Privacy Policy

CapeAI (Pty) Ltd(“CapeAI”, “we”) is the responsible party / data controller for personal information processed through 1Chat. We are committed to handling your information in line with the Protection of Personal Information Act 4 of 2013 (“POPIA”).

Information Officer: Nicky (acting) · our contact form.

We process personal information on the following POPIA-recognised grounds:

• Contractual necessity — to provide the Service you signed up for.
• Consent — for optional cookies, marketing emails and trial notifications.
• Legitimate interest — for fraud prevention, abuse detection, security and product analytics.
• Legal obligation — tax, accounting and lawful requests from authorities.

• Account information — email, display name, password hash or OAuth identifier, subscription tier, billing status.
• Chat and image content — the prompts you submit, the outputs returned, conversation titles and uploaded attachments.
• Usage metrics — model usage, credit consumption, feature usage, approximate location (from IP), device/browser type, timestamps.
• Payment metadata — partial card details (last 4, brand, expiry), transaction IDs, invoice history. Full card numbers are handled by our payment providers and never touch our servers.
• Support correspondence — emails, WhatsApp messages and in-app messages you send us.
• Technical logs — error traces, request logs, diagnostic data.

• Operate, maintain and improve the Service.
• Route prompts to the AI provider you select and return the response to you.
• Bill you, handle refunds and prevent payment fraud.
• Respond to support queries and send service-related notifications.
• Enforce our Terms and keep the platform safe.
• Comply with tax, accounting and other legal obligations.

We do not sell your personal information. We do not use your chat content to train our own models.

We rely on reputable sub-processors to deliver the Service. Each is bound by appropriate confidentiality and data-protection terms.

• Infrastructure & hosting — Vercel (hosting), Cloudflare (CDN, DNS, DDoS protection), Supabase (database, authentication, storage).
• AI model providers — OpenAI, Anthropic, Google (Gemini & Imagen), xAI (Grok), DeepSeek, Moonshot (Kimi), Groq, Alibaba (Qwen), Fal and Replicate (image models including Flux and SDXL).
• Email — Resend (transactional email delivery).
• Payments — Yoco and Paystack (card processing, subscriptions).
• Monitoring — Sentry (error tracking), Vercel Analytics (aggregate traffic).
• Support — WhatsApp (Meta) for conversational support, Gmail for admin email.

When you select an AI model, your prompt (and any attached content) is transmitted to the corresponding provider for processing. Each provider has its own privacy policy; by using a model you accept that the prompt will be processed by that provider under their terms.

Several sub-processors are located outside South Africa, primarily in the United States and the European Union. Where your information is transferred outside South Africa we rely on the POPIA section 72 grounds — either the recipient is subject to a law providing substantially similar protection, the transfer is necessary to perform our contract with you, or you have consented. You acknowledge these cross-border transfers are an inherent part of using the Service.

• Account data — kept while your account is active and for up to 12 months after deletion (for billing disputes and regulatory obligations), unless a longer period is required by law.
• Chats and images — kept while your account is active; you can delete individual conversations at any time. On account deletion, chat content is removed within 30 days.
• Payment records — retained for 5 years to meet SARS and Companies Act obligations.
• Logs & security events — typically retained for up to 90 days.
• Support emails — retained for up to 3 years.

As a data subject you have the right to:

• access the personal information we hold about you;
• request correction of inaccurate or incomplete information;
• request deletion of your information (subject to legal retention duties);
• object to processing based on legitimate interest;
• withdraw consent where processing is based on consent;
• lodge a complaint with the Information Regulator (South Africa).

To exercise any of these rights, email our contact form. We will respond within a reasonable period and in any event within 30 days.

Information Regulator (South Africa) — JD House, 27 Stiemens Street, Braamfontein, Johannesburg · inforeg@justice.gov.za.

We use encryption in transit (TLS), encryption at rest for the database, row-level security on user data, password hashing, and least-privilege access controls. No system is perfectly secure; you use the Service at your own risk and should not submit information you would not wish to disclose.

We use a small number of strictly necessary cookies to keep you signed in, remember your theme preference and prevent abuse. With your consent, we may also use analytics cookies (aggregate, via Vercel Analytics) to understand how the Service is used. You can manage consent via the cookie notice shown on first visit and withdraw it at any time by clearing site data.

The Service is not directed at children under 13. Users aged 13 to 17 require verifiable parental consent (see our Terms).

We will notify you of material changes to this policy by email or in-app at least 14 days before they take effect.

CapeAI (Pty) Ltd, Western Cape, South Africa · our contact form.