Legal · Policy

Privacy Policy

This Privacy Policy explains how Truterax (operating as TRUTERA X) collects, uses, stores, and protects personal information. It is aligned with South Africa's Protection of Personal Information Act, 2013 ("POPIA") and the EU General Data Protection Regulation ("GDPR").

Last updated: 12 June 2026 Effective date: 12 June 2026 Version: 1.3
Template notice: This document is a starter template based on common POPIA/GDPR requirements. It has not been reviewed by legal counsel. Before going live, have a qualified attorney (in South Africa, ideally one familiar with POPIA & the Information Regulator's guidance) review and tailor it to your specific operations.

1. Who we are

Trutera X (legal name TRUTERA X (PTY) LTD, CIPC registration 2026/379872/07, effective 18 May 2026) is an AI-first engineering studio based at SPACES, 50 Long Street, Cape Town, 8001, South Africa. References to "we", "us", and "our" in this policy mean Trutera X.

We act as the Responsible Party (POPIA) / Data Controller (GDPR) for personal information we collect through our website and during the provision of our services.

2. Information Officer

As required by POPIA Section 55, Trutera X has designated an Information Officer responsible for ensuring compliance with this Act:

  • Name: The sole director of TRUTERA X (PTY) LTD serves as Information Officer ex officio until otherwise appointed
  • Email: [email protected]
  • Postal address: SPACES, 50 Long Street, Cape Town, 8001

Information Officer registration with the Information Regulator of South Africa is being finalized following CIPC registration. The IO registration reference will be published here once received.

3. What personal information we collect

We collect personal information directly from you and through automated means when you use our website or engage us for services:

3.1 Information you give us

  • Contact information: name, email, company name, phone number
  • Project information: project descriptions, budget ranges, business requirements
  • Communications: emails, meeting notes, support requests

3.2 Information collected automatically

  • Technical data: IP address, browser type, device type, operating system
  • Usage data: pages visited, time on site, referring URL (via privacy-respecting analytics where consented)
  • Cookies & similar: see our Cookie Policy

3.3 Account sign-up & authentication

If you create an account on this website, we process the following on the lawful basis of your explicit consent (POPIA s11(1)(a) / GDPR Art. 6(1)(a)), which you give by ticking the consent box at sign-up. We record the time of consent and the policy version for accountability (POPIA s23):

  • Email address: to create your account, send a verification link, and let you sign in.
  • Password: never stored in plain text. We store only a salted PBKDF2-HMAC-SHA256 hash; we cannot recover or read your password.
  • IP address: processed transiently for security and abuse-prevention (rate-limiting sign-up and login attempts).

Account data is stored in a Cloudflare D1 database; see §6 (operators) and §8 (where it is processed). You may withdraw consent at any time by deleting your account; email [email protected] (see §9).

Launch & product announcements (optional): at sign-up you may tick a separate, optional, never pre-checked box to receive emails about new Trutera X apps and products. This is direct marketing by electronic means under POPIA section 69, processed only on your opt-in consent; we record the date and time of that consent. You can withdraw at any time; every such email contains an unsubscribe option, or email [email protected]. Leaving the box unticked has no effect on your account.

Reviews & testimonials: if you submit a review, we process the display name you choose, your account email (kept private, for verification and abuse-prevention only), the star rating, and the review text you write. Reviews are reviewed before publication; once approved, your display name, star rating, and review text are published publicly on our website. You can ask us to remove a published review at any time by emailing [email protected].

4. Our lawful basis for processing

PurposePOPIA JustificationGDPR Lawful Basis
Responding to enquiriesNecessary for contract / legitimate interestArt. 6(1)(b) / 6(1)(f)
Delivering our servicesPerformance of contractArt. 6(1)(b)
Compliance / accountingLegal obligationArt. 6(1)(c)
Marketing communicationsConsentArt. 6(1)(a)
Analytics & site improvementConsentArt. 6(1)(a)
Account sign-up & authenticationConsent (POPIA s11(1)(a))Art. 6(1)(a)

5. How we use your information

We use personal information to: respond to enquiries and quote requests; deliver, support, and improve our services; manage our contracts and invoicing; comply with our legal obligations; and (where you consent) send you marketing communications.

We will not sell your personal information or use it for purposes incompatible with those listed above.

6. Who we share your information with

We share personal information only with carefully selected operators (POPIA) / processors (GDPR) under written contracts that protect your rights. Categories include:

  • Cloudflare, Inc.: website hosting and our account database (Cloudflare Pages + the D1 database that stores your account record); Cloudflare also provides the Turnstile bot-check on the sign-up form.
  • Resend: sends the account email-verification message (and other transactional email).
  • Analytics: privacy-first analytics (e.g., Plausible), only with consent
  • Payment processors: for invoicing (Stripe, PayFast, or equivalents)
  • Professional advisers: accountants, legal counsel under confidentiality

7. How long we keep your information

We keep personal information only for as long as necessary for the purposes set out above, or as required by law (e.g., SARS retains tax records for 5 years). Typical retention periods:

  • Quote/enquiry records: 24 months from last contact
  • Active client records: duration of engagement + 5 years
  • Marketing list: until you unsubscribe
  • Website analytics: 14 months
  • Account records (email, password hash, consent record): kept until you delete your account or ask us to; unverified accounts may be removed sooner.
  • Security / rate-limit logs (IP addresses of sign-up & login attempts): retained only for abuse-prevention and purged on a rolling basis, typically within 24 hours.

8. International transfers

Because we use international cloud and SaaS providers, your information may be transferred to, and processed in, countries outside South Africa. In particular (POPIA Section 72): your account data is stored in a Cloudflare D1 database hosted in Western Europe, and the verification email is sent via Resend (processed outside South Africa). Where personal information is transferred cross-border we rely on safeguards permitted under POPIA Section 72 / GDPR Chapter V: recipients bound by laws or agreements providing adequate protection, Standard Contractual Clauses, adequacy decisions, or your consent.

9. Your rights

Under POPIA and GDPR, you have the right to:

  • Access the personal information we hold about you
  • Request correction or deletion of inaccurate information
  • Object to processing or withdraw consent
  • Request restriction of processing
  • Data portability (GDPR only)
  • Lodge a complaint with the Information Regulator (SA) or your local supervisory authority

To exercise any of these rights, email [email protected]. We will respond within 30 days.

10. How we protect your information

We follow security practices aligned with ISO/IEC 27001 principles:

  • Encryption in transit (TLS 1.2+) and at rest where applicable
  • Role-based access controls and the principle of least privilege
  • Regular vulnerability scanning and dependency monitoring
  • Multi-factor authentication on administrative accounts
  • Incident response procedures, including breach notification within 72 hours where legally required

11. Cookies

Our use of cookies and similar tracking technologies is described in our Cookie Policy. You can manage your preferences via the cookie banner shown on first visit.

12. Children

Our services are not directed at children under 18 years of age, and we do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us so we can delete it.

13. Governing law & jurisdiction

This Privacy Policy, and any matter relating to it, is governed by the laws of the Republic of South Africa, and the processing described here is undertaken in accordance with POPIA (and, where applicable, the GDPR). Any dispute arising from this policy is subject to the exclusive jurisdiction of the Western Cape Division of the High Court (Cape Town), without prejudice to your right to lodge a complaint with the Information Regulator (South Africa) (see Contact, below).

14. Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be communicated via email or a prominent notice on our site.

15. Contact us

If you have any questions about this Privacy Policy, please contact us:

You may also contact the Information Regulator (South Africa): inforegulator.org.za