Privacy Policy

1. Introduction

This Privacy Policy was adopted by Backchat Proprietary Limited (Registration Number: 2023/735133/07) ("Backchat", "we", "us", or "our") with effect from 28 February 2026.

This Policy outlines the basis upon which Backchat will Process the Personal Information of its Data Subjects within its commercial ecosystem, including any Users who engage Backchat in connection with the Chatterbox Platform and the corresponding Services, as well as Target Recipients whose Personal Information is Processed through our Services.

All compliance functions associated with this Policy are carried into effect by the Information Officer, contactable at privacy@backchat.co.za.

2. Definitions

The following terms are used throughout this Policy:

• Backchat / Responsible Party: Backchat Proprietary Limited (Registration Number: 2023/735133/07), the entity responsible for determining the purpose and means of Processing Personal Information.
• Chatterbox Platform / Platform: The voice and SMS broadcast platform operated by Backchat at www.backchat.co.za/chatterbox, including all related features and functionality.
• Data Subject: Any natural or juristic person to whom Personal Information relates, including Users and Target Recipients.
• Information Officer: The person designated by Backchat to fulfil its obligations under POPIA, contactable at privacy@backchat.co.za.
• Operator: A third party who Processes Personal Information on behalf of Backchat in terms of a mandate or agreement.
• PAIA: The Promotion of Access to Information Act 2 of 2000.
• Personal Information: Information relating to an identifiable, living natural person or an identifiable, existing juristic person, as defined by POPIA.
• POPIA: The Protection of Personal Information Act 4 of 2013.
• Processing / Process: Any operation or activity concerning Personal Information, including collection, receipt, recording, organisation, storage, updating, retrieval, consultation, use, dissemination, merging, erasure, or destruction.
• Services: The voice broadcast, SMS broadcast, translation, transcription, and related services provided by Backchat through the Chatterbox Platform.
• Target Recipient: A person whose phone number or Personal Information is uploaded to or Processed through the Platform by a User for campaign delivery purposes.
• User: Any person who registers for and uses the Chatterbox Platform.

For a complete list of defined terms used across all Backchat policies, see our Glossary.

3. Information We Collect

3.1 Information You Provide

• Account Information: Email address when you register. If you sign up via SSO (Google, Apple, or Microsoft), your name and email are provided by the identity provider. Phone number is verified separately during campaign setup. No billing information is collected at registration.
• Campaign Data: Recipient phone numbers, message content, call and SMS scripts, Excel contact lists with personalisation variables, and translated message content you create through our platform.
• Payment Information: Billing details you provide for wallet top-ups, processed through our payment provider.
• Communication Records: Records of your communications with us, including support tickets and feedback submissions.

3.2 Information Collected Automatically

• Usage Data: Information about how you use our platform, including campaign statistics, call and SMS outcome data, and feature usage.
• Device Information: Browser type (User-Agent), IP address, and operating system.
• Analytics Events: We track platform events including page views, feature interactions, campaign actions (creation, launch, pause, completion), authentication events, and wallet transactions. Each event may include session identifier, page URL, referrer, and timestamp.
• Geo-Location Data: We derive approximate geographic location (country, province, and city) from your IP address using the MaxMind GeoLite2 database. This data is stored alongside analytics events and user sessions for service improvement purposes.

4. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our voice and SMS broadcast services
• Process campaign messages through AI services for translation, grammar and tone verification, Hlonipha cultural compliance checks, and campaign classification
• Process wallet transactions and send related information
• Send technical notices, updates, and administrative messages
• Respond to your comments, questions, and support requests
• Monitor and analyse usage patterns to improve user experience
• Detect, prevent, and address technical issues and fraud
• Comply with legal obligations and enforce our terms of service

5. POPIA Compliance

Any Personal Information Processed by Backchat shall be subject to the foundational principles established by POPIA. The Processing of Personal Information is carried out in accordance with the following conditions:

5.1 Accountability

Backchat acknowledges the obligations and duties established by POPIA. All associated compliance functions are carried into effect by the Information Officer.

5.2 Processing Limitation

The Processing of Personal Information by Backchat shall be carried out in a manner that is lawful and consistent with the framework established by POPIA.

5.3 Purpose Specification

Personal Information will only be Processed by Backchat for specific and legitimate purposes emanating from, among other things, the Chatterbox Platform and the corresponding Services.

5.4 Further Processing Limitation

Any Personal Information collected for a specific purpose will not be Processed in a manner that is incompatible with the original purpose.

5.5 Information Quality

Backchat will take all reasonable steps to ensure that the Personal Information Processed by it is complete, accurate, not misleading and up to date.

5.6 Openness

Data Subjects will be informed of the nature of the Personal Information Processed by Backchat. The categories of information collected include, but are not limited to, those detailed in Section 3 of this Policy: registration, verification and User profile data; User payment information; support information; cookies, device and browser information; and location information.

5.7 Security Safeguards

The integrity of the Personal Information collected, Processed and/or retained by Backchat will be treated as a security imperative, subject to ongoing review and management by the Information Officer. The specific technical measures employed are detailed in Section 13 of this Policy.

5.8 Data Subject Participation

Backchat specifically acknowledges the rights of its Data Subjects, including any User or Target Recipient. The full list of rights is set out in Section 6 of this Policy.

6. Data Subject Rights

Backchat acknowledges the following rights of its Data Subjects, including any User or Target Recipient:

• To be notified that their Personal Information is being collected by Backchat
• To be notified in the event of a data breach concerning their data
• To be made aware that Backchat is possessed of Personal Information concerning them
• To request access to their Personal Information held by Backchat
• To request the correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained Personal Information
• To object to Backchat's use of their Personal Information
• To object to the Processing of their Personal Information
• To withdraw consent where Processing is based on consent
• To lodge a complaint with the Information Regulator regarding any alleged infringement of their rights protected under POPIA

To exercise these rights, please contact the Information Officer using the details provided in Section 16 below.

7. Access to Records (PAIA)

Any request for access to the records of third party data (including Personal Information) collected, Processed and/or retained by Backchat shall be subject to the provisions of the Promotion of Access to Information Act (PAIA).

All such requests must be made on the prescribed form, accessible at the Information Regulator website.

The Information Officer will make a determination on the request for access to records within 30 (Thirty) days, unless:

• the request is for a large number of records;
• the search for the records is to be conducted at a premises not situated in the same town or city as the registered address of Backchat; or
• the Data Subject (or third party requestor) and Backchat agree to an extension for any other reason.

In the event that the Information Officer fails to respond to a request for access to records within the prescribed period, the request will be deemed to have been refused on a ground specifically recognised by PAIA, namely:

• in circumstances where the requested record constitutes information subject to professional legal privilege;
• in order to protect commercial (or confidential) information concerning Backchat or any third party;
• in order to protect the safety of individuals or property; or
• in circumstances where granting access to the record would result in the unreasonable disclosure of Personal Information.

Where a request is approved, the Information Officer will advise the requestor of the applicable access fee and format in which access to the record(s) will be granted.

Where a request is denied, the Data Subject (or third party requestor) shall be entitled to appeal the determination of the Information Officer in the manner and form prescribed by PAIA.

8. Information Sharing and Disclosure

We may share your information with the following categories of third parties:

• Telephony Provider: Twilio — for voice call and SMS delivery. Recipient phone numbers and call/SMS metadata are shared to facilitate campaign delivery.
• Payment Provider: PayFast — for processing wallet top-up transactions.
• AI Language Processing: OpenAI — for message translation, message verification and classification, and language detection. Only message text content is sent to OpenAI; recipient phone numbers and personal information are not transmitted.
• Speech Services: Deepgram (speech-to-text and text-to-speech audio generation), Google Cloud (speech recognition), Microsoft Azure (text-to-speech for non-English languages), Amazon Web Services (speech transcription).
• Geo-Location: MaxMind — we use the GeoLite2 database locally to derive geographic information from IP addresses. Your IP address is not transmitted to MaxMind.
• Email Notifications: Microsoft Graph — for delivering email notifications and support communications.
• Authentication: Microsoft Azure AD, Google, and Apple — for SSO authentication.
• Legal Requirements: When required by law, court order, or governmental authority.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• With Your Consent: When you have given us explicit permission to share your information.

We do not sell your personal information to third parties.

9. AI Processing Disclosure

Campaign messages may be processed by AI services for the following purposes:

• Translation: Messages are translated between supported South African languages (currently English, isiZulu, and Afrikaans, with additional official languages planned) using AI language models provided by OpenAI.
• Message Verification: Messages are checked for grammar, tone appropriateness, and campaign suitability using AI language models.
• Hlonipha Compliance: Messages in isiZulu are checked for cultural language compliance against Hlonipha principles.
• Campaign Classification: Messages are automatically categorised to help ensure appropriate use of the platform.

Only message text content is shared with AI processors. Recipient personal information (phone numbers, names, addresses) is not transmitted to AI services. AI processors handle data according to their own data usage policies.

10. International Data Transfers

Some of our service providers (including OpenAI, Twilio, Deepgram, Google Cloud, Microsoft Azure, and Amazon Web Services) may process data outside South Africa. When your information is transferred internationally, we ensure appropriate safeguards are in place to protect your information in accordance with POPIA requirements.

11. Cookies and Tracking

We use a single essential session cookie to maintain your authenticated session on the platform. This cookie is configured as HttpOnly (not accessible to JavaScript), Secure (transmitted only over HTTPS), and is required for the platform to function.

We use Google Ads conversion tracking in cookieless mode to measure the effectiveness of our advertising campaigns. This tracking does not set advertising cookies, does not use personal data for advertising personalisation, and does not fingerprint your device. No advertising cookies or marketing trackers are used. Our internal analytics tracking is server-side and does not rely on browser cookies beyond the essential session identifier.

12. Data Retention

We retain your personal information for as long as your account is active and as necessary to provide our services and fulfil the purposes described in this policy. Campaign data, call and SMS logs, and analytics events are retained while your account remains active. We do not store voice call recordings for outbound campaigns.

Upon account termination, we will delete your personal data within a reasonable period unless retention is required by applicable law. You may request earlier deletion of specific data by contacting us at the details provided below.

13. Data Security

Backchat has implemented and shall at all times maintain appropriate technical and organisational security measures to safeguard the Personal Information collected, Processed and/or retained by it in connection with the Chatterbox Platform and the corresponding Services, including:

• AES-256 encryption for sensitive configuration data stored in our database
• Encryption of data in transit (HTTPS/TLS) and at rest
• Secure access controls and authentication (SSO, session-based authentication)
• Regular security assessments and monitoring

Any suspected breach or misuse of the information collected and/or Processed by Backchat will be investigated and, where applicable, reported to the Information Regulator.

Backchat strictly reserves the right to take whatsoever steps as may be necessary to secure the integrity of its data security measures, such systems being subject to ongoing review and management by the Information Officer.

14. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

15. Changes to This Policy

This Policy shall, in the sole and unfettered discretion of Backchat, be subject to all such amendments reasonably necessary to ensure its continued effectiveness, relevance, and compliance with evolving business needs, industry standards and legal or regulatory requirements.

Users will be notified of any updated versions of this Policy on the Platform. Any revised version of this Policy will only take effect on at least 30 (Thirty) calendar days' notice.

16. Contact Us

Any queries, recommendations or requests in connection with this Policy must be directed to the Information Officer:

• Information Officer Email: privacy@backchat.co.za
• Website: www.backchat.co.za

17. Information Regulator

If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with the Information Regulator:

• Website: www.justice.gov.za/inforeg
• Email: complaints.IR@justice.gov.za