Privacy Policy
Version: 2026-06-19 · Effective: 21 June 2026
This policy explains what data we collect, why, who we share it with, and what rights you have. We comply with POPIA (South Africa) and GDPR (EU/UK).
1. Controller
doubleBaRRiL (Pty) Ltd, Gauteng, South Africa. Data protection contact: [email protected].
2. What we collect
- Account data: first/last name, email, hashed password, company, primary website
- Site & audit data: domains you add, crawl results, issues detected, integration metadata
- Integration OAuth tokens: Google Search Console, Bing Webmaster Tools, Google Business Profile, GA4, Microsoft 365 — all encrypted at rest
- Billing: plan, billing cycle, last 4 digits of the card (via Payfast — we never see card PANs). Payfast is the payment processor; they hold the card data, not us
- Usage telemetry: IP address, user-agent, page accessed, timestamps — used for security and to debug issues
- Support tickets: what you type + auto-captured page URL/referrer + plan/role snapshot
3. Why we process it (lawful basis)
- Contract — to give you the Service you signed up for
- Legal obligation — to keep invoice records (7 years per South African tax law)
- Legitimate interest — fraud detection, abuse prevention, product improvement
- Consent — non-essential cookies, marketing emails (you can opt out anytime in Settings → Notifications)
4. Sub-processors
We share data with these third parties only to operate the Service:
- Microsoft (Graph API, Azure) — transactional email + Bing data
- Google — Search Console, Business Profile, Analytics 4, PageSpeed Insights APIs (only with your OAuth consent)
- Payfast (South Africa) — payment processing
- Cloudflare — TLS termination, DDoS protection
- Elitehost (South Africa) — hosting
See our Data Processing Addendum for the full list with versions and locations.
5. Retention
- Account & site data — until you delete the account
- Audit results & issues — 12 months
- Error logs — 90 days (auto-pruned)
- Invoices & payment records — 7 years (legal requirement)
- Support tickets — 24 months after resolution
- Audit trail (admin actions) — append-only, retained for the lifetime of the account
6. International transfers
Microsoft Graph & Cloudflare may process data in regions outside South Africa, including the EU and the US. We rely on Standard Contractual Clauses and equivalent safeguards.
7. Your rights
POPIA & GDPR give you the right to:
- Access — export your data at Settings → Privacy & data → Export my data
- Correct — edit your profile in Settings
- Delete — close your account at Settings → Privacy & data → Delete my account
- Object or restrict — email [email protected]
- Complain — to the South African Information Regulator (inforegulator.org.za) or your EU/UK data-protection authority
8. Security
HTTPS everywhere. Passwords hashed with Argon2. Integration secrets encrypted with AES-256. Optional 2FA (TOTP). Failed-login rate limiting. Cloudflare Turnstile on signup. Audit log of all admin actions, append-only at the database level.
9. Cookies
See our Cookies notice for the full inventory and your preferences.
10. Changes
Material changes get email notice + an in-app re-acceptance prompt.