Privacy Policy
Contents
- Who We Are
- What Data We Collect
- How We Collect Data
- Purpose of Processing
- Legal Basis for Processing
- Data Sharing & Third Parties
- Cross-Border Data Transfers
- Data Retention
- Data Subject Rights
- Security Measures
- Automated Decision-Making
- Children's Privacy
- Changes to This Policy
- Complaints & Regulator Contact
- Information Officer Contact
- POPIA Conditions Compliance Map
1. Who We Are
Toutouwai provides a managed Hermes AI agent subscription service. We are the Responsible Party (as defined in section 1 of POPIA) for the processing of your personal information.
Legal entity: Daniel Donaldson Digital Pty Ltd, trading as Toutouwai
Contact: [email protected]
2. What Data We Collect
2.1 Account Data (all tiers)
| Data Category | Specific Items | Purpose |
|---|---|---|
| Identity | Name, Telegram user ID | Account creation, authentication |
| Contact | Telegram handle, email (optional) | Communication, support, billing |
| Payment | Card token — card details stored by payment provider | Billing records |
| Technical | IP address, usage metrics, error logs | Service monitoring, security |
3. How We Collect Data
- Directly from you: When you create an account, provide your API key, send messages to your agent, or configure tasks
- Automatically: Usage metrics, error logs, container performance data
- From third parties: Limited to payment confirmation references (no full card or banking details)
What we do NOT collect:
- We do not sell your personal information to anyone
- We do not collect browsing history or location data beyond IP address
4. Purpose of Processing
| Processing Activity | Purpose | Lawful Basis |
|---|---|---|
| Account management | Operate your account, authenticate you | Contract performance |
| Billing | Process payments, send invoices, maintain payment records | Contract performance / Legal obligation |
| Agent execution | Process your requests, generate responses, run scheduled tasks | Contract performance |
| Service improvement | Diagnose issues, improve performance, monitor usage | Legitimate interest |
| Legal compliance | Comply with POPIA, CPA, ECTA, tax law | Legal obligation |
| Direct marketing | Notify you of new features, updates, promotions (optional) | Consent (opt-in) |
We only send transactional messages (billing notices, service updates) as part of the Service. Marketing communications require your explicit opt-in consent in compliance with POPIA s 69.
5. Legal Basis for Processing
| Basis | Application | POPIA Condition |
|---|---|---|
| Contract performance | Account management, agent execution, billing | s 11(1)(a) — necessary for performance of a contract |
| Consent | Managed memory (Aerie), cross-border transfers, marketing | s 11(1)(a) — free, specific, informed consent |
| Legitimate interest | Service improvement, fraud prevention, security monitoring | s 11(1)(f) — balanced against data subject rights |
| Legal obligation | SARS record-keeping, POPIA compliance obligations | s 11(1)(b) — required by law |
6. Data Sharing & Third Parties
| Third Party | Data Shared | Purpose | Location |
|---|---|---|---|
| OpenRouter | Conversation text, model selection, usage data | LLM query processing | US servers |
| Your chosen LLM provider | Conversation text, API key usage | LLM query processing | Varies by provider |
| Telegram | Telegram ID, messages | Messaging interface | Global infrastructure |
| Hosting provider | Container data at rest, logs | Cloud hosting | Varies |
What we do NOT share:
- We do not sell your personal information to any third party
- We do not share data for advertising or marketing purposes
- We do not share data with law enforcement except as required by valid legal process
BYOK note: When subscribers provide their own API key, conversation data is transmitted directly to the subscriber's chosen LLM provider. Toutouwai has no control over and accepts no liability for that provider's data handling practices. Review your chosen provider's privacy policy before use.
7. Cross-Border Data Transfers
7.1 By using the Service, you consent to the transfer of your personal information to the following jurisdictions as necessary to provide the Service:
- United States: OpenRouter servers (LLM query processing)
- Germany / Finland: Cloud hosting (container data at rest)
- Any jurisdiction where Telegram maintains messaging infrastructure
7.2 POPIA s 72 compliance: We rely on the following transfer mechanisms:
- Your explicit consent (obtained via these Terms)
- The necessity of transfer for performance of the Service contract
- Where applicable, adequacy determinations or binding corporate rules of our operators
7.3 Risk disclosure: Some of our Operators (OpenRouter, Telegram) may transfer data to jurisdictions that do not have the same data protection laws as South Africa. By using the Service, you acknowledge this risk and consent to such transfers.
7.4 Nest BYOK subscriber note: When you provide your own API key, your conversation data is transmitted directly to your chosen LLM provider, which may be located in any jurisdiction. Toutouwai has no control over and accepts no liability for that provider's data handling practices. You should review your chosen provider's privacy policy before use.
8. Data Retention
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data | Account lifespan + 90 days | Service provision |
| Payment records | 5 years | Tax requirements |
| Logs & metrics (technical) | 90 days | Service monitoring |
| Deleted account data | Purged within 30 days | Data subject right |
9. Data Subject Rights
Under POPIA, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your personal data | Contact our Information Officer |
| Correction | Correct inaccurate or incomplete data | Via your agent or by contacting us |
| Deletion | Request deletion of your data | Cancel account + request deletion |
| Objection | Object to processing on legitimate interest grounds | Contact our Information Officer — processed within 21 days (POPIA s 73) |
| Restriction | Restrict processing while a dispute is resolved | Contact our Information Officer |
| Portability | Request data in a machine-readable format | Via your agent (where technically feasible) |
| Withdraw consent | For processing based on consent | Opt-out via your agent or contact us |
Response time: We will respond within 30 days (POPIA-compliant). This period may be extended by a further 30 days if the request is complex or high-volume — we will inform you if this applies.
No fee: Exercising your rights is free unless the request is manifestly unfounded, excessive, or repetitive, in which case a reasonable fee may be charged.
10. Security Measures
Technical
- Container isolation (Docker with --cap-drop ALL, no-new-privileges, user namespace remapping)
- Encrypted storage for API keys (Nest BYOK)
- Read-only container filesystem with tmpfs for runtime data
- Per-tenant isolated bridge networks — no inter-container communication
- Outbound-only network access from containers
- TLS/SSL for all external communications
- Regular security updates and container rebuilds
- Rate limiting on API endpoints
- Container resource caps (memory, CPU) per tier
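As an added illustration (not the page's own configuration), the technical controls listed above expressed as a Docker Compose service for a single tenant; the service, image and network names are assumptions.

```yaml
# Added example: one tenant's agent container with the controls listed above.
# Service, image and network names are assumptions, not the provider's own.
services:
  agent-tenant-a:
    image: hermes-agent:latest            # assumed image name
    cap_drop:
      - ALL                               # --cap-drop ALL: no Linux capabilities
    security_opt:
      - no-new-privileges:true            # blocks privilege gain via setuid/setgid binaries
    read_only: true                       # read-only root filesystem
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m    # writable scratch only, non-executable
      - /run
    networks:
      - tenant-a-net                      # per-tenant bridge; not shared with other tenants
    # No "ports:" entry: nothing is published, so the container is outbound-only.
    mem_limit: 512m                       # per-tier resource caps
    cpus: "0.5"
    pids_limit: 256                       # limits fork bombs inside the container
    restart: unless-stopped

networks:
  tenant-a-net:
    driver: bridge
    driver_opts:
      # Disable inter-container traffic even within this bridge.
      com.docker.network.bridge.enable_icc: "false"

# User namespace remapping is a daemon-level setting, not a Compose key:
# set "userns-remap": "default" in /etc/docker/daemon.json on the host,
# so root inside the container maps to an unprivileged host UID.
```

Verify the running container with `docker inspect` (CapAdd/CapDrop, SecurityOpt, ReadonlyRootfs, NetworkMode) rather than trusting the file alone.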
Organisational
- Information Officer appointed (POPIA s 55)
- Data breach response procedure documented
- Staff trained on data protection obligations
- Operator assessments conducted at onboarding and annually
- Access to production data limited to essential personnel
Breach Notification (POPIA s 22)
In the event of a personal information breach, we will:
- Notify the Information Regulator as soon as reasonably possible after discovery
- Notify affected data subjects if there is a reasonable basis to believe the breach may adversely affect their rights
- Provide: description of the breach, steps taken, recommendations to mitigate harm
- Take all reasonable steps to contain and remediate the breach
11. Automated Decision-Making (POPIA s 71)
11.1 The Hermes agent makes automated decisions based on your instructions. This is the core service feature — your agent processes requests and generates responses autonomously.
11.2 The memory "deriver" component synthesises patterns from your conversation history to improve future responses. This is an automated process that learns from your data.
11.3 You have the right to:
- Request human intervention in agent decisions
- Contest automated decisions
- Opt out of automated memory synthesis
11.4 No fully automated decisions that produce legal effects (POPIA s 71) are made without human oversight. Subscription billing is automated as standard business practice but does not produce legal effects concerning the data subject.
12. Children's Privacy
12.1 The Service is not directed at children under 13.
12.2 If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly.
12.3 In accordance with the Children's Act 38 of 2005, we do not knowingly collect personal information from minors without parental consent.
13. Changes to This Policy
13.1 We may update this Privacy Policy with 30 days' notice.
13.2 Material changes will be communicated via Telegram and/or email.
13.3 Continued use after changes take effect constitutes acceptance of the updated policy.
13.4 We will maintain an archived copy of previous versions upon request.
14. Complaints & Regulator Contact
If you believe we have processed your personal information unlawfully, you may lodge a complaint with:
Information Regulator (South Africa)
Website: www.inforegulator.org.za
Email: [email protected]
Phone: +27 (0)10 023 5200
Physical: SALU Building, 315 Thabo Sehume Street, Pretoria
We ask that you first contact our Information Officer at [email protected] to resolve the issue informally. We commit to responding to any complaint within 7 business days.
15. Information Officer Contact
| Role | Details |
|---|---|
| Information Officer | Founder |
| Email | [email protected] |
| Response commitment | 7 business days for initial response |
16. POPIA Conditions Compliance Map
| # | Condition | Where Addressed | Status |
|---|---|---|---|
| 1 | Accountability (s 8) — Ensure all conditions are met. Appoint Information Officer. | §1, §15 | ✓ Information Officer appointed (Daniel Donaldson). |
| 2 | Processing Limitation (ss 9–12) — Collect only what's necessary. Get consent. Process lawfully. | §2, §3, §4, §5 | ✓ Data collection is tier-specific and minimal. |
| 3 | Purpose Specification (ss 13–14) — Collect for one specific, defined purpose. | §4 | ✓ Processing purposes are explicitly defined per activity. |
| 4 | Further Processing Limitation (s 15) — Secondary use must be compatible with original purpose. | §4, §6 | ✓ We do not repurpose data. Any secondary use requires fresh consent. |
| 5 | Information Quality (s 16) — Keep data accurate and up to date. | §9 | ✓ Users can correct their data. |
| 6 | Openness (ss 17–18) — Maintain documentation. Privacy Policy must be available. | This document, §16 | ✓ This policy is publicly available. |
| 7 | Security Safeguards (ss 19–22) — Implement technical and organisational security. Breach notification. | §10 | ✓ Container isolation, encryption, access controls, breach procedure documented. |
| 8 | Data Subject Participation (ss 23–25) — Allow access, correction, and deletion. | §9 | ✓ Full data subject rights framework with response commitments. |