1. Who we are
Koldarra (“Koldarra”, “we”, “us” or “our”) is the responsible party for the processing of personal information described in this policy. Our principal place of business is Cape Town, South Africa.
Privacy enquiries and requests can be addressed to our Information Officer at info@koldarra.com.
2. Scope
This policy covers personal information processed when you:
- visit or interact with our website at koldarra.com;
- request a demo or contact us by email or through a form;
- are provisioned as an authorised user of the Koldex platform;
- communicate with us in the course of a business relationship.
Where we process personal information contained in a customer’s queries or content within Koldex, we generally do so as an operator on the customer’s behalf and under the customer’s instructions; the customer remains the responsible party for that information.
3. Personal information we collect
- Contact details: name, work email address, company name, and any message you include when requesting a demo or contacting us.
- Account information, for authorised Koldex users: name, work email, role, organisation, and authentication data.
- Usage information: queries submitted to Koldex, feature usage, and technical logs (such as IP address, browser type, device information and timestamps) generated when you use the website or platform.
- Communications: correspondence between you and Koldarra, including with your account manager.
We collect personal information directly from you, from your organisation when it provisions you as a user, and automatically through your use of the website and platform. We do not knowingly collect special personal information (as defined in POPIA) and ask that you do not submit it to us.
4. How and why we use personal information
We process personal information for the following purposes and on the following lawful grounds under POPIA:
- Responding to enquiries and demo requests: processing is necessary to take steps at your request before entering into a contract, or pursues our legitimate interest in responding to business enquiries.
- Providing and operating Koldex: processing is necessary to perform our contract with you or your organisation, including authentication, generating answers to your queries, support and billing.
- Service improvement and security: our legitimate interests in maintaining, securing and improving the platform, preventing fraud and abuse, and diagnosing technical issues.
- Legal compliance: processing necessary to comply with obligations imposed by law.
- Marketing, only as permitted by section 69 of POPIA: with your consent, or to existing customers in respect of similar services, always with the ability to opt out. See section 12 below.
5. AI processing of queries
Questions submitted to Koldex are processed by our systems, including AI components, to generate answers from your organisation’s curated document library. Queries and outputs are logged to operate the service, provide support, maintain security and improve reliability. We do not sell your queries, and we do not use your confidential content to train models made available to other customers.
6. Cookies and similar technologies
Our website is designed to be privacy-light. We use only the cookies and similar technologies that are strictly necessary for the website and platform to function (for example, session and security cookies). If we introduce analytics or other non-essential cookies in future, we will update this policy and, where required, request your consent.
7. Sharing personal information
We do not sell personal information. We share it only as follows:
- Service providers (operators under POPIA) who host our infrastructure, deliver email, and provide supporting services, bound by contractual confidentiality and security obligations and permitted to process personal information only on our instructions;
- Your organisation: where you use Koldex under your employer’s subscription, account and usage information may be shared with your organisation’s administrators;
- Professional advisers and authorities: where necessary to obtain professional advice, comply with law, enforce our rights, or respond to lawful requests by public authorities;
- Business transfers: in connection with a merger, acquisition or sale of assets, in which case this policy will continue to apply to the transferred information.
8. Cross-border transfers
Some of our service providers (for example, cloud hosting and email delivery) store or process information outside South Africa. Where personal information is transferred across borders, we do so in accordance with section 72 of POPIA, to recipients subject to laws or binding agreements providing an adequate level of protection substantially similar to POPIA, or where the transfer is otherwise permitted (for example, where it is necessary for the performance of a contract with you or your organisation).
9. Security safeguards
In line with section 19 of POPIA, we implement appropriate, reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised destruction and unlawful access, including encryption in transit, access controls, module-level isolation of customer libraries, and least-privilege access for staff. Should a data breach occur that affects your personal information, we will notify the Information Regulator and affected data subjects as required by section 22 of POPIA.
10. Retention
We retain personal information only for as long as necessary for the purposes described in this policy: for the duration of your organisation’s subscription and a reasonable period thereafter; as needed to comply with legal, accounting or reporting obligations; or as needed to establish, exercise or defend legal claims. Demo-request details that do not lead to a business relationship are deleted or de-identified within a reasonable period.
11. Your rights under POPIA
As a data subject, you have the right to:
- be notified that your personal information is being collected, and of any unauthorised access to it;
- request confirmation of whether we hold personal information about you, and request access to it;
- request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained;
- object, on reasonable grounds, to processing of your personal information;
- withdraw consent where processing is based on consent;
- not be subject, in certain circumstances, to decisions based solely on automated processing;
- lodge a complaint with the Information Regulator.
To exercise any of these rights, contact our Information Officer at info@koldarra.com. We may need to verify your identity before acting on a request.
12. Direct marketing
We will only send you direct marketing by electronic communication where permitted by section 69 of POPIA, that is, with your consent or where you are an existing customer and the communication relates to similar services. Every marketing communication will include a simple way to opt out, and we will honour opt-outs promptly.
13. Children
Our website and Koldex are intended for business users and are not directed at children. We do not knowingly process the personal information of children. If you believe a child has provided us with personal information, please contact us so we can delete it.
14. Changes to this policy
We may update this policy from time to time. The current version will always be published on this page with its effective date, and material changes will be brought to the attention of active customers. Your continued use of the website or Koldex after the effective date constitutes acceptance of the updated policy.
15. Contact
Information Officer, Koldarra, Cape Town, South Africa. info@koldarra.com