Privacy Policy
Effective Date: 9 March 2026 · Version: alpha-v1
This Privacy Policy explains how SpatialEdge (Pty) Ltd (“SpatialEdge”, “we”, “us”), the operator of the EdgeLogic platform (“Platform”), collects, uses, stores, and protects your personal data.
We are committed to protecting your privacy in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa and, where applicable, the General Data Protection Regulation (GDPR) of the European Union.
1. Data Controller & Information Officer
SpatialEdge (Pty) Ltd
Republic of South Africa
Information Officer (POPIA): The head of SpatialEdge (Pty) Ltd serves as the Information Officer as contemplated in Section 55 of POPIA.
Contact: privacy@edgelogic.ai
If you are located in the European Economic Area (EEA) and have questions about how we process your personal data, please contact us at the address above. Given the current scale of our operations, we have not yet appointed an EU representative under GDPR Article 27, as our processing does not meet the thresholds requiring one. We will appoint a representative if and when required.
2. Information We Collect (POPIA Section 18 Notice)
In compliance with POPIA Section 18, we inform you that:
- The provision of your personal information is voluntary, but necessary to use the Platform. If you choose not to provide the required information, you will not be able to create an account or use the Service.
- We collect personal information under the authority of POPIA Section 11 (consent and contract performance) and, for EU data subjects, GDPR Article 6.
- Your personal data may be transferred to third parties and countries outside South Africa as described in sections 4 and 5 below.
2.1 Account Information
When you create an account, we collect information provided through our authentication provider (Clerk), including:
- Email address
- Full name
- Profile picture (if provided)
2.2 Content You Create
When you use the Platform, we store the content you create, including:
- Decisions and decision options
- Policies and governance frameworks
- Chat conversations with the AI assistant
- Knowledge base entries
- Projects and situations
- Comments and feedback
2.3 Usage Data
We automatically collect:
- Feature usage and interaction data (via Vercel Analytics) — anonymised, no cookies, GDPR-compliant by design
- AI conversation usage and credit consumption
- Login timestamps
- Terms acceptance records (timestamp and version)
2.4 Cookies & Local Storage
We do not use tracking cookies or third-party advertising trackers. However, essential cookies are set by our authentication provider (Clerk) to maintain your login session. For full details, see our Cookie Policy.
2.5 Data We Do Not Collect
- We do not sell your personal data to any third party.
- We do not use your data to train AI models.
- We do not use third-party advertising or behavioural tracking.
3. Lawful Basis for Processing
We process your data on the following legal bases under both GDPR and POPIA:
| Purpose | GDPR Basis (Art. 6) | POPIA Basis |
|---|---|---|
| Providing the Service | Contract performance (Art. 6(1)(b)) | Section 11(1)(b) — contract |
| AI processing of your content | Consent (Art. 6(1)(a)) via Terms acceptance | Section 11(1)(a) — consent |
| Service improvement & analytics | Legitimate interest (Art. 6(1)(f)) | Section 11(1)(f) — legitimate interest |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Section 11(1)(c) — legal obligation |
| Essential cookies (authentication) | Legitimate interest (Art. 6(1)(f)) | Section 11(1)(f) — legitimate interest |
4. Third-Party Processors
We share your data with the following third-party service providers, who process it on our behalf under data processing agreements. For a complete and current list, see our Sub-Processor List.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | Authentication & identity | Email, name, profile picture | United States |
| Anthropic | AI processing (Claude models) | Conversation content, decision data sent for analysis | United States |
| OpenAI | AI processing (GPT models) | Conversation content, decision data sent for analysis | United States |
| AI processing (Gemini models) & cloud infrastructure | Conversation content, decision data; database and application hosting | AI: United States; Infrastructure: South Africa (africa-south1) | |
| Vercel | Frontend hosting & analytics | Anonymised usage analytics, page views | Global CDN |
4.1 AI Data Processing
When you interact with the AI assistant, your conversation content (including decision context, options, and policy data) is sent to third-party AI providers for processing. Important details:
- Data is sent via API and is not used to train the AI providers’ models, as per their API data usage policies:
- Anthropic Privacy Policy — API Data Usage FAQ
- OpenAI Enterprise Privacy — Business Terms
- Google Cloud Data Processing Terms
AI providers may temporarily retain data for abuse monitoring and safety purposes, subject to their respective policies. We do not control provider retention periods but select providers with strong data protection commitments.
5. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States and South Africa. We ensure appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all third-party processors
- Technical security measures (encryption in transit and at rest)
Under POPIA Section 72, we ensure that any country to which personal information is transferred has adequate data protection laws or that the transfer is covered by binding agreements that provide an adequate level of protection.
6. Automated Decision-Making & AI
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
The Platform uses AI to generate advisory recommendations, but:
- No decisions are made solely by AI. All AI outputs are recommendations that require human review before action.
- The Platform is designed as a decision support tool, not a decision-making system.
- You retain full control over whether to accept, modify, or reject any AI-generated recommendation.
- You may contest any AI-assisted recommendation by applying your own professional judgement.
7. Data Retention
- Account data: Retained for as long as your account is active.
- Content data (decisions, policies, conversations): Retained for as long as your account is active.
- After account deletion: All personal data and content will be permanently deleted within 30 days of your deletion request.
- Backup retention: Encrypted database backups may retain data for up to 30 additional days after deletion, after which they are automatically purged.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the South African Information Regulator as required under POPIA Section 22, and any applicable EU supervisory authority under GDPR Article 33, without undue delay (and within 72 hours where feasible).
- Notify affected users directly if the breach is likely to result in a high risk to their rights and freedoms, as required under GDPR Article 34 and POPIA Section 22.
- Document the breach, its effects, and the remedial actions taken.
9. Your Rights
Under POPIA (Sections 23–25) and, where applicable, GDPR (Articles 15–22), you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data (“right to be forgotten”). |
| Portability | Request your data in a structured, machine-readable format. |
| Restriction | Request limitation of processing of your data. |
| Objection | Object to processing based on legitimate interest. |
| Withdraw Consent | Withdraw consent at any time (without affecting the lawfulness of prior processing). |
To exercise any of these rights, contact us at privacy@edgelogic.ai. We will acknowledge your request within 48 hours and respond substantively within 30 days.
10. Data Deletion
You may request complete deletion of your account and all associated data by emailing privacy@edgelogic.ai. Upon receiving your request, we will:
- Confirm your identity.
- Delete all personal data and content within 30 days.
- Notify relevant third-party processors to delete your data from their systems.
- Provide written confirmation of deletion.
11. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Database access controls and network security
- Regular security reviews
- Principle of least privilege for internal access
12. Children
The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Platform. We may require you to re-accept the updated policy before continuing to use the Service.
14. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- South Africa: The Information Regulator (inforegulator.org.za)
- EU/EEA: Your local data protection supervisory authority
15. Contact
For any questions or requests regarding this Privacy Policy, please contact: privacy@edgelogic.ai