Privacy Policy (POPIA)

Information Officer

As required by POPIA, our designated Information Officer can be contacted for any privacy-related queries, access requests, or complaints:

• Email: privacy@mafutai.co.za
• Postal: MafutaAI (Pty) Ltd, Johannesburg, South Africa

You may also lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

Information We Collect

• Account information: email address, name, and authentication credentials.
• Billing data: payment method details (processed by third-party payment processors — we do not store full card numbers), transaction history, Token balances, and invoices.
• Usage metadata: rental records, Instance start/stop times, GPU selection, template choices, and billing totals.
• Technical logs: IP addresses, browser user-agent strings, node identifiers, API access logs, and security events.
• Telemetry: GPU temperature, utilisation, and power metrics from Provider hardware (no Customer workload data).
• Communications: support tickets, emails, and chat messages you send to us.

We do not inspect Customer code, datasets, or model weights beyond automated abuse detection.

Lawful Basis for Processing

Under POPIA section 11, we process Personal Information on the following grounds:

• Consent: where you have given explicit consent (e.g., marketing communications).
• Contract: processing necessary to fulfil our agreement with you (e.g., billing, provisioning Instances).
• Legal obligation: processing required by South African law (e.g., tax records, financial reporting).
• Legitimate interest: processing for platform security, fraud prevention, and service improvement, balanced against your rights.

How We Use Information

• Provide, maintain, and improve the Platform, including provisioning and billing rentals.
• Process payments, issue refunds, and compensate Providers.
• Secure the Platform, detect abuse, and investigate security incidents.
• Communicate with you about your account, service updates, and (with consent) marketing.
• Comply with legal obligations, including tax reporting and financial record keeping.
• Generate aggregated, anonymised statistics about Platform usage (which are not Personal Information).

Data Sharing

We may share Personal Information with:

• Payment processors and banks that help us collect or disburse funds (e.g., Stripe).
• GPU Providers — limited billing context only (rental ID, duration). We never share your code, datasets, or model outputs with Providers.
• Infrastructure providers — hosting, monitoring, and email delivery services that process data on our behalf under written agreements.
• Legal authorities — when required by South African law, court order, or to protect the rights, safety, or property of Mafutai or others.
• Professional advisors — lawyers, auditors, and insurers where necessary.

We do not sell Personal Information. We do not share Personal Information with advertisers.

Cookies & Tracking

• Essential cookies: session tokens, CSRF protection, and authentication state. These are strictly necessary for the Platform to function.
• Preference cookies: theme, language, and UI preferences.
• Analytics: we may use privacy-respecting analytics to understand usage patterns. No data is shared with third-party advertisers.

You can manage cookie preferences via the cookie consent banner or your browser settings.

Cross-Border Transfers

Our primary infrastructure is located in South Africa. Where data is transferred outside South Africa (e.g., to payment processors or infrastructure providers), we ensure that:

• The recipient country has adequate data protection laws, or
• Appropriate contractual safeguards (such as standard contractual clauses) are in place, or
• You have provided explicit consent to the transfer.

This is in compliance with POPIA section 72.

Data Security

• All data in transit is encrypted with TLS 1.2 or higher.
• Sensitive data at rest (credentials, API keys) is encrypted using industry-standard algorithms.
• Access to production systems is restricted to authorised personnel with MFA.
• We conduct periodic security reviews and address vulnerabilities promptly.
• GPU Instances are isolated per Customer — no shared memory, no shared filesystems.

Data Retention

• Account data: retained while your account is active and for 12 months after closure.
• Billing/rental records: retained for 5 years as required by South African tax law (Income Tax Act, VAT Act).
• Security logs: retained for up to 12 months, or longer if needed for an ongoing investigation.
• Support communications: retained for 24 months after resolution.
• Customer workloads: deleted when an Instance is terminated. We do not retain copies of your code, data, or models after Instance shutdown.

Data Breach Notification

In the event of a data breach that poses a risk to your rights, we will:

• Notify the Information Regulator as required by POPIA section 22.
• Notify affected data subjects as soon as reasonably possible, describing the breach, the data involved, and the steps we are taking.
• Take immediate steps to contain the breach, assess its impact, and prevent recurrence.

Your Rights Under POPIA

You have the right to:

• Access: request confirmation of what Personal Information we hold about you and obtain a copy.
• Correction: request correction or deletion of inaccurate or outdated data.
• Deletion: request deletion of your Personal Information where we no longer have a lawful basis to retain it.
• Object: object to processing based on legitimate interest or for direct marketing purposes.
• Restrict: request that we restrict processing in certain circumstances.
• Portability: request an export of your Personal Information in a commonly used, machine-readable format.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact our Information Officer at privacy@mafutai.co.za. We will respond within 30 days.

Children's Data

The Platform is not intended for users under the age of 18. We do not knowingly collect Personal Information from children. If you believe a child has provided us with Personal Information, please contact us and we will delete it.

Automated Decision-Making

We may use automated processes for fraud detection, abuse prevention, and hardware verification. These processes may result in account suspension. You have the right to request human review of any automated decision that significantly affects you.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The "Effective date" at the top of this page indicates the latest revision.

Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including POPIA. Disputes fall under the jurisdiction of South African courts, subject to the dispute resolution process described in the Terms of Service.