Privacy Policy
Privacy Policy + Terms of Service Templates
These are DRAFTS to start from. Before launch they need review by a SA lawyer with POPIA expertise (~R 5-10k for review, well worth it). Section headers map to POPIA's eight conditions.
Privacy Policy (Phila / Stormberg Produce)
Version 1.0 · Last updated: 2026-05-12 · Effective: [LAUNCH_DATE]
1. Who we are
Stormberg Produce (Pty) Ltd (registration [TO_BE_REGISTERED]), a South African company operating from Burgersdorp, Eastern Cape, trading as:
- Stormberg Produce (food + freeze-dried product line) at stormberg.co.za
- Phila (or final coach brand name) at app.stormberg.co.za / phila.coach
We are the Responsible Party under the Protection of Personal Information Act, 2013 (POPIA).
Information Officer: George Hayter
Contact: privacy@stormberg.co.za
Postal address: [TO_BE_ADDED]
2. What information we collect
Account information (when you sign up):
- Name, email address, password (hashed, never stored in plain text)
- Optional: phone number, city, language preference
Health-related information (Special Personal Information under POPIA Section 26):
- Height, weight, target weight, age, sex
- Dietary preferences, allergies, intolerances
- Religious / cultural dietary practices
- Medications (only if you choose to share, for drug-food interaction warnings)
- Cooking preferences and household details
Usage information:
- Chat conversations with the AI coach
- Meal logs (foods you tell us you've eaten)
- Recipe favourites + ratings
- Forum posts (if you participate)
- Voice recordings (only if you use voice features; processed in real-time and not stored beyond 24 hours)
Technical information:
- IP address (for security and location detection)
- Device type, browser, operating system
- Pages visited, features used
Payment information:
- We do NOT see or store your card details. Payment processing is handled by PayFast / Yoco / Peach Payments (subject to their own privacy policies).
3. How we use your information
| Purpose | Lawful basis under POPIA |
|---|---|
| Provide the coaching service | Performance of contract |
| Personalise meal plans + AI coaching | Your consent (Section 11(1)(a)) |
| Process Special Personal Information (health data) | Your explicit consent (Section 27(1)(a)) |
| Send transactional emails (account, billing) | Performance of contract |
| Send marketing emails (newsletter, product updates) | Your separate consent (revocable) |
| Comply with legal obligations (tax, regulator) | Compliance with law |
| Protect security + prevent fraud | Our legitimate interests |
4. Sharing your information
We share information only with:
- Service providers under signed Data Processor Agreements:
  - AI inference: DeepInfra (USA) [until Phase 5b]; then self-hosted in SA
  - Voice STT/TTS: OpenAI Whisper API + ElevenLabs (USA) [Pro tier; until Phase 5b]
  - Email: Postmark / SendGrid
  - Hosting: Hetzner (Johannesburg)
  - Payment: PayFast / Yoco / Peach
- Messaging platforms (only if you opt in):
  - WhatsApp (Meta): your conversations flow through Meta's servers. Meta has its own privacy policy.
  - Telegram, Discord (similar)
- Legal authorities: only when compelled by valid SA court order
We do NOT:
- Sell your data to anyone
- Use your data to train third-party AI models
- Show ads in the product
- Share your data with insurers, employers, or marketers without separate explicit consent
5. Cross-border data transfer
Some service providers are outside South Africa. Under POPIA Section 72, we ensure:
- Contractual safeguards (Data Processor Agreements + Standard Contractual Clauses where applicable)
- Your explicit consent at sign-up
- A clear path to using only SA-hosted infrastructure (Phase 5b roadmap)
If you choose not to consent to cross-border AI processing, you can use the platform with limited AI features (recipe lookup, RDI tracking) using only SA-hosted infrastructure.
6. Your rights under POPIA
You can at any time:
1. Access your data — download a complete copy via /me/data-export
2. Correct inaccurate data — through Settings or by emailing privacy@stormberg.co.za
3. Delete your account — via Settings (soft-delete immediate, hard-delete after 30 days)
4. Object to specific processing — e.g., revoke marketing consent
5. Withdraw consent at any time
6. Complain to the Information Regulator at https://inforegulator.org.za
7. Data security
- Encryption in transit (TLS 1.3 on all endpoints)
- Encryption at rest (LUKS volume encryption + column-level for Special Personal Information)
- Access controls (no employee accesses production data without logged justification)
- Annual security audit
- Incident reporting: data breaches reported to Information Regulator + affected users within 72 hours
8. Children
The platform is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll delete their account.
9. Retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account (+30 day grace) |
| Chat conversations | Until you delete your account or per-session deletion |
| Meal logs | 5 years (for longitudinal coaching) |
| Voice recordings | 24 hours (auto-deleted) |
| Consent log | Indefinitely (audit trail requirement) |
| Payment records | 7 years (SA tax law) |
| Inactive accounts | Soft-deleted after 36 months of inactivity |
10. Cookies
We use:
- Essential cookies (session, security) — no consent required
- Analytics cookies (Plausible, self-hosted, no personal data) — opt-in

We do NOT use third-party tracking cookies (Google Analytics, Meta Pixel, etc.)
11. Updates to this policy
We'll notify you of material changes via email + in-app banner. Continued use after the effective date constitutes acceptance.
12. Contact
Information Officer: privacy@stormberg.co.za | postal address [TO_BE_ADDED]