Privacy Notice

Effective date: [EFFECTIVE_DATE]  ·  Last updated: [EFFECTIVE_DATE]

This notice explains how Aurélie — Boutique Companions ("Aurélie", "we", "us") collects and uses your personal information, and your rights, under the Protection of Personal Information Act, 2013 (POPIA). It applies together with our Terms of Service, Disclaimer and Cookie Policy.

1. Who is responsible for your information

The responsible party is [OPERATOR_LEGAL_NAME] (registration no. [OPERATOR_REG_NUMBER]), [OPERATOR_ADDRESS].

Our Information Officer is [INFO_OFFICER_NAME], who can be reached at [INFO_OFFICER_EMAIL] for any privacy question, request or complaint. General privacy enquiries: [PRIVACY_CONTACT_EMAIL].

2. What we collect, why, and our lawful basis

We collect only what we need for the purposes below.

InformationWhy we use itLawful basis (POPIA s11)
Account details — email address, password (stored only as a secure hash), display name, and (for advertisers) phone number To create and secure your account, sign you in, and contact you about your account Performance of our agreement with you; our legitimate interest in account security
Advertiser profile — name shown, description, age, contact phone/email, rates, services, availability, location, and photos you upload To publish your advertisement and let users find and contact you Performance of our agreement with you
Phone verification — your phone number and a one-time code (stored only as a hash; the code itself is not retained) To confirm a number is yours and show a "verified" badge Our legitimate interest in trust and anti-fraud; your consent to receive the verification SMS
Reviews you write — author name, rating, comment, and the IP address used To publish reviews and detect abuse Our legitimate interest in a trustworthy platform
Chat messages — message content (encrypted at rest) and who sent them To deliver messages between users and allow moderation of abuse reports Performance of our agreement with you; legitimate interest in safety
Payments — bank-deposit reference, amount, date and description, imported from our bank statements (we do not collect card details) To match a deposit to your listing and activate or extend it Performance of our agreement with you; legal obligation to keep financial records
Forum posts and support tickets — content you submit and the IP address used To run the community forum and respond to support requests Performance of our agreement; legitimate interest in support and safety
Usage and security logs — search queries and IP addresses, and a tamper-evident audit log of significant actions (with IP address) To operate, secure and improve the site and meet our accountability duties Our legitimate interest in security and POPIA accountability
Age attestation — the date and IP address on which you confirmed you are 18+ To record that you confirmed you are an adult Legal obligation / legitimate interest in restricting adult content to adults
Consents — your cross-border-transfer consent and your marketing opt-in, with the date each was given To prove the choices you made Consent; POPIA accountability

3. Listings sourced from elsewhere

Some listings may be compiled from information that is already published on other public advertising sites. Where this applies, the lawful basis, notice to the people concerned, and an easy opt-out are being finalised before go-live (see our Report & Takedown page). If you are featured and want your listing changed or removed, contact us and we will action it. [#181 — confirm lawful basis and opt-out wording with counsel before launch.]

4. Direct marketing

We send marketing (such as promotional email or SMS) only to people who have explicitly opted in, and you can withdraw consent at any time — from your profile settings, via an unsubscribe link, or by contacting us. We do not sell your information.

5. Who we share information with

We share personal information only with service providers ("operators") who help us run the service, under contract and only as needed:

  • Hosting — [HOSTING_PROVIDER] hosts the website and database ([HOSTING_COUNTRY]).
  • Email delivery — our email provider sends account and notification emails (currently routed via Google / Gmail SMTP).
  • SMS delivery — our SMS gateway (e.g. Clickatell or BulkSMS) sends verification and notification messages; it receives the recipient's phone number and the message text.
  • AI text-extraction providers — where listings are compiled from public sources, listing text may be processed by an AI provider (Google Gemini, OpenAI or OpenRouter) to structure it. This does not apply to your account or private messages.

We may also disclose information where the law requires it, or to protect safety, rights or property.

6. Cross-border transfers

Our hosting and some of the providers above are located outside South Africa (for example [HOSTING_COUNTRY], and the United States for some email/SMS/AI providers). This means your personal information may be processed in other countries. In line with POPIA s72 we ask for your consent to this transfer when you register, and we take steps so that your information continues to receive a comparable level of protection. You can withdraw this consent, though doing so may mean we can no longer provide the service. [#176/#177 — confirm final providers, countries and safeguards with counsel.]

7. How long we keep it

We keep personal information only for as long as needed for the purposes above or as the law requires. As a guide: search and message-delivery logs are kept for a limited rolling period (around 90 days); financial records are kept as long as the law requires; and the security audit log is retained for its integrity. When you delete your account (see below) we anonymise your personal information rather than keep it. [#183 — confirm the full retention schedule before go-live.]

8. How we protect your information

We use reasonable technical and organisational safeguards, including encryption of chat messages and sensitive credentials at rest, hashed passwords and verification codes, access controls and two-factor authentication for administrators, and a tamper-evident audit log. No system is perfectly secure, but we work to protect your information and to respond appropriately if something goes wrong.

9. Cookies

We use a small number of strictly necessary cookies — for example to keep you signed in and to remember that you confirmed you are 18+. See our Cookie Policy for details.

10. Your rights

Under POPIA you have the right to:

  • Access a copy of your personal information — you can download all of your data from your Privacy settings.
  • Correct or update your information — edit your profile, display name, consents and security settings at any time.
  • Delete your account — from your Privacy settings. This anonymises your personal information; a minimal, legally-required record (such as the security audit trail and financial records) is retained.
  • Object to processing and withdraw consent (including for marketing and cross-border transfer) at any time.
  • Complain — to us first, and to the Information Regulator.

11. Complaints to the Information Regulator

If you are unhappy with how we handle your information you may complain to the Information Regulator (South Africa): JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 — enquiries@inforegulator.org.za / POPIAComplaints@inforegulator.org.za. [Verify current Regulator contact details at go-live.]

12. Changes to this notice

We may update this notice from time to time; the effective date above shows the current version. Where a change is material and affects registered users, we will give notice (for example by email or an in-account notice).

Questions about your privacy? Email [INFO_OFFICER_EMAIL] or contact us.