Privacy Notice

For Business Customers

Effective Date: 22 July 2025

1

Introduction

This Privacy Notice explains how Aultech Proprietary Limited ("Aultech", "we", "us", or "our") collects and processes personal data as a data controller in relation to its enterprise SaaS platforms, including its products and offerings described on our website ("the Services"). The Services are exclusively provided to business customers and not to consumers or individuals in their personal capacity.

This notice complies with applicable laws such as South Africa's Protection of Personal Information Act 4 of 2013 ("POPIA"), the United Kingdom's Data Protection Act 2018, and/or the EU's General Data Protection Regulation ("GDPR").

2

Scope of this Privacy Notice

This Privacy Notice applies exclusively to Service Data.

"Service Data" refers to personal information processed by Aultech when establishing, operating, supporting, and maintaining the Services for business clients, including onboarding, account administration, billing, security monitoring, technical support, service analytics, platform updates, and customer communications.

"Customer Data" (i.e., data uploaded or processed by Customers and End Users via the Services such as documents, project data, emails, site instructions, or AI task queries) is governed by the Aultech Services Agreement and Data Processing Addendum ("DPA"), where Aultech acts as a data processor/operator.

Where Aultech processes Customer Data, Aultech acts as a data processor (or operator under POPIA), and processes such data strictly in accordance with Customer instructions. If you are a user authorised under a Customer's Account and have questions about your data, please contact your Account Admin, as they are responsible for managing your data under applicable data protection laws.

3

Contact Us

Aultech is the controller for the Service Data we process, unless otherwise stated.

Legal Entity

Aultech Proprietary Limited
(Company Reg No.: 2025/226086/07)

Information Officer

Mr Ushir Maharaj

Postal Address

13 Hillclimb Road,
Westmead, Durban,
KwaZulu-Natal, South Africa, 3610

4

What Service Data We Collect

We collect and process the following categories of personal data as part of the Service Data:

Business Account Data

Company name, registration number, VAT number, billing and subscription details.

User Identity & Authentication

Names, business email addresses, telephone numbers, job titles, user roles, admin assignments, login credentials (hashed).

Billing & Payment Data

Invoicing records, payment confirmations, refunds, and debit orders.

Technical & Device Data

Device IDs, IP addresses, browser types, operating system, session logs, access logs, error reports. Server-side application logs collected through Elastic stack and Azure telemetry.

Communication & Support Logs

Customer service tickets, onboarding calls, training session records, troubleshooting interactions. Email agent interaction metadata for those using integrated agent features.

Integration Metadata

Limited data from third-party integrations (e.g., Microsoft Outlook, Gmail and Workspace).

5

How We Collect Service Data

5.1 Direct Interactions

Registration forms, contract execution, subscription onboarding, user provisioning, customer support communications.

5.2 Automated Technologies

  • Application telemetry, API usage logs, agent activity, system diagnostics, and platform analytics.
  • Our email agent, where enabled, may collect metadata and perform rules-based tagging, routing, or auto-responses based on criteria set by the user.
  • When you interact with our website, we may collect technical and usage information automatically from your browser or device using cookies and similar technologies.
  • Users can manage cookie preferences through our cookie consent tool.

To opt out of being tracked by Google Analytics across all websites, visit: tools.google.com/dlpage/gaoptout

5.3 Third-Party Sources

We will only receive your personal data from third parties:

  • When you have provided your consent to share such data with us
  • When required by law
  • When strictly necessary to fulfil our contractual obligations
  • When strictly necessary to protect our or our Customer's legitimate interests
  • To protect the vital interests of the data subject

6

Why We Process Service Data

When we process Service Data for the purposes described below, we rely on the following legal grounds:

| Category | Purpose | Legal Basis |
|---|---|---|
| Business Account Information | Account setup, invoicing, contract management | Contractual Necessity |
| User Identity & Authentication | Create accounts, assign user roles, authentication | Contractual Necessity |
| Billing & Payment Data | Payment processing, managing billing records | Contractual Necessity |
| Technical & Device Metadata | Security monitoring, fraud prevention, platform stability | Legitimate Interest |
| Platform Access & Usage Logs | Audit trail, system monitoring, access control audits | Legitimate Interest |
| AI & Task Automation Logs | Automating task management, claims, and contract analysis | Legitimate Interest; Contractual Necessity |
| Security Event Data | Threat detection, incident response, system integrity | Legitimate Interest; Legal Obligations |
| Support Communications | Providing customer support and resolving issues | Contractual Necessity |

To achieve the above processing purposes, we may use algorithms to recognise patterns in Service Data, manual review of Service Data, and aggregation or anonymisation of Service Data to eliminate personal data.

7

Consequences of Failure to Provide Personal Data

If we are required by law or contract to process certain personal data and you do not provide it, we may be unable to:

  • Deliver our services, including configuring, supporting, or facilitating any training
  • Fulfil our contractual obligations, such as onboarding, billing, or security-related requirements
  • Comply with certain legal or regulatory requirements to verify your identity

In such cases, we may need to suspend or terminate our contract and/or business relationship with you, providing due notice and acting under the terms of the contract and applicable legislation.

8

Service Data We Share and Disclose

We do not sell Service Data.

We may share your Personal Data with Aultech Affiliates who perform technical services for us or on our behalf as Processors.

We do not share Service Data with companies, organisations, or individuals outside of Aultech except in the following cases:

  • When you or our customer choose(s) to procure a Third-Party Service through our platforms
  • With your administrator who you authorise to manage your organisation's account
  • For external processing with trusted third-party providers
  • For legal reasons (comply with applicable law, enforce agreements, protect rights and safety)
  • In the event of beta services or feature access (we may share anonymised Service Data)
  • For potential business transfers (reorganisation, merger, acquisition, or sale of assets)
  • In other ways as you direct us, from time to time

9

Special Category Personal Data

We generally do not collect special category personal data (such as race, religious beliefs, or health information) as part of the Service Data unless it is required for specific legal purposes (for example, during legal disputes or regulatory compliance). When we do process such data, it will be with your explicit consent, or as otherwise permitted by applicable laws. Any processing of such data by the Customer remains the sole responsibility of the Customer under the Customer Agreement and DPA.

10

Children

Our Services are designed for business use only. We do not knowingly collect data relating to children under 18 years of age.

11

Where Service Data is Stored and Transferred

11.1 Storage Locations

Your Service Data will be primarily stored and processed in data centres in South Africa and the European Union.

11.2 Cross-Border Transfers

Personal Data may be transferred to and processed in the Republic of South Africa ("RSA"), where our personnel are located. We apply the same protections described in this Privacy Notice in all cases. Some Service Data may pass through Cloudflare as part of Aultech's perimeter security measures.

11.3 Legal Frameworks for Cross-Border Transfers

  • Adequacy decisions: We may transfer data to countries with adequate protection as determined by the European Commission, UK Adequacy Regulations, or Swiss Federal Council.
  • Transfer Impact Assessments (TIAs): Before transferring data to countries without an adequacy decision, we conduct TIAs to assess risks and implement necessary mitigation measures.
  • Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission and UK ICO to ensure your data is protected.
  • Data Encryption: Where appropriate, we encrypt personal data before transfer to prevent unauthorised access or interception.

12

Security and Integrity

We take the security and protection of your Service Data seriously. In line with industry standards, we implement appropriate technical and organisational measures:

Access Control

Restricting access to employees, contractors and agents who strictly need it, all subject to confidentiality obligations.

Encryption

Encrypting Service Data at rest and while in transit.

Review and Testing

Regularly reviewing our systems for vulnerabilities and implementing updates and patches.

Incident Management

Implementing a response plan to address and mitigate any data breaches or security incidents.

While we take all reasonable steps to protect your Service Data, you acknowledge that no system is entirely secure. If we become aware of a data breach, we will notify you and relevant regulatory authorities in accordance with legal requirements.

13

Accuracy, Access and Portability of Service Data

We strive to ensure your personal data is accurate, complete, and up to date. It is your responsibility to inform your administrator of any changes to your personal data so they can update your records with us.

Your administrators can access user-specific data, such as account configurations and billing information, but access to sensitive data may be restricted based on role permissions.

Your employer may allow you to access and export your data to back it up or transfer it to a service outside of Aultech. To access and download the data you have stored in the Services, please submit your request to our Information Officer by emailing privacy@aultech.ai.

14

Retention and Deletion of Service Data

Retention Periods

We will retain your Service Data as a Controller only for as long as it is necessary to fulfil the purposes for which it was collected, or as required by law.

Determining Retention

The retention period is determined by: the type of data and its sensitivity, the purposes for which the data was collected, how you configure your settings, and legal obligations.

Deletion

You may request deletion of your Service Data following account termination or non-payment. We will permanently delete or de-identify such data within 30 days of termination, unless retention is required by law.

Backup Copies

Copies of Personal Data may remain for a limited period in our encrypted backup systems for disaster recovery purposes, before being overwritten by new backup copies.

15

Exercising Your Data Protection Rights

If South African, European Union, UK, or Swiss data protection law applies to our processing of your personal data, you may have certain rights:

Access

Request copies of your personal data

Rectification

Ask us to correct inaccurate or incomplete information

Erasure

Request deletion of your personal data in certain circumstances

Restriction

Ask us to limit the processing of your data

Objection

Object to processing based on public tasks or legitimate interests

Portability

Request the transfer of your data to another organisation

Contact us at privacy@aultech.ai. There is no charge for exercising your rights, and we will respond within 30 calendar days.

Regulatory Authorities

You have a right to complain to the regulator in the country where you reside or operate:

| Country | Regulatory Authority | Website |
|---|---|---|
| Australia | Office of the Australian Information Commissioner | oaic.gov.au |
| Botswana | Information and Data Protection Commission | bocra.org.bw |
| EU Member States | Equivalent authority in any EU member state | edpb.europa.eu |
| Mauritius | Data Protection Office | dataprotection.govmu.org |
| South Africa | Information Regulator | inforegulator.org.za |
| United Kingdom | UK Information Commissioner's Office | ico.org.uk |
| Zimbabwe | Postal and Telecommunications Regulatory Authority | potraz.gov.zw |

16

Links to Third Party Services

Our services may include links to third-party platforms or websites that we do not operate or control. Your interactions with these third-party services are governed by their respective privacy policies. We are not responsible for the privacy practices or security of external platforms.

17

Changes to this Notice

We may update this Privacy Notice to reflect new technologies, industry practices, regulatory requirements, or other purposes. If these changes are material, we will notify you as required by applicable law. Notice may be provided by email to your last known email address, by posting on our sites and platforms, or by other means consistent with applicable law. If you are participating in a beta service or pilot phase, we may provide separate or supplementary privacy disclosures applicable to those features.