This Privacy Policy explains how Astrium Software Solutions CC (Registration Number 2002/061588/23) ("Astrium", "we", "us", or "our") collects, uses, stores, and protects personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA").
1. Information Officer
Our designated Information Officer responsible for POPIA compliance is:
2. What Personal Information We Collect
Depending on how you interact with us, we may collect:
- Website visitors: Name, email address, phone number, and message content submitted via our contact form.
- SaaS subscribers: Name and email address provided during account registration.
- Astrium Connect users: Organisation name, team member details, contact databases you upload or create, and conversation content between you and your customers.
3. Purpose of Processing
We process personal information for the following purposes:
- Providing and maintaining our software products and services
- Processing payments and managing subscriptions
- Responding to enquiries submitted through our website
- Sending service-related communications (account notifications, security alerts)
- Improving our products and user experience
- Complying with legal and regulatory obligations
4. Legal Basis for Processing
We process personal information on the following grounds as permitted by POPIA:
- Consent: Where you have given us explicit consent (e.g. submitting a contact form)
- Contract: Where processing is necessary to perform our obligations under a service agreement
- Legal obligation: Where we are required to process information by law
- Legitimate interest: Where processing is necessary for our legitimate business interests, provided your rights are not overridden
5. Data Sharing
We do not sell, rent, or share your personal information with third parties for marketing purposes. Your data may be shared with the following categories of service providers solely for the purpose of delivering our services:
- Payment processors: To process subscription payments (e.g. Paystack, Netcash)
- Cloud infrastructure providers: For hosting and data storage
- Meta (WhatsApp Cloud API) & Telegram: For message delivery in Astrium Connect
- AI providers (OpenAI / Anthropic): For AI bot processing in Astrium Connect, when enabled by the customer
All third-party processors are contractually bound to protect your data.
6. Cross-Border Transfers
Some of our third-party processors may store or process data outside South Africa. Where this occurs, we ensure that adequate safeguards are in place as required by Section 72 of POPIA, including contractual protections and ensuring that the recipient country has adequate data protection laws or that the transfer falls within a POPIA exemption.
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Contact form submissions: Retained for up to 12 months after the enquiry is resolved
- Active account data: Retained for the duration of your subscription plus 90 days
- Conversation data: Retained for the duration of your subscription; deleted within 90 days of account closure
- Payment records: Retained for 5 years as required by tax legislation
8. Your Rights Under POPIA
As a data subject, you have the right to:
- Access: Request confirmation of what personal information we hold about you
- Correction: Request that inaccurate or incomplete information be corrected
- Deletion: Request that your personal information be deleted where it is no longer necessary
- Object: Object to the processing of your personal information on reasonable grounds
- Data portability: Request your personal information in a structured, machine-readable format
- Withdraw consent: Withdraw previously given consent at any time
- Complaint: Lodge a complaint with the Information Regulator if you believe your rights have been infringed
To exercise any of these rights, contact our Information Officer at cornebeukes@astrium.co.za. We will respond within 30 days.
9. Security Measures
We implement appropriate technical and organisational measures to protect personal information, including:
- AES-256-GCM encryption for sensitive tokens and credentials
- HMAC-SHA-256 webhook signature verification
- PostgreSQL Row-Level Security for tenant data isolation
- Role-based access control across all systems
- JWT-based authentication with secure token handling
- Regular security reviews and updates
10. Data Breach Notification
In the event of a personal information breach that poses a risk to data subjects, we will:
- Notify the Information Regulator as soon as reasonably possible
- Notify affected data subjects as required by Section 22 of POPIA
- Take immediate steps to contain and remediate the breach
11. Cookies and Analytics
Our website uses localStorage to remember your theme preference (light/dark mode). We do not use tracking cookies or third-party analytics on this website.
12. Children's Information
Our services are not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via our website and email to active subscribers. The "Last updated" date at the top of this policy indicates when it was last revised.
14. Contact
For questions about this Privacy Policy or to exercise your data protection rights:
15. Information Regulator
If you are not satisfied with how we handle your personal information, you may lodge a complaint with the Information Regulator: