SmartAlex POPIA Notice
1. About this Notice
This POPIA Notice explains how THERCSGROUP PTE. LTD., trading as SmartAlex, collects, uses, shares, and protects the personal information of data subjects in the Republic of South Africa, and the rights those data subjects have under the Protection of Personal Information Act, 2013. It is the South Africa specific companion to our general Privacy Policy. Where this Notice and the Privacy Policy differ on a matter governed by POPIA, this Notice prevails for South African data subjects.
This Notice serves two functions. First, it is our notification to data subjects under section 18 of POPIA, given at or before the point at which we collect personal information directly from you. Second, it is a standing transparency statement about our processing, our cross-border transfers, your rights, and how to complain. It applies whether you deal with us as a Customer, as an authorised user of a Customer account, as a prospect or website visitor, or as an End User whose personal information reaches us through a Customer's use of the Services.
This Notice does not, by itself, create a contract or vary the terms of any agreement between you and us. Your contractual relationship with us, if any, is governed by our Terms of Service and, where applicable, our Data Processing Addendum.
2. Definitions
The following defined terms are used in this Notice. Terms defined in POPIA carry the meaning given in POPIA unless this Notice states otherwise.
- POPIA means the Protection of Personal Information Act, 2013 (Act No. 4 of 2013), together with its regulations and any codes of conduct issued under it.
- PAIA means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).
- Personal information means information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person, as defined in section 1 of POPIA.
- Special personal information means the categories of personal information listed in section 26 of POPIA, namely information concerning a data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour to the extent set out in section 26.
- Biometric information has the meaning given in section 1 of POPIA and includes a technique of personal identification based on physical, physiological, or behavioural characterisation, which can include voice characteristics where they are used to identify a person.
- Data subject means the person to whom personal information relates.
- Responsible party means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. This corresponds to a controller under European law.
- Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that responsible party. This corresponds to a processor under European law.
- Processing has the meaning given in section 1 of POPIA and includes the collection, recording, organisation, storage, updating, use, dissemination, and erasure of personal information.
- SmartAlex, we, us, our means THERCSGROUP PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore, trading as SmartAlex.
- Services or Platform means the SmartAlex platform, websites, applications, and APIs through which Customers configure AI voice agents that place and receive telephone calls, run campaigns, manage contacts, and view analytics.
- Customer, you means the business that contracts for the Services. Where you are an individual using a Customer account, references to your obligations are to the Customer that operates the account.
- End User means an individual the Customer interacts with through the Services, for example a person the Customer calls or who calls a number operated through the Services.
- Subprocessor means a third party we engage to process personal information in connection with the Services.
- Information Regulator means the Information Regulator established under section 39 of POPIA.
3. Who we are, our Information Officer, and our PAIA manual
THERCSGROUP PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore (UEN / Registration No. 202543608D), with its registered office at 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, trading as SmartAlex, is the responsible party under POPIA when we process the personal information of a data subject in the Republic of South Africa for our own account, billing, security, and product-analytics purposes.
Where we process personal information contained in a Customer's calls, contacts, and messages, we do so as an operator acting on that Customer's documented instructions, and the Customer is the responsible party for that processing. The roles are summarised in the table below.
| Processing activity | Our role under POPIA | Responsible party |
|---|---|---|
| Account, authentication, billing, and subscription management | Responsible party | SmartAlex |
| Security, fraud and abuse prevention, and audit logging | Responsible party | SmartAlex |
| Product analytics and Service improvement using aggregated or pseudonymised data | Responsible party | SmartAlex |
| Call audio, call transcripts, contacts, and message content processed through the Services | Operator | The Customer that operates the account |
| Knowledge bases, prompts, and configuration a Customer uploads | Operator | The Customer that operates the account |
Under POPIA section 55, the head of a private body is its Information Officer by operation of law. Our Information Officer is the head of THERCSGROUP PTE. LTD., who may act through one or more duly authorised deputy Information Officers under section 56. We have registered, or are completing registration of, our Information Officer with the Information Regulator of South Africa as required by the Regulations. You may contact the Information Officer at privacy@getsmartalex.com, and we will handle your request in line with section 23 of POPIA.
We maintain a manual under section 51 of PAIA (the PAIA manual). The PAIA manual describes the records we hold, the procedure for requesting access to them, and the contact details of our Information Officer. You may request a copy of the PAIA manual at any time by writing to privacy@getsmartalex.com, and we will provide it free of charge.
4. Personal information we collect from South African data subjects
The personal information we process about a data subject in South Africa falls into the categories described in our Privacy Policy, which is the source of truth for the full inventory. The table below summarises those categories, the typical sources, and whether we act as responsible party or operator for that category.
| Category | Examples | Source | Our role |
|---|---|---|---|
| Account and profile data | Name, business email, telephone number, role, login credentials, account settings | Provided by you or your account administrator | Responsible party |
| Billing data | Billing contact details, payment-method metadata, transaction and invoice history, plan and usage records | Provided by you and from our payment processor, Stripe | Responsible party |
| Call content | Call audio recordings and call transcripts, including anything an End User says during a call | Generated through the Customer's use of the Services | Operator |
| Contact and campaign data | Contact names, telephone numbers, addresses, notes, call outcomes, message content | Uploaded or generated by the Customer | Operator |
| Configuration data | Knowledge bases, prompts, agent settings, scripts | Provided by the Customer | Operator |
| Technical and device data | IP address, device and browser identifiers, session data, log data | Collected automatically when you use the Services | Responsible party |
| Website analytics data | Page interactions, referral data, analytics and advertising identifiers | Collected with your cookie-consent choice | Responsible party |
| Support and correspondence data | Messages you send us, support tickets, and our responses | Provided by you | Responsible party |
Most of this information is collected through your use of the Services. Some is collected from third parties, such as our payment processor for billing, and from public sources where you enable an enrichment feature. We set non-essential website-analytics and advertising cookies only with your consent, as described in our Cookie Policy.
5. Whether supplying information is voluntary or mandatory
Where you provide personal information directly to us, supplying it is generally voluntary. However, if you do not provide information that is necessary to create or operate an account, to verify your identity, or to deliver the Services, we may be unable to provide some or all of the Services to you. Where a law requires us to collect particular information, we will tell you so at the point of collection and explain the consequences of not providing it.
For End Users whose personal information reaches us through a Customer's use of the Services, the question of whether providing information is voluntary or mandatory is a matter between the End User and the Customer that operates the account, because the Customer is the responsible party for that information and determines what it collects and why.
6. Purposes for which we process personal information
We process personal information for the following purposes. Each purpose is matched to a lawful basis in the Lawful basis section below.
- To create, operate, secure, and support your account and to authenticate users.
- To provide, maintain, and improve the Services, including delivering call handling, transcription, qualification, routing, campaign management, and analytics features.
- To process payments, manage subscriptions, issue invoices, and prevent payment fraud.
- To protect the Services, our Customers, and other users against fraud, abuse, security threats, and misuse.
- To communicate with you about the Services, including service, security, and administrative messages.
- To send direct marketing where this is permitted under section 69 of POPIA.
- To comply with our legal and regulatory obligations and to establish, exercise, or defend legal claims.
- To produce aggregated or pseudonymised statistics that do not identify you and that we use to understand and improve how the Services are used.
7. Lawful basis under POPIA
POPIA section 11 requires that processing be justified by at least one of: consent, performance of a contract, compliance with a legal obligation, protection of a legitimate interest of the data subject, performance of a public-law duty, or the legitimate interests of the responsible party or of a third party to whom the information is supplied. We rely on the following lawful bases, depending on the purpose:
- Performance of a contract with you, or with the Customer that operates the SmartAlex account under which your personal information is processed.
- Compliance with a legal obligation to which we are subject, for example retention obligations arising from financial or tax law, or under foreign laws to which we are subject as a global service provider.
- The legitimate interests of SmartAlex or of a third party (for example, securing the Services against fraud and abuse, improving the Services, or exercising or defending legal claims), where those interests are not overridden by your interests, rights, or freedoms.
- Your consent, where required for direct marketing under POPIA section 69 or for the use of non-essential cookies under our Cookie Policy. You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
The table below maps the principal processing purposes to the lawful basis we rely on. Where more than one basis applies, we identify the primary basis.
| Purpose | Primary lawful basis under section 11 |
|---|---|
| Creating and operating your account; providing the Services | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract; legal obligation for tax and accounting records |
| Securing the Services and preventing fraud and abuse | Legitimate interests |
| Improving the Services using aggregated or pseudonymised data | Legitimate interests |
| Service, security, and administrative communications | Performance of a contract; legitimate interests |
| Direct marketing to existing customers about similar goods or services | Legitimate interests, subject to section 69 and an opt-out |
| Direct marketing to others | Consent under section 69 |
| Non-essential website-analytics and advertising cookies | Consent |
| Meeting legal and regulatory obligations; defending claims | Legal obligation; legitimate interests |
8. Purpose specification and further processing (sections 13 and 15)
We collect personal information for a specific, explicitly defined, and lawful purpose related to a function or activity of SmartAlex. We do not process personal information further in a way that is incompatible with the purpose for which it was originally collected, unless section 15 of POPIA permits that further processing.
When we assess whether further processing is compatible with the original purpose, we take into account the relationship between the purposes, the nature of the information, the consequences for you, the manner in which the information was collected, and any contractual rights and obligations between us. Processing for historical, statistical, or research purposes, or as required by law, is treated as compatible to the extent permitted by section 15.
9. Special personal information and voice (sections 26 to 33)
We do not process special personal information about a South African data subject for our own purposes, except where one of the authorisations in POPIA section 27 applies. The categories of special personal information are listed in the Definitions section above.
Call audio and transcripts processed through the Services may contain special personal information, and a person's voice may constitute biometric information where it is used to identify them. Where this information forms part of a Customer's calls, we process it only on that Customer's documented instructions in our capacity as an operator. The responsibilities allocate as follows:
- the Customer is responsible for establishing an authorisation under section 27 or another lawful basis for processing special personal information through the Services, typically the data subject's consent;
- the Customer is responsible for limiting that processing to its specified, lawful purpose and for not processing it further in an incompatible way;
- the Customer is responsible for giving any notices required to its End Users, including any notice required before a call is recorded or before voice characteristics are used for identification; and
- we are responsible for processing the information only on the Customer's documented instructions, for applying the security safeguards described in the Security section below, and for not using it for our own purposes.
Our Acceptable Use Policy prohibits Customers from uploading sensitive personal information into the Services without an appropriate legal basis, and prohibits the use of voice characteristics for identification without a lawful authorisation and the notices the law requires.
10. Automated decision-making (section 71)
SmartAlex does not make decisions about a data subject based solely on automated processing, including profiling, that produce legal effects concerning the data subject or that affect the data subject to a substantial degree. Our AI is used for call handling, routing, transcription, qualification, and analytics under the Customer's control. The Customer is responsible for any decision it takes on the basis of the output of the Services.
Section 71 of POPIA, and the corresponding right described in the Rights section below, apply to any solely-automated decision that has a legal effect or that affects a data subject to a substantial degree. Where a Customer configures the Services in a way that would produce such a decision, the Customer is the responsible party for that decision and must meet the section 71 conditions, including providing an opportunity for the data subject to make representations.
11. Telling End Users they are speaking with an AI
The Services place and receive calls handled by an AI voice agent. Where required by law, an End User must be told clearly and unconditionally that they are interacting with an artificial intelligence system rather than a person. The Customer that operates the account is responsible for enabling and permitting this disclosure and for the content and conduct of its calls.
This disclosure obligation operates alongside any recording-consent and direct-marketing requirements that apply to the same call. Our Telephony and Call Recording Notice sets out the consent and recording responsibilities that the Customer must meet, including the limitation that the Services are not a substitute for, and cannot reliably reach, emergency services.
12. Direct marketing (section 69)
We do not send unsolicited electronic communications for the purpose of direct marketing to a South African data subject who is not already a customer of SmartAlex unless that data subject has consented to receive such communications. Where you are already a customer, we may send you electronic communications about goods and services that are similar to those you have already obtained from us, and you may opt out of such communications at any time. To opt out, follow the unsubscribe instructions in any marketing message or write to privacy@getsmartalex.com.
Marketing is opt-in or soft opt-in and is never bundled into account creation. We do not require you to consent to marketing as a condition of using the Services.
Customers of SmartAlex are themselves responsible for section 69 compliance in respect of the outbound communications they conduct through the Services. The Services provide mechanisms to record consent and to honour opt-out requests, and the Customer is responsible for configuring and using those mechanisms, for maintaining its own suppression lists, and for honouring requests from End Users not to be contacted.
13. Children's data (sections 34 and 35)
POPIA section 34 prohibits the processing of personal information about a child (a person under the age of 18) except on one of the grounds in section 35. The Services are not directed to children and we do not knowingly collect personal information from a child for our own purposes.
If you believe we have inadvertently collected personal information about a child, contact privacy@getsmartalex.com and we will delete it without undue delay. Where a Customer processes a child's personal information through the Services, the Customer is the responsible party for that processing and must establish a section 35 ground, such as the consent of a competent person, before doing so.
14. Information quality and security safeguards (sections 16, 19, 20, 21, and 22)
We take reasonable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary, having regard to the purpose for which it is collected or further processed.
We maintain appropriate and reasonable technical and organisational measures to secure the integrity and confidentiality of personal information in our possession or under our control, including measures against loss, damage, destruction, and unauthorised or unlawful access or processing. These measures include the following:
| Area | Measures we apply |
|---|---|
| Encryption | Encryption of personal information in transit using current transport-layer security, and encryption at rest in our databases, storage, and backups |
| Access control | Role-based access control, least-privilege principles, and multi-tenant isolation so that one Customer's data is logically separated from another's |
| Authentication | Strong authentication for administrative access and credential-management controls |
| Network and application security | Network segmentation, web application protection, and secure software-development practices |
| Logging and monitoring | Audit logging of access to personal information and monitoring for anomalous activity |
| Operator oversight | Written contracts with subprocessors requiring security measures consistent with section 21, and periodic review of those subprocessors |
| Resilience | Backups, recovery procedures, and measures to restore availability after an incident |
| Personnel | Confidentiality obligations, access on a need-to-know basis, and security awareness for staff |
A summary of these measures is published in our Trust and Security Overview and is available in greater detail under a confidentiality undertaking on request. We are working towards SOC 2 readiness, and our infrastructure subprocessors maintain SOC 2 or ISO 27001 attestations. We do not currently hold our own SOC 2 or ISO 27001 attestation.
Where we engage an operator or subprocessor to process personal information on our behalf, we do so under a written contract that requires the operator to establish and maintain the security measures referred to in section 21 and to process the information only with our knowledge or authorisation, in line with sections 20 and 21.
If we have reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise, in accordance with POPIA section 22. The notification will be in writing and will, to the extent known, describe the possible consequences of the compromise, the measures we intend to take or have taken to address it, and a recommendation about what the data subject can do to mitigate the possible adverse effects.
15. How long we keep personal information
POPIA section 14 requires that records of personal information not be retained for longer than is necessary for the purpose for which they were collected or processed, unless a longer period is authorised. We retain personal information for the periods set out below, or for as long as one of the criteria in this section applies, after which we delete it or de-identify it.
| Category | Retention period or criterion |
|---|---|
| Account and profile data | For the life of the account, then deleted or de-identified within a defined period after account closure, subject to legal-hold and record-keeping needs |
| Billing and transaction records | For the period required by applicable tax, accounting, and company-law obligations, typically several years after the transaction |
| Call audio recordings and transcripts (operator data) | For the retention period configured by the Customer, who is the responsible party; deleted or returned on termination of the Customer's agreement in line with our Data Processing Addendum, subject to short-term backup cycles |
| Contacts, campaign, and configuration data (operator data) | For as long as the Customer maintains them in the account; deleted or returned on termination in line with our Data Processing Addendum |
| Technical, device, and log data | For a limited period proportionate to security, troubleshooting, and audit needs |
| Website-analytics and cookie data | For the period stated in our Cookie Policy or until you withdraw consent, whichever is shorter |
| Support and correspondence data | For as long as needed to handle the matter and a reasonable period afterwards for quality and record-keeping |
| Backups | Held on a rolling basis and overwritten on the ordinary backup cycle; data deleted from live systems is purged from backups within that cycle |
Where we are required by law to retain personal information for longer, or where we need to retain it to establish, exercise, or defend a legal claim, we will keep it for the period the law or that purpose requires and then delete or de-identify it.
16. Cross-border transfers of personal information (section 72)
We operate from Singapore and process personal information using cloud infrastructure providers and other subprocessors situated outside South Africa, including in the United States and the European Economic Area. We rely on the following section 72 bases for cross-border transfers:
- Adequate-level laws or binding rules at the receiving subprocessor, for example where a subprocessor is bound by laws or rules that uphold principles for the reasonable processing of personal information substantially similar to the conditions in Chapter 3 of POPIA and that include provisions, substantially similar to section 72, on onward transfer.
- Contracts with subprocessors that effectively uphold those principles, in the form of the executed data processing terms between SmartAlex and each subprocessor, mirroring the obligations SmartAlex owes to its Customers.
- Your consent, where given specifically for a transfer that does not otherwise meet section 72(1)(a), (c), or (d).
- Performance of a contract between SmartAlex and you, or implementation of pre-contractual measures taken in response to your request, where the transfer is necessary for that performance.
Where the transfer also involves personal data subject to European, United Kingdom, or Swiss law, we additionally rely on the relevant standard contractual clauses, the United Kingdom international data transfer addendum, the Swiss addendum, and supplementary measures, including encryption in transit and at rest and access controls. A copy of the relevant safeguards is available from privacy@getsmartalex.com.
A current list of the subprocessors we use, including their legal names, locations, and processing purposes, is published in our Subprocessor List. We give written notice of changes to that list as required by our Data Processing Addendum, which also governs the obligations we impose on each subprocessor and our right to object to new subprocessors.
17. Rights of data subjects (sections 23, 24, and 25)
As a data subject located in South Africa, you have the following rights under POPIA:
- The right to access the personal information we hold about you and to be informed of the third parties who have, or have had, access to that information.
- The right to correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully, and the right to have a record destroyed or deleted where we are no longer authorised to retain it.
- The right to object, on reasonable grounds relating to your particular situation, to the processing of your personal information, including the right to object to processing for direct marketing under section 69.
- The right not to be subject to a decision based solely on the automated processing of your personal information intended to provide a profile of you that has legal effect or that affects you to a substantial degree, except in the circumstances described in section 71.
- The right to complain to the Information Regulator, as set out in the Complaints section below, and to institute civil proceedings regarding an alleged interference with the protection of your personal information.
- The right to withdraw consent at any time, where our processing is based on your consent, without affecting the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, follow the procedure set out in our Data Subject Access Request Procedure or write to privacy@getsmartalex.com. We may ask you to verify your identity before we act on a request, and we will use the prescribed forms where POPIA or its regulations require them. We will respond within 30 calendar days of receiving a verifiable request, which we adopt as a reasonable time for the purposes of section 23. Where a request is complex or we receive a number of requests, we may extend that period and will tell you if we do so. We will not charge a fee for most requests, but we may charge the prescribed fee for a request for access where POPIA permits it, and we will tell you the fee in advance.
Where SmartAlex acts as an operator for a Customer that is the responsible party, we will forward your request to the relevant Customer and assist them in fulfilling it. The Customer is the appropriate first point of contact in that case, because the Customer determines the purpose and means of the processing and holds the primary relationship with you.
18. Complaints to the Information Regulator (section 74)
If you are not satisfied with our response to a request, or with any aspect of our processing, you have the right to lodge a complaint with the Information Regulator of South Africa. Your statutory rights and remedies as a data subject are separate from any commercial dispute-resolution clause in our agreements, and you are not required to arbitrate to exercise them. We ask, but do not require, that you raise your concern with us first so that we have the opportunity to resolve it.
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Telephone: +27 (10) 023 5200
Complaints: complaints.ir@inforegulator.org.za
Web: https://inforegulator.org.za
19. Changes to this Notice
We may update this Notice from time to time to reflect changes in our processing, our subprocessors, or the law. When we make a material change, we will update the version and effective date below and, where appropriate, notify you through the Services or by other reasonable means. We encourage you to review this Notice periodically.
20. Contact
For any question concerning this Notice or our processing of your personal information under POPIA, write to:
Information Officer
Email: privacy@getsmartalex.com
Postal: THERCSGROUP PTE. LTD., Attn: Information Officer, 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914.
21. Version and effective date
This POPIA Notice is version 1.1 and is effective from 1 June 2026.