Privacy Policy
Contents
- Who We Are
- What Data We Collect
- How We Collect Data (incl. Cookies, Analytics & Live Chat)
- Purpose of Processing
- Legal Basis for Processing
- Data Sharing & Third Parties
- Cross-Border Data Transfers
- Data Retention
- Data Subject Rights
- Security Measures
- Automated Decision-Making
- Children's Privacy
- Changes to This Policy
- Complaints & Regulator Contact
- Information Officer Contact
- POPIA Conditions Compliance Map
1. Who We Are
Toutouwai provides a managed Hermes AI agent subscription service. We are the Responsible Party (as defined in section 1 of POPIA) for the processing of your personal information.
Legal entity: Daniel Donaldson Digital Pty Ltd, trading as Toutouwai
Contact: [email protected]
2. What Data We Collect
2.1 Account Data (all tiers)
| Data Category | Specific Items | Purpose |
|---|---|---|
| Identity | First and last name, email address, Telegram user ID (once a Telegram agent is connected) | Account creation, authentication |
| Authentication | Email address and a hashed password (Argon2id — we never store your plaintext password), or a linked Google account (OAuth); a device fingerprint derived from your browser/session, bound to your login | Secure sign-in, session/refresh-token binding, fraud and account-takeover prevention |
| Contact | Email address; Telegram handle (if connected) | Verification emails, password resets, support, billing |
| Payment | Card token — card details stored by DodoPayments, our merchant of record | Billing records |
| Technical | IP address, usage metrics, error logs, and the cookies described in §3.2 | Service monitoring, security, session management |
2.2 Web dashboard & authentication
You create and manage your account through our web dashboard using an email address and password, or by signing in with Google (OAuth). We collect the data needed to operate that authentication securely: your email, a one-way hash of your password, OAuth identifiers from Google if you link it, and a device fingerprint we bind to your session to detect token theft. We use Cloudflare Turnstile on sign-in and sign-up forms to distinguish humans from bots; Turnstile is provided by Cloudflare and may process limited technical signals from your browser for that purpose.
3. How We Collect Data
3.1 Sources
- Directly from you: When you create an account on the web dashboard, sign in (email/password or Google), provide your API key, connect a Telegram agent, send messages to your agent, or configure tasks
- Automatically: Usage metrics, error logs, container performance data, and the device fingerprint and cookies described below
- From third parties: Payment confirmation references (no full card or banking details), and, if you sign in with Google, your basic Google profile and verified email
What we do NOT collect:
- We do not sell your personal information to anyone
- We do not collect browsing history or location data beyond IP address
- We do not use advertising or cross-site tracking cookies
3.2 Cookies, analytics & live chat
Essential cookies. When you sign in, we set strictly-necessary cookies to keep you authenticated: an auth_token session cookie, a refresh-token cookie used to renew your session, and a CSRF-protection cookie. These are required for the Service to function and are not used for tracking. We also store a small theme and consent preference in your browser's local storage.
Optional analytics. On our public website we use a privacy-friendly, self-hosted analytics tool (hosted by us at tracking.danieldonaldson.co.za) to understand aggregate site usage. It is loaded only if you accept via the consent banner.
Optional live chat. We offer a live-chat widget powered by Chatwoot (self-hosted by us at chatwoot.toutouwai.com) for support. On the public site it loads only if you accept the consent banner; in the dashboard it likewise loads only after you accept, and, if loaded, is associated with your account so we can assist you. You can decline either at any time.
Presentational assets. Our public site loads an emoji-rendering script (twemoji) from the jsDelivr CDN. It sets no cookies and performs no tracking; because it is purely presentational it is not gated by consent, but using it means the CDN receives your IP address as with any embedded resource.
You can change or withdraw consent for the optional analytics and live chat at any time by clearing the site data / consent preference in your browser, which re-displays the consent banner.
4. Purpose of Processing
| Processing Activity | Purpose | Lawful Basis |
|---|---|---|
| Account management | Operate your account, authenticate you | Contract performance |
| Billing | Process payments, send invoices, maintain payment records | Contract performance / Legal obligation |
| Agent execution | Process your requests, generate responses, run scheduled tasks | Contract performance |
| Service improvement | Diagnose issues, improve performance, monitor usage | Legitimate interest |
| Legal compliance | Comply with POPIA, CPA, ECTA, tax law | Legal obligation |
| Direct marketing | Notify you of new features, updates, promotions (optional) | Consent (opt-in) |
We only send transactional messages (billing notices, service updates) as part of the Service. Marketing communications require your explicit opt-in consent in compliance with POPIA s 69.
5. Legal Basis for Processing
| Basis | Application | POPIA Condition |
|---|---|---|
| Contract performance | Account management, agent execution, billing | s 11(1)(a) — necessary for performance of a contract |
| Consent | Managed memory (Aerie), cross-border transfers, marketing | s 11(1)(a) — free, specific, informed consent |
| Legitimate interest | Service improvement, fraud prevention, security monitoring | s 11(1)(f) — balanced against data subject rights |
| Legal obligation | SARS record-keeping, POPIA compliance obligations | s 11(1)(b) — required by law |
6. Data Sharing & Third Parties
| Third Party | Data Shared | Purpose | Location |
|---|---|---|---|
| Managed LLM provider (Fledgling & Aerie, via our managed proxy) | Conversation text, model selection, usage data | LLM query processing | International |
| Your chosen LLM provider (Nest BYOK — e.g. OpenRouter, OpenAI, Anthropic) | Conversation text, API key usage | LLM query processing | Varies by provider |
| Telegram | Telegram ID, messages | Messaging interface | Global infrastructure |
| Google (OAuth) | Your Google identifier and verified email — only if you choose "Sign in with Google" | Authentication / sign-in | US / global |
| Cloudflare (Turnstile) | Limited browser/technical signals on sign-in & sign-up forms | Bot / abuse prevention | Global |
| DodoPayments (merchant of record) | Billing details, payment-card token (no full card data) | Payment processing, invoicing & sales tax/VAT | Varies by region |
| Email / SMTP provider | Your email address and message content (verification codes, password-reset and magic links) | Transactional email delivery | Varies |
| Self-hosted analytics & Chatwoot (live chat) | Aggregate site-usage events; chat messages and your account association — only with consent (see §3.2) | Product analytics & support | Operated by us |
| Hosting provider | Container data at rest, logs | Cloud hosting | Varies |
What we do NOT share:
- We do not sell your personal information to any third party
- We do not share data for advertising or marketing purposes
- We do not share data with law enforcement except as required by valid legal process
BYOK note: When subscribers provide their own API key, conversation data is transmitted directly to the subscriber's chosen LLM provider. Toutouwai has no control over and accepts no liability for that provider's data handling practices. Review your chosen provider's privacy policy before use.
7. Cross-Border Data Transfers
7.1 By using the Service, you consent to the transfer of your personal information to the following jurisdictions as necessary to provide the Service:
- International: our managed LLM provider's servers (LLM query processing for managed Fledgling & Aerie tiers)
- Germany / Finland: Cloud hosting (container data at rest)
- Any jurisdiction where Telegram maintains messaging infrastructure
7.2 POPIA s 72 compliance: We rely on the following transfer mechanisms:
- Your explicit consent (obtained via these Terms)
- The necessity of transfer for performance of the Service contract
- Where applicable, adequacy determinations or binding corporate rules of our operators
7.3 Risk disclosure: Some of our Operators (our managed LLM provider, Telegram) may transfer data to jurisdictions that do not have the same data protection laws as South Africa. By using the Service, you acknowledge this risk and consent to such transfers.
7.4 Nest BYOK subscriber note: When you provide your own API key, your conversation data is transmitted directly to your chosen LLM provider, which may be located in any jurisdiction. Toutouwai has no control over and accepts no liability for that provider's data handling practices. You should review your chosen provider's privacy policy before use.
8. Data Retention
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data | Account lifespan + 90 days | Service provision |
| Payment records | 5 years | Tax requirements |
| Logs & metrics (technical) | 90 days | Service monitoring |
| Deleted account data | Purged within 30 days | Data subject right |
9. Data Subject Rights
Under POPIA, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your personal data | Dashboard → Settings → "Export my data", or contact our Information Officer |
| Correction | Correct inaccurate or incomplete data | Via your agent or by contacting us |
| Deletion | Request deletion of your data | Dashboard → Settings → "Delete account" (a 14-day grace period applies, during which you can cancel; after it your account and associated data are anonymised/purged) |
| Objection | Object to processing on legitimate interest grounds | Contact our Information Officer — processed within 21 days (POPIA s 73) |
| Restriction | Restrict processing while a dispute is resolved | Contact our Information Officer |
| Portability | Request data in a machine-readable format | Dashboard → Settings → "Export my data" (downloads JSON) |
| Withdraw consent | For processing based on consent (e.g. analytics, live chat) | Re-open the cookie consent banner (clear site data) to decline, opt-out via your agent, or contact us |
Response time: We will respond within 30 days (POPIA-compliant). The response period may be extended by a further 30 days if the request is complex or high-volume — we will inform you if this applies.
No fee: Exercising your rights is free unless the request is manifestly unfounded, excessive, or repetitive, in which case a reasonable fee may be charged.
10. Security Measures
Technical
- Container isolation (Docker with --cap-drop ALL, no-new-privileges, user namespace remapping)
- Encrypted storage for API keys (Nest BYOK)
- Read-only container filesystem with tmpfs for runtime data
- Per-tenant isolated bridge networks — no inter-container communication
- Outbound-only network access from containers
- TLS/SSL for all external communications
- Regular security updates and container rebuilds
- Rate limiting on API endpoints
- Container resource caps (memory, CPU) per tier
Organisational
- Information Officer appointed (POPIA s 55)
- Data breach response procedure documented
- Staff trained on data protection obligations
- Operator assessments conducted at onboarding and annually
- Access to production data limited to essential personnel
Breach Notification (POPIA s 22)
In the event of a personal information breach, we will:
- Notify the Information Regulator as soon as reasonably possible after discovery
- Notify affected data subjects if there is a reasonable basis to believe the breach may adversely affect their rights
- Provide: description of the breach, steps taken, recommendations to mitigate harm
- Take all reasonable steps to contain and remediate the breach
11. Automated Decision-Making (POPIA s 71)
11.1 The Hermes agent makes automated decisions based on your instructions. This is the core service feature — your agent processes requests and generates responses autonomously.
11.2 The memory "deriver" component synthesises patterns from your conversation history to improve future responses. This is an automated process that learns from your data.
11.3 You have the right to:
- Request human intervention in agent decisions
- Contest automated decisions
- Opt out of automated memory synthesis
11.4 No fully automated decisions that produce legal effects (POPIA s 71) are made without human oversight. Subscription billing is automated as standard business practice but does not produce legal effects concerning the data subject.
12. Children's Privacy
12.1 The Service is not directed at children under 13.
12.2 If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly.
12.3 In accordance with the Children's Act 38 of 2005, we do not knowingly collect personal information from minors without parental consent.
13. Changes to This Policy
13.1 We may update this Privacy Policy with 30 days' notice.
13.2 Material changes will be communicated via Telegram and/or email.
13.3 Continued use after changes take effect constitutes acceptance of the updated policy.
13.4 We will maintain an archived copy of previous versions upon request.
14. Complaints & Regulator Contact
If you believe we have processed your personal information unlawfully, you may lodge a complaint with:
Information Regulator (South Africa)
Website: www.inforegulator.org.za
Email: [email protected]
Phone: +27 (0)10 023 5200
Physical: SALU Building, 315 Thabo Sehume Street, Pretoria
We ask that you first contact our Information Officer at [email protected] to resolve the issue informally. We commit to responding to any complaint within 7 business days.
15. Information Officer Contact
| Role | Details |
|---|---|
| Information Officer | Founder |
| Email | [email protected] |
| Response commitment | 7 business days for initial response |
16. POPIA Conditions Compliance Map
| # | Condition | Where Addressed | Status |
|---|---|---|---|
| 1 | Accountability (s 8) — Ensure all conditions are met. Appoint Information Officer. | §1, §15 | ✓ Information Officer appointed (Daniel Donaldson). |
| 2 | Processing Limitation (ss 9–12) — Collect only what's necessary. Get consent. Process lawfully. | §2, §3, §4, §5 | ✓ Data collection is tier-specific and minimal. |
| 3 | Purpose Specification (ss 13–14) — Collect for one specific, defined purpose. | §4 | ✓ Processing purposes are explicitly defined per activity. |
| 4 | Further Processing Limitation (s 15) — Secondary use must be compatible with original purpose. | §4, §6 | ✓ We do not repurpose data. Any secondary use requires fresh consent. |
| 5 | Information Quality (s 16) — Keep data accurate and up to date. | §9 | ✓ Users can correct their data. |
| 6 | Openness (ss 17–18) — Maintain documentation. Privacy Policy must be available. | This document, §16 | ✓ This policy is publicly available. |
| 7 | Security Safeguards (ss 19–22) — Implement technical and organisational security. Breach notification. | §10 | ✓ Container isolation, encryption, access controls, breach procedure documented. |
| 8 | Data Subject Participation (ss 23–25) — Allow access, correction, and deletion. | §9 | ✓ Full data subject rights framework with response commitments. |