Transitioning to enterprise software. Services live now. First product, RAG Studio, ships Q4 2026. See the roadmap →
sonofgraigsonofgraig isometric mark. Primary. Three-face hexagonal prism. Flat colour.
sonofgraig
LegalPrivacy Notice

Privacy Policy

This notice explains what personal information sonofgraig collects, why we collect it, how long we keep it, who we share it with, and the rights you hold under the Protection of Personal Information Act, 2013 (POPIA).

v3.0Effective 1 May 2026Last updated 1 May 2026POPIA · af-south-1
Need a quick answer?
See section 09 for your POPIA data subject rights, section 14 for our Information Officer's contact details, or visit /popia for the formal regulatory statement.

01 · About this notice

sonofgraig (“sonofgraig”, “we”, “us”, “our”) is the responsible party for the personal information processed through this website, our enterprise platform, and any related services. This notice covers all visitors, prospects, customers, applicants, and any other natural or juristic person whose personal information we receive.

For our formal POPIA Section 11 statement, the registered Information Officer, cookie categories, and the data subject rights request form, see our POPIA page. This privacy policy is the plain-language companion to that document — where the two differ, the POPIA page prevails for regulatory matters.

02 · Who we are

sonofgraig is a South African enterprise software company operating from Cape Town. We process and store South African customer data in the AWS Africa (Cape Town) region (af-south-1) by default, in line with POPIA data residency expectations.

Our Information Officer is Graig Son, CEO & Information Officer. They are responsible for ensuring our compliance with POPIA, dealing with requests from data subjects, and working with the Information Regulator of South Africa where required. Contact details are in section 14.

03 · Information we collect

We only collect information we actually need. The categories below are the only personal information we process today:

3.1 Information you give us directly

  • Identity & contact — name, work email, phone, role, company, country.
  • Account & commercial — organisation name, billing address, plan and billing-cycle preference. We do not store full payment card numbers; payments are processed by Stripe and tokenised at the point of capture.
  • Submissions — anything you choose to type into our contact, early-access, waitlist, careers, or data-subject-rights forms.
  • Content you upload — once you are a customer, the documents, prompts, datasets, and configurations you load into the platform.

3.2 Information we collect automatically

  • Device & technical — IP address (anonymised within 24 hours for analytics), user-agent string, screen size, language, referrer.
  • Usage — pages visited, features used, time on page, high-level navigation events. Used in aggregate, not joined to identity by default.
  • Cookies & similar — see section 10. You control which categories are active via the consent banner.

3.3 Information from third parties

  • Authentication providers — if you sign in with Google or Microsoft, we receive your name, work email, and a stable identifier from them; nothing else.
  • Enrichment — for prospective enterprise accounts we may consult publicly available sources (your company website, LinkedIn) to prepare for a sales conversation.

04 · Lawful basis (POPIA Section 11)

POPIA requires us to identify a lawful basis for every processing activity. We rely on the following bases:

  • Consent — for marketing communications, optional cookies, and any processing not strictly necessary to deliver the service. Consent is collected explicitly via opt-in checkboxes and the cookie banner, recorded with a timestamp, and may be withdrawn at any time without penalty.
  • Performance of a contract — to provide, bill for, and support our products under our customer agreement (e.g. account creation, service delivery, customer success).
  • Legal obligation — to comply with tax, anti-money-laundering, audit, and POPIA itself, including responding to lawful requests from regulators.
  • Legitimate interest — to secure our platform, prevent fraud and abuse, improve product quality, and operate normal business communications. We weigh these interests against your privacy rights and stop if your rights override.

05 · How we use your information

  • To deliver, secure, and improve the sonofgraig platform and website.
  • To respond to enquiries, demos, sales conversations, and support tickets.
  • To send service notifications (billing alerts, security advisories, maintenance windows) — these are not optional while you have an account.
  • To send marketing communications where you have opted in. Every marketing email contains a one-click unsubscribe; that link revokes consent immediately for that channel.
  • To produce aggregated analytics about how the website and platform are used. Aggregated and anonymised data is not personal information.
  • To meet legal, accounting, audit, and regulatory obligations under South African law.

We do not sell personal information. We do not use customer content uploaded to the platform to train foundation models or publicly available models. Customer content remains yours.

06 · Sharing & sub-processors

We share personal information only with operators (sub-processors) acting on our behalf under written data processing agreements aligned to POPIA Section 21. Current categories:

  • Cloud infrastructure — Amazon Web Services (Africa, Cape Town region af-south-1 by default).
  • Payments — Stripe Payments Europe Limited. Card data is tokenised by Stripe and never touches our servers.
  • Email delivery — Resend, used for transactional and consented marketing email.
  • Analytics — first-party Vercel Analytics and self-hosted PostHog with IP anonymisation.
  • Customer support — Plain.com for in-app support conversations.
  • Observability & error reporting — Sentry and self-hosted Langfuse, configured to scrub personally identifying fields.
  • Compliance automation — Vanta for SOC 2 / ISO 27001 control monitoring.

A current, named list of sub-processors and their location is available on request from tumiso@sonofgraig.com.

We may also disclose information if required by a valid court order, subpoena, or other lawful instrument issued by a South African authority. Where the law permits, we will notify you before doing so.

07 · Cross-border transfers

Our default is to keep South African personal information inside South Africa. Some sub-processors (for example, Stripe and Resend) operate from outside South Africa. Where a transfer is necessary, we rely on POPIA Section 72 — the recipient is bound to a comparable level of protection through a written processing agreement, or we obtain your explicit consent.

If you use AI features that route to a foundation model provider (such as OpenAI, Anthropic, Google, or Mistral) under your own configuration, those requests will leave South Africa. We disclose every model provider we route to, you choose which providers are enabled at the project level, and you can disable any provider at any time.

08 · Data retention

We retain personal information only as long as necessary for the purpose it was collected for, plus any minimum period required by law. Indicative retention periods:

  • Account data — for the lifetime of the account, then 30 days after closure for backup expiry.
  • Customer content (uploaded documents, prompts, datasets) — retained while you are a customer; deleted within 30 days of account closure unless you export it first.
  • Billing & tax records — five years from the end of the relevant tax year, as required by SARS.
  • Marketing contact data — until consent is withdrawn, then immediately suppressed.
  • Application / careers data — twelve months after the role closes, unless you ask us to delete it sooner.
  • Security logs — twelve months, then automatic rotation.

09 · Your POPIA rights

Under POPIA you have the right to:

  • Access the personal information we hold about you.
  • Correction of inaccurate or out-of-date information.
  • Deletion of information we no longer have a lawful basis to process.
  • Object to processing based on legitimate interest, including for direct marketing.
  • Withdraw consent at any time for processing that relies on consent.
  • Data portability — receive a structured, machine-readable export of your account and content.
  • Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za) if you believe we have not complied with POPIA.

We respond to all data subject requests within 10 business days. Submit yours through the form on our POPIA page or by emailing tumiso@sonofgraig.com. We may ask for proof of identity to make sure we send your data to the right person.

10 · Cookies & tracking technologies

Our cookie banner asks you to opt in to five categories before any non-essential cookie is set:

  • Strictly necessary — session, security, theme. Always on.
  • Functional — remember non-essential preferences. Off by default.
  • Analytics — aggregated, IP-anonymised usage measurement. Off by default.
  • Marketing — measure ad performance via LinkedIn Insight Tag and Google Ads. Off by default.
  • Personalisation — content tailored to your role or industry. Off by default.

You can change these choices at any time using the “Cookie preferences” control in the cookie banner. Choices are recorded with a timestamp under the localStorage key popia_consent_v3.

11 · Security

We use industry-standard administrative, physical, and technical safeguards including encryption in transit (TLS 1.2+), encryption at rest (AES-256), role-based access control, multi-factor authentication for staff, organisation-scoped row-level security in our primary database, audit logging, and quarterly third-party penetration testing. Our SOC 2 Type II programme is automated through Vanta with continuous control monitoring.

If we ever experience a security breach involving your personal information, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in line with POPIA Section 22.

12 · Children’s data

The sonofgraig platform is sold to enterprises and is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact our Information Officer and we will delete it.

13 · Changes to this notice

We may update this privacy policy as the platform evolves or as the law changes. The version number and “Last updated” date at the top of this page always reflect the current version. Material changes will be announced on the platform and, where appropriate, by email to account administrators at least 14 days before they take effect.

Previous versions are available on request from tumiso@sonofgraig.com.

14 · Contact our Information Officer

For any privacy question, complaint, or data subject request, contact our Information Officer:

Information OfficerGraig Son, CEO
Emailtumiso@sonofgraig.com
Phone+27 (0) 21 000 0000
Postal addresssonofgraig, Cape Town, South Africa

You may also lodge a complaint directly with the Information Regulator of South Africa. We would always rather try to resolve a concern first — please give us the chance to.

POPIA statement

Formal Section 11 statement, cookie categories, and data-subject-rights form.

Read more
Contact us

General enquiries, partnerships, and sales conversations.

Read more
Security overview

Encryption, certifications, sub-processors, and incident response.

Read more