Privacy Policy
Effective date: 11 April 2026 • Last updated: 11 April 2026 • Version: 1.0
This Privacy Policy explains how Sociaal (Pty) Ltd ("Sociaal", "we", "us", or "our") collects, uses, stores, shares, and protects your personal information. It applies to all users of our platforms, including sociaal.co.za and sca.al (collectively, "the Platform").
We are committed to processing your personal information lawfully and in accordance with the Protection of Personal Information Act, No. 4 of 2013 ("POPIA") and, where applicable, the Consumer Protection Act, No. 68 of 2008 ("CPA").
Please read this Policy carefully. By using the Platform, you acknowledge that you have read and understood how we handle your personal information. If you do not agree with this Policy, you should stop using the Platform immediately.
Contents
Part A — Who We Are
Part B — What We Collect
Part C — Why We Collect It
Part D — How We Share It
Part E — Cross-Border Transfers
Part F — Retention
Part G — Security
Part H — Cookies & Tracking
Part I — Your Rights
Part J — Direct Marketing
Part K — Automated Decisions
Part L — Children
Part M — Platform-Specific
Part N — General
Part A — Who We Are and How to Contact Us
1. About Sociaal
Sociaal is a South African creator monetisation platform. We connect content creators with their fans and brands. Our services include link-in-bio profile pages, fan tipping and subscription management, digital product sales, a campaign marketplace connecting creators with brands, a creator directory, short-link management (via sca.al), and content performance analytics.
2. Our Details
Responsible Party (as defined in POPIA):
Sociaal (Pty) Ltd
[Registered Address]
South Africa
Information Officer:
[Full Name of Information Officer]
Email: privacy@sociaal.co.za
Telephone: [Telephone Number]
The Information Officer is the person designated in terms of POPIA to ensure that Sociaal complies with its obligations under the Act.
3. The Information Regulator
You have the right to lodge a complaint with South Africa's supervisory authority:
Website: www.inforegulator.org.za
General enquiries: enquiries@inforegulator.org.za
Complaints: complaints.IR@justice.gov.za
Telephone: 012 406 4818
Part B — What Personal Information We Collect
We collect different categories of personal information depending on how you use the Platform and what role you hold (creator, fan, or brand).
4. Account Information
Collected from all registered users: full name, email address, password (stored as a one-way cryptographic hash — we never store your actual password), phone number (where provided), account creation date, and your role on the Platform (creator, fan, or brand).
5. Profile Information
Collected from creators who set up a public profile: display name or username, profile biography, avatar or photo, social media handles, location (if voluntarily provided), website URL, custom link-in-bio content, and theme and display preferences.
6. Financial Information
Collected from creators who receive payouts and from fans or brands who make payments: bank account details (for payout disbursement), transaction history, payout records, payment method tokens (managed by Paystack — we do not store full card numbers), and VAT registration number (for brands, where applicable).
7. Creator Data
Uploaded content (videos, images, digital products), earnings and revenue data, subscriber lists, campaign participation history, creator score, and CSV export records.
8. Brand Data
Company name, company registration number, campaign briefs and creative requirements, campaign spend history, creator relationship history, and contact person details.
9. Fan Data
Subscription history, purchase history, tip history (amounts and recipients), and watchlist and favourite creators.
10. Connected Social Platform Data
When creators voluntarily connect a third-party social media account (such as Instagram or TikTok) via OAuth, we access the following data with the creator's explicit permission:
- Profile information: username, display name, biography, profile picture URL, follower count, following count, and post count.
- Media and engagement data: recent posts with like counts and comment counts, used to calculate engagement rate and display verified analytics.
- Access tokens: encrypted OAuth tokens used to access the creator's data on their behalf. Tokens are refreshed automatically and can be revoked by the creator at any time by disconnecting the account in their dashboard settings.
We do not: post, modify, or delete content on connected accounts; access private messages; access private or archived content; or share connected account data with third parties.
How this data is used: to display verified metrics on the creator's dashboard and public media kit page, to calculate engagement scores for the creator directory, and to provide brands with verified creator analytics for campaign evaluation.
Data deletion: when a creator disconnects a social account, the OAuth token is deleted immediately. Historical snapshots (follower counts and engagement metrics) are retained for trend analysis but can be fully deleted upon request by emailing privacy@sociaal.co.za. If a user deauthorizes Sociaal from within the social platform (e.g. Instagram Settings > Apps and Websites), we process the deauthorization callback and delete the connection and tokens automatically.
11. Technical and Usage Data
Collected automatically: IP address (stored in hashed form only), browser type and version, device type and operating system, referring URL, pages visited and links clicked on sca.al, session duration, and user agent string (stored in hashed form).
12. Cookie and Authentication Data
A JWT authentication token, stored in an HttpOnly cookie in your browser after login, and session state data.
Part C — Why We Collect Your Personal Information
12. Purposes of Processing and Lawful Basis
We only collect and use your personal information for specific, legitimate purposes:
| Category | Purpose | Lawful Basis |
|---|---|---|
| Account info | Create and manage your account; authenticate identity | Contract |
| Account info | Prevent fraud and unauthorised access | Legitimate interest |
| Profile info | Display your public creator profile page | Contract; consent |
| Financial info (creators) | Process payouts to your bank account | Contract; legal obligation |
| Financial info (fans/brands) | Process payments via Paystack | Contract |
| Transaction history | Maintain financial records; earnings reports; support disputes | Contract; legal obligation |
| Creator data — earnings CSV | Enable you to self-report income to SARS | Contract; legitimate interest |
| Brand data | Match brands with creators; manage campaigns | Contract |
| Fan data | Enable subscriptions, tipping, and digital product access | Contract |
| Technical data | Maintain security; investigate abuse; aggregate analytics | Legitimate interest |
| sca.al click data | Track short-link performance; provide analytics | Legitimate interest; contract |
| JWT cookie | Maintain your authenticated session | Contract |
| Email (transactional) | Send account, payment, and campaign notifications | Contract |
| Email (marketing) | Send promotional communications | Consent (opt-in only) |
| Creator score inputs | Campaign marketplace matching algorithm | Legitimate interest; consent |
Part D — How We Share Your Personal Information
13. We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes.
14. Service Providers (Operators)
14.1 Paystack Payments Africa Ltd
Role: Payment processing and disbursement. Data shared: name, email, payment details, transaction amounts. Paystack is PCI-DSS certified.
14.2 Cloudflare, Inc.
Role: Content delivery network (CDN), media hosting (Cloudflare Stream), and DDoS protection. Data shared: IP addresses (in transit), uploaded media files, web traffic.
14.3 Email Service Provider
Role: Transactional email delivery. Data shared: name, email address, and content of transactional notifications.
15. Legal Disclosure
We may disclose your personal information to law enforcement agencies, courts, or government authorities when required by law or valid legal process, or when we believe disclosure is necessary to protect the rights, property, or safety of Sociaal, our users, or the public.
16. Tax Reporting
Sociaal is not a tax agent and does not submit tax filings on behalf of creators. Creators are solely responsible for declaring their own income to SARS. We provide CSV data exports to assist you. You should consult a tax professional regarding your obligations.
Part E — Cross-Border Transfers
17. Processing Outside South Africa
POPIA Section 72 restricts the transfer of personal information to countries outside South Africa unless adequate protections are in place. Some of our service providers operate data centres outside South Africa:
- Cloudflare, Inc. — Headquartered in San Francisco, USA. Data may be processed in data centres outside South Africa. Cloudflare maintains standard contractual clauses.
- Paystack Payments Africa Ltd — Operates primarily in Africa. Transaction data may be processed on infrastructure outside South Africa.
We take reasonable steps to ensure cross-border transfers are subject to enforceable protections substantially equivalent to POPIA's.
Part F — How Long We Keep Your Information
18. Data Retention
| Category | Retention Period | Reason |
|---|---|---|
| Account info (active) | Duration of account + 3 years after closure | Fraud prevention; legal disputes |
| Account info (inactive) | 2 years of inactivity, then deleted after notice | Storage limitation |
| Profile information | Deleted within 30 days of account closure | Contract |
| Financial transaction records | 5 years from the date of the transaction | SARS record-keeping (Tax Administration Act) |
| Bank account details | Deleted within 30 days after payout or account closure | Minimisation |
| Creator earnings and payouts | 5 years | Tax and legal compliance |
| sca.al click analytics (hashed) | 13 months (rolling) | Analytics comparison |
| Page view data (aggregate) | 13 months (rolling) | Analytics |
| JWT cookies | Session-based; max 30 days | Security |
| Email records | 3 years | Legal and dispute resolution |
| Uploaded media | Deleted within 60 days of account closure | Contract |
| Support correspondence | 3 years from resolution | Legal and quality |
Part G — How We Protect Your Information
19. Security Measures
Technical safeguards:
- All data transmitted between your browser and our servers is encrypted using HTTPS (TLS 1.2 or higher)
- Passwords are stored as one-way cryptographic hashes (bcrypt)
- JWT authentication tokens are stored in HttpOnly cookies, preventing access by client-side scripts
- IP addresses used for click analytics are hashed using a daily-rotating salt — the original IP is never stored
- Cloudflare provides DDoS protection and WAF at the network perimeter
- Payment card data is never stored on our servers — all card processing is handled by Paystack (PCI-DSS certified)
Organisational safeguards:
- Access to personal information is restricted on a need-to-know basis
- Staff handling personal information are subject to confidentiality obligations
No system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@sociaal.co.za.
Data breach notification: In the event of a security compromise likely to prejudice you, we will notify you and the Information Regulator as required by POPIA Section 22.
Part H — Cookies and Tracking
20. Cookies and Tracking Technologies
20.1 Authentication Cookie (JWT)
When you log in, we set a single HttpOnly cookie containing a signed JSON Web Token. This cookie is essential for the platform to function, is marked HttpOnly and Secure, expires at the end of your session (or max 30 days with "remember me"), and cannot be used for cross-site tracking. We do not use advertising cookies, third-party tracking pixels, or behavioural retargeting cookies.
20.2 sca.al Click Tracking
When someone clicks a short link on sca.al, we record the time, target link, referring URL, and a hashed version of the user agent and IP address. The hashing uses a daily-rotating salt combined with an application secret — the raw IP address is never stored. This means we can detect duplicate clicks within a single day but cannot re-identify visitors across days.
20.3 Page View Beacons
Public creator profile pages send a lightweight page view beacon to record aggregate page views. No personally identifying information is sent in the beacon payload.
20.4 No Third-Party Advertising Tracking
We do not embed Facebook Pixel, Google Ads tags, TikTok Pixel, or any other third-party advertising or behavioural tracking technology on our Platform.
Part I — Your Rights as a Data Subject
21. Your Rights Under POPIA
You can exercise these rights by contacting our Information Officer at privacy@sociaal.co.za. We will respond within 30 days.
- Right to Access (Section 23): Ask whether we hold personal information about you and request a copy.
- Right to Correction (Section 24): Request correction of inaccurate, incomplete, or misleading information.
- Right to Deletion: Request deletion where the information is no longer necessary, consent is withdrawn, or processing was unlawful.
- Right to Object (Section 11(3)): Object on reasonable grounds to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing.
- Right to Complain: Lodge a complaint with the Information Regulator (see Section 3 above).
How to exercise your rights: Email privacy@sociaal.co.za with subject line "Data Subject Rights Request — [Your Name]". We may verify your identity before processing.
Part J — Direct Marketing
22. Direct Marketing and Opt-In Consent
We will only send you direct marketing communications where you have given explicit prior consent, as required by POPIA Section 69.
Transactional emails are not marketing: Emails necessary for account operation (subscription confirmations, payout receipts, password resets, campaign updates) are sent as part of our contractual obligations.
Opting out: Unsubscribe via the link in any marketing email, update your notification preferences in account settings, or email privacy@sociaal.co.za. We will process your opt-out within 5 business days.
Part K — Automated Decision-Making
23. Creator Scoring and Algorithmic Matching
What it is: A numerical rating calculated automatically based on your Sociaal account data, used to rank and recommend creators to brands in the campaign marketplace.
Inputs: Social media follower counts, profile completeness, campaign performance history, platform activity consistency, and content category.
How it affects you: The score influences visibility in brand search results and campaign invitations. It does not affect access to other features (tipping, subscriptions, link-in-bio).
Your rights: Request a description of how your score is calculated (privacy@sociaal.co.za), request human review of any decision, or opt out of the marketplace entirely through your account settings.
Part L — Children
24. Children and Minors
The Platform is intended for users who are 18 years of age or older. Users aged 16 or 17 may access the Platform only with the verifiable consent of a parent or legal guardian (POPIA Section 35). We do not knowingly collect personal information from children under 16. If we become aware of such collection, we will delete it promptly.
Part M — Platform-Specific Disclosures
25. sca.al Short-Link Service
sca.al is a companion service to sociaal.co.za providing short-link redirection and public creator profile pages. Click data is recorded as described in Section 20.2. Public profile pages are visible to anyone on the internet — information you add to your public profile is genuinely public. Tip button links use HMAC cryptographic signatures to prevent tampering.
26. Cloudflare Stream Video Hosting
Videos uploaded to the Platform are hosted on Cloudflare Stream. Cloudflare may log viewer IP addresses at the CDN level for delivery and security purposes. We do not have access to viewer-level playback logs.
Part N — General Provisions
27. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated Policy with a revised "Last Updated" date and send a notification to your registered email at least 14 days before the changes take effect.
28. Complaints and Disputes
If you have a concern about how we have handled your personal information, contact our Information Officer at privacy@sociaal.co.za. We will investigate and respond within 30 days. If unsatisfied, you may escalate to the Information Regulator.
29. Governing Law
This Privacy Policy is governed by the laws of the Republic of South Africa.
30. Definitions
- "Personal information" — as defined in POPIA Section 1
- "Processing" — any operation performed on personal information
- "Responsible party" — Sociaal (Pty) Ltd
- "Operator" — a third party processing data on our behalf (e.g., Paystack, Cloudflare)
- "Data subject" — you, the individual whose information is processed
- "POPIA" — Protection of Personal Information Act, No. 4 of 2013
- "Information Regulator" — the regulatory authority established under POPIA
Contact: For any privacy-related queries, contact our Information Officer at privacy@sociaal.co.za. For complaints, you may also contact the Information Regulator at complaints.IR@justice.gov.za or 012 406 4818.