume data for Prompt Radar | US | Keywords only; no brand-identifying data |
6. International transfers
Several sub-processors are based in the United States. For transfers of EU/UK personal data to those vendors we rely on the European Commission's 2021 Standard Contractual Clauses (SCCs) and the UK's International Data Transfer Addendum, supplemented with technical safeguards (encryption in transit and at rest, role-scoped access, audit logging). For POPIA s72 transfers out of South Africa, we rely on the equivalent law or binding contractual clauses where no equivalent law exists.
We do not transfer personal data to a country that fails an adequacy decision and has no available transfer mechanism. If we ever need to, we will obtain your explicit consent first or refuse the transfer.
7. How long we keep your data
Retention is the minimum we need for the purpose, subject to legal retention floors (e.g. tax records). You can request earlier deletion any time — see section 9.
- Account data: kept while your account is active, then up to 7 years after closure (South African tax / audit floor).
- Audit results: rolling 2-year window — enough for year-on-year comparisons.
- Monitoring mentions: rolling 2-year window.
- Application logs and error traces: 90 days (Bugsink default window). PII is redacted before logging.
- Aggregated / anonymised analytics: 3 years. These are statistical only and no longer relate to an identifiable person.
- Backups: point-in-time recovery is retained for 35 days; encrypted backups roll off automatically.
- Inactive accounts: if an account has had zero activity for 3 years and is unpaid, we email a deletion warning then auto-delete.
8. How we protect it
- TLS 1.2+ for all traffic; HSTS preload on the public domain.
- Encryption at rest for the database, object storage, and backups.
- Per-tenant row-level scoping in the application layer; super-admin reads are audit-logged.
- Single-sign-on via Supabase auth; passwords are bcrypt-hashed.
- API keys (LLM provider keys, your stored credentials for connected accounts) are encrypted at rest with AES-256-GCM using authenticated encryption.
- Vendor security review before adding any sub-processor that touches customer data; SOC 2 Type II / ISO 27001 in progress (see the Trust Center for current status).
- Breach notification: GDPR Art. 33/34 (72 hours to supervisory authorities, without undue delay to affected users when there is high risk); POPIA s22 (notice to the Information Regulator and to data subjects); equivalent CCPA §1798.82 and LGPD Art. 48 obligations.
9. Your rights
You have rights over your personal data. The exact list depends on where you live; the table below maps the common requests to the law that gives you the right. To exercise any of them, email [email protected] from the address on your account or any other address we can reasonably verify belongs to you. We respond within one month (GDPR Art. 12(3); POPIA operator response is “as soon as reasonably possible”). Complex requests may be extended by two further months under Art. 12(3) — we will tell you within the first month if we need the extension.
| Jurisdiction | Rights you have | Authority |
|---|---|---|
| EU / UK / EEA (GDPR + UK GDPR) | Access, rectification, erasure, restriction, portability, objection, no automated decision-making with legal effects, withdraw consent at any time. | Arts. 15–22 |
| South Africa (POPIA) | Access (s23), correction (s24), deletion (s24), object to processing (s11(3)), object to direct marketing (s69), complaint to the Information Regulator. | POPIA Chapter 3 |
| California (CCPA + CPRA) | Know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, non-discrimination, two requests per 12 months are free. | Cal. Civ. Code §§1798.100–.199 |
| Brazil (LGPD) | Confirmation of processing, access, correction, anonymisation, portability, deletion, information about sharing, revocation of consent. | LGPD Art. 18 |
| Canada (PIPEDA) | Access to your information, accuracy, withdrawal of consent, complaint to the Privacy Commissioner. | PIPEDA Principles 8–10 |
| Australia (Privacy Act 1988) | Access, correction, anonymity/pseudonymity where lawful, complaint to the OAIC. | APP 12, 13, 2 |
| India (DPDP Act 2023) | Access, correction, completion, updating, erasure, grievance redressal, nominate someone to exercise rights on your behalf. | DPDP Act ss11–13 |
You can also complain directly to your data-protection authority — the Information Regulator (ZA), the ICO (UK), your national DPA in the EU, the California Privacy Protection Agency, the ANPD (Brazil), the OPC (Canada), the OAIC (Australia), or the Data Protection Board (India).
10. Children
ApexGEO is a B2B product not directed at children. We do not knowingly collect personal data from anyone under 16 (GDPR Art. 8) or under 13 (COPPA). If you believe a child has provided us with personal data, email [email protected] and we will delete it.
11. Automated marketing communications
We send product, billing, and security emails to customers — these are operational and not opt-out (you can close the account to stop them). Marketing emails are opt-in only and every one has an unsubscribe link that takes effect on the next send.
12. Changes to this policy
We update this policy when our practices change. Material changes (new sub-processor that processes more than ephemeral metadata, a new legal basis, a change to retention upper bounds) get at least 30 days' advance notice via in-product banner and email. Non-material changes (clarifications, typo fixes) ship without notice but the last-updated date at the top of this page always changes.
13. Governing law and supervisory authorities
This policy is governed by the laws of South Africa. Nothing in this section limits any non-waivable rights you have under your local law.
- South Africa: Information Regulator — [email protected]
- UK: Information Commissioner's Office — ico.org.uk
- EU: your country's Data Protection Authority (full list at edpb.europa.eu)
- California: Privacy Protection Agency — cppa.ca.gov
- Brazil: ANPD — gov.br/anpd
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- Australia: OAIC — oaic.gov.au
- India: Data Protection Board (post-rules)
14. Contact
ApexGEO, Cape Town, South Africa. [email protected] for privacy questions, [email protected] for DPO-equivalent matters, [email protected] for contract and DPA requests.