Privacy Policy

Privacy Policy

1. Purpose of this Privacy Policy

Almal AI is committed to protecting personal information and building governed, accessible, and responsible AI solutions.

This Privacy Policy explains how Almal AI collects, uses, stores, shares, protects, and manages personal information when people interact with Almal AI, our website, our business channels, our clients, and our KI4ALMAL framework.

This Privacy Policy is intended to comply with applicable privacy and data protection laws, including:

  1. 1. The Protection of Personal Information Act, 4 of 2013, South Africa, known as POPIA.
  2. 2. The General Data Protection Regulation, where GDPR applies to our activities, clients, users, or processing operations.

This Privacy Policy must be read together with any applicable client agreement, data processing agreement, platform agreement, or other formal Almal AI policy.

This Privacy Policy does not repeat our Terms of Service. Our Terms of Service deal with platform use, commercial terms, responsibilities, acceptable use, and service-related conditions.

This Privacy Policy deals only with privacy and personal information.

Deletion, account removal, record removal, and related data lifecycle actions are dealt with in our separate Data Deletion and Retention Policy.

2. Who this Privacy Policy Applies To

This Privacy Policy applies to:

  1. 1. Visitors to our website or online channels.
  2. 2. Prospective clients, clients, partners, vendors, and service providers.
  3. 3. End-users who interact with AI agents, WhatsApp journeys, dashboards, forms, demos, pilots, or supported workflows powered by Almal AI or KI4ALMAL.
  4. 4. People who contact us by email, WhatsApp, web form, phone, meeting, demo, or other communication channel.
  5. 5. Client representatives, administrators, testers, staff members, and authorised users of the KI4ALMAL framework.
  6. 6. Any other person whose personal information is processed by Almal AI in connection with our business, services, or framework.

3. Our Role: Responsible Party, Operator, Controller, or Processor

Depending on the context, Almal AI may act in different legal roles.

3.1 When Almal AI acts for its own business purposes

Almal AI may act as a responsible party under POPIA or as a controller under GDPR when we decide why and how personal information is processed.

This may include processing for:

  1. 1. Business enquiries.
  2. 2. Sales discussions.
  3. 3. Client onboarding.
  4. 4. Demo arrangements.
  5. 5. Supplier management.
  6. 6. Website contact forms.
  7. 7. Governance, compliance, security, and audit purposes.
  8. 8. Internal business administration.

3.2 When Almal AI processes data for a client

Almal AI may act as an operator under POPIA or as a processor under GDPR when we process personal information on behalf of a client and according to the client’s lawful instructions.

This may apply when a client uses KI4ALMAL to operate AI agents, WhatsApp journeys, CRM integrations, dashboards, support workflows, booking workflows, information flows, or other client-approved use cases.

In those cases, the client is normally responsible for deciding the purpose of the processing, the lawful basis, the type of data collected, the retention period, and the instructions given to Almal AI.

3.3 Mixed roles

Some processing may involve both client-controlled processing and Almal AI-controlled processing.

For example, Almal AI may process certain technical records, logs, security alerts, audit information, billing records, or support records for its own legitimate business and compliance purposes.

4. Our Privacy Principles

Almal AI applies the following privacy principles:

  1. 1. We process personal information lawfully, fairly, and transparently.
  2. 2. We collect personal information only for defined and legitimate purposes.
  3. 3. We limit personal information to what is necessary for the relevant purpose.
  4. 4. We use personal information only in ways that are compatible with the reason it was collected.
  5. 5. We take reasonable steps to keep personal information accurate and updated where needed.
  6. 6. We protect personal information through appropriate technical and organizational safeguards.
  7. 7. We limit access to authorized people and systems.
  8. 8. We do not sell personal information.
  9. 9. We support privacy rights, accessibility, human oversight, and responsible AI governance.
  10. 10. We treat sensitive information, special personal information, and children’s information with additional care.

Personal Information We May Collect

The type of personal information we collect depends on the interaction, service, client workflow, or AI journey.

We may collect or process the following categories of personal information:

5.1 Identity and contact information

This may include:

    2. Business name.
  1. 3. Job title or role.
  2. 4. Email address.
  3. 5. Phone number.
  4. 6. WhatsApp number.
  5. 7. Country, city, or general location.
  6. 8. Company registration or business contact details where relevant.

5.2 Communication information

This may include:

  1. 1. Messages sent to Almal AI or a client AI agent.
  2. 2. WhatsApp conversations.
  3. 3. Email messages.
  4. 4. Meeting notes.
  5. 4. Meeting notes.
  6. 5. Voice notes or transcribed content, where applicable.
  7. 6. Support requests.
  8. 6. Support requests.
  9. 7. Demo requests.
  10. 8. Feedback, complaints, or service queries.

5.3 Client and business information

This may include:

  1. 1. Client account details.
  2. 2. Authorized user details.
  3. 3. Project information.
  4. 4. Workflow requirements.
  5. 5. Integration requirements.
  6. 6. CRM, support, ticketing, or booking-related information.
  7. 7. Contract and billing information.
  8. 8. Partner, supplier, or vendor information.

5.4 Technical and usage information

This may include:

  1. 1. IP address.
  2. 2. Device information.
  3. 3. Browser type.
  4. 4. System logs.
  5. 5. Error logs.
  6. 6. Timestamps.
  7. 7. Session information.
  8. 8. Message delivery status.
  9. 9. API events.
  10. 10. Integration activity.
  11. 11. Security and authentication logs.
  12. 12. Dashboard usage and performance information.
  13. 5.5 AI interaction information

    Where a person interacts with KI4ALMAL, we may process information linked to the AI interaction, including:

  14. 1. User prompts or messages.
  15. 2. Agent responses.
  16. 3. Intent classification.
  17. 4. Conversation status.
  18. 5. Human handoff status.
  19. 6. Workflow steps completed.
  20. 7. Confidence indicators.
  21. 8. Retrieval or knowledge-base references used by the agent.
  22. 9. Escalation, safety, or governance flags.
  23. 10. Audit logs needed to monitor quality, safety, and compliance.

5.6 Special personal information

In some client workflows, users may voluntarily provide information that could be considered special personal information or sensitive information.

This may include information about:

  1. 1. Health.
  2. 2. Disability or accessibility needs.
  3. 3. Financial circumstances.
  4. 4. Employment history.
  5. 5. Legal matters.
  6. 6. Biometric information.
  7. 7. Religious, philosophical, political, or similar sensitive matters.
  8. 8. Children or dependants.

Almal AI does not intentionally request special personal information unless it is necessary for a defined and lawful purpose, and only where appropriate safeguards, client instructions, or lawful authorization are in place.

6. How We Collect Personal Information

We may collect personal information directly or indirectly.

6.1 Direct collection

We may collect information directly when a person:

  1. >1. Contacts Almal AI.
  2. 2. Completes a form.
  3. 3. Sends an email.
  4. 4. Sends a WhatsApp message.
  5. 5. Books a demo.
  6. 6. Attends a meeting.
  7. 7. Interacts with an AI agent.
  8. 8. Uses a dashboard or workflow.
  9. 9. Requests support.
  10. 10. Provides information during onboarding, testing, or service delivery.

6.2 Collection through clients

Where Almal AI provides services to a client, we may receive or process personal information that the client collects from its own customers, employees, leads, users, patients, members, partners, or other data subjects.

In those cases, the client is responsible for ensuring that the personal information is collected lawfully and that the data subject receives the required privacy notice or disclosure.

6.3 Collection through third-party platforms and integrations

Personal information may be collected or processed through platforms or integrations used to provide the service, such as:

  1. 1. WhatsApp Business or Meta-related services.
  2. 2. CRM systems.
  3. 3. Hosting providers.
  4. 4. Cloud infrastructure.
  5. 5. Analytics, monitoring, and security tools.
  6. 6. Email, calendar, support, ticketing, or workflow tools.
  7. 7. AI model, automation, retrieval, or language-processing services.

Where third-party platforms are used, those platforms may also process personal information according to their own privacy terms and policies.

7. Why We Use Personal Information

Almal AI uses personal information only where there is a lawful and legitimate reason to do so.

We may use personal information for the following purposes:

7.1 To provide and operate our services

This includes:

  1. 1. Delivering KI4ALMAL functionality.
  2. 2. Running AI agents and approved workflows.
  3. 3. Supporting WhatsApp journeys.
  4. 4. Processing user requests.
  5. 5. Routing conversations.
  6. 6. Enabling human handoff where required.
  7. 7. Creating or updating CRM, lead, support, booking, or ticket records where configured.
  8. 8. Providing dashboards and reporting.
  9. 9. Managing client environments.

7.2 To communicate with clients, users, and partners

This includes:

  1. 1. Responding to enquiries.
  2. 2. Scheduling demos or meetings.
  3. 3. Providing support.
  4. 4. Sending service updates.
  5. 5. Managing onboarding.
  6. 6. Managing business relationships.
  7. 7. Responding to complaints or requests.

7.3 To improve reliability, safety, and quality

This includes:

  1. 1. Testing and improving workflows.
  2. 2. Debugging errors.
  3. 2. Debugging errors.
  4. 3. Monitoring uptime and performance.
  5. 4. Reviewing failed or escalated conversations.
  6. 5. Improving agent responses within approved boundaries.
  7. 6. Maintaining audit records.
  8. 7. Detecting misuse, abuse, or technical failures.

7.4 To support AI governance and responsible automation

This includes:

  1. 1. Applying guardrails.
  2. 2. Monitoring high-risk prompts.
  3. 3. Identifying out-of-scope requests.
  4. 4. Supporting human escalation.
  5. 5. Reviewing safety issues.
  6. 6. Maintaining records for accountability.
  7. 7. Ensuring that AI workflows remain aligned with client-approved use cases.

7.5 To meet legal, regulatory, and contractual obligations

This includes:

  1. 1. Compliance with POPIA, GDPR, PAIA, consumer laws, tax laws, company laws, and other applicable obligations.
  2. to lawful requests from regulators, courts, or authorities.
  3. 3. Managing contracts and agreements.
  4. 4. Maintaining required business records.
  5. 5. Investigating security incidents or unauthorized access.
  6. 6. Protecting legal rights.

7.6 To manage marketing and business development

Where legally allowed, we may use personal information to:

  1. 1. Send business communications.
  2. 2. Follow up on enquiries.
  3. 3. Provide information about Almal AI services.
  4. 4. Invite relevant people to demos, pilots, or business discussions.
  5. 5. Send newsletters or updates where consent or another lawful basis applies.

People may opt out of direct marketing communications at any time.

8. Lawful Bases for Processing

Depending on the context and applicable law, we may rely on one or more of the following lawful bases:

  1. 1. Consent.
  2. 2. Performance of a contract.
  3. 3. Steps taken before entering into a contract.
  4. 4. Compliance with a legal obligation.
  5. 5. Legitimate interests.
  6. 6. Protection of a person’s rights, safety, or vital interests where applicable.
  7. 7. A client’s lawful instruction where Almal AI acts as an operator or processor.
  8. 8. Another lawful basis permitted by POPIA, GDPR, or applicable law.

Where consent is required, consent must be specific, informed, and voluntary.

A person may withdraw consent where the law allows, but withdrawal does not affect processing that was lawful before consent was withdrawn.

9. AI Processing, Automation, and Human Oversight

KI4ALMAL is designed as a governed and accessible AI framework.

AI processing may include:

  1. 1. Understanding a user’s request.
  2. 2. Classifying intent.
  3. 3. Retrieving relevant information.
  4. 4. Generating a response.
  5. 5. Asking follow-up questions.
  6. 6. Triggering an approved workflow.
  7. 7. Escalating the matter to a human.
  8. 8. Creating records in approved systems.
  9. 9. Applying safety, privacy, and scope guardrails.

Almal AI does not design KI4ALMAL to make final legal, medical, financial, employment, credit, insurance, or similarly significant decisions about a person without appropriate human oversight, lawful basis, and client-approved controls.

Where a workflow may materially affect a person, Almal AI recommends that the client applies human review, clear disclosures, and appropriate escalation processes.

10. Use of Personal Information for AI Training and Improvement

Almal AI does not use client-owned personal information to train public or general AI models unless this has been expressly agreed in writing and is lawful.

Where service improvement is required, Almal AI aims to use:

  1. 1. Aggregated information.
  2. 2. De-identified information.
  3. 3. Anonymised information.
  4. 4. Technical performance records.
  5. 5. Limited logs needed for debugging, quality, safety, and compliance.

Where identifiable personal information is required for support, testing, investigation, or improvement, access is limited to authorised people and used only for the relevant purpose.

Client-specific knowledge bases, retrieval systems, prompts, and workflow records are managed according to the applicable client agreement, data processing agreement, access controls, and agreed configuration.

11. Accessibility and Inclusive AI

Almal AI is committed to accessibility and inclusive technology.

Some users may disclose information about disability, accessibility needs, language preferences, assistive technology requirements, or communication barriers when interacting with Almal AI or a client AI agent.

We process this information only where needed to provide the relevant service, support accessibility, improve communication, or comply with a lawful instruction.

We aim to design AI workflows that are clear, respectful, accessible, and suitable for people with different communication needs.

Children’s Personal Information

Almal AI does not intentionally collect personal information from children through its own business channels unless there is a lawful reason to do so.

Where a client workflow involves children’s personal information, the client must ensure that:

  1. 1. There is a lawful basis for collecting and processing the information.
  2. 2. Required parental, guardian, or competent-person consent is obtained where applicable.
  3. 3. The workflow is appropriate for children.
  4. 4. Only necessary information is collected.
  5. 5. Additional safeguards are applied.
  6. 6. The processing complies with POPIA, GDPR, and any other applicable law.

Almal AI may refuse or restrict processing that appears unlawful, unsafe, excessive, or outside the approved client purpose.

13. Special Personal Information and High-Risk Data

Special personal information requires additional care.

Almal AI may process special personal information only where:

  1. 1. The processing is lawful.
  2. 2. The purpose is specific and necessary.
  3. 3. The information is relevant to the approved workflow.
  4. 4. The client has confirmed the lawful basis where the client controls the purpose.
  5. 5. Appropriate safeguards are applied.
  6. 6. Access is limited.
  7. 7. Human escalation is available where appropriate.

such as:

  1. 1. Written client instructions.
  2. 2. A data processing agreement.
  3. 3. A data protection impact assessment.
  4. 4. Stronger access controls.
  5. 5. Human review.
  6. 6. Reduced retention.
  7. 7. Special logging and audit controls.
  8. 8. Explicit user disclosures.

14. WhatsApp, Meta, and Messaging Channels

KI4ALMAL may support WhatsApp or other messaging-based journeys./p>

When a person communicates through WhatsApp or another third-party messaging channel:

  1. 1. The message may be processed by that third-party platform.
  2. 2. The platform may apply its own privacy policy, terms, infrastructure, and security rules.
  3. 3. Message metadata, delivery status, phone number, and interaction data may be processed as part of the channel.
  4. 4. Almal AI and/or the client may receive and process the information needed to respond to the user and complete the approved journey.

Users should not share unnecessary sensitive information through messaging channels.

Where sensitive information is required, it should only be requested in a lawful, limited, and clearly explained way.

15. Sharing of Personal Information

Almal AI may share personal information only where lawful and necessary.

We may share information with:

  1. 1. The relevant client, where Almal AI acts on behalf of that client.
  2. 2. Authorized Almal AI staff, contractors, or support providers.
  3. 3. Hosting and infrastructure providers.
  4. 3. Hosting and infrastructure providers.
  5. 5. CRM, support, ticketing, booking, or workflow providers.
  6. 6. Security, monitoring, logging, and analytics providers.
  7. 7. Professional advisers, including legal, accounting, tax, audit, and compliance advisers.
  8. 8. Regulators, courts, law enforcement, or public authorities where required by law.
  9. 9. Business partners or implementation partners where needed to deliver an approved service.

We require service providers and operators to apply appropriate confidentiality, security, and data protection controls.

We do not sell personal information.

16. Cross-Border Transfers

Almal AI may use systems, hosting providers, infrastructure, support providers, or technical service providers located outside South Africa or outside the country where the data subject is located.

Where personal information is transferred across borders, Almal AI will take reasonable steps to ensure that the transfer is lawful and protected by appropriate safeguards.

These safeguards may include:

  1. 1. Written agreements.
  2. 2. Data processing agreements.
  3. 3. Contractual confidentiality obligations.
  4. 4. Appropriate technical and organizational security measures.
  5. 5. Transfer mechanisms required by applicable law.
  6. 6. Equivalent or adequate privacy protections where required.

Where Almal AI acts as an operator or processor for a client, cross-border processing will also be governed by the relevant client agreement or data processing agreement.

17. Security Measures

Almal AI applies reasonable technical and organizational measures to protect personal information against loss, unauthorized access, misuse, alteration, disclosure, or destruction.

These measures may include:

  1. 1. Access controls.
  2. 2. Authentication.
  3. 3. Role-based permissions.
  4. 4. Encryption in transit where appropriate.
  5. 5. Secure infrastructure configuration.
  6. 6. Monitoring and logging.
  7. 7. Error and incident monitoring.
  8. 8. Secure development practices.
  9. 9. Segregation of client environments where applicable.
  10. 10. Confidentiality obligations.
  11. 11. Vendor review.
  12. 12. Backup and recovery controls.
  13. 13. Incident response processes.13. Incident response processes.
  14. 14. Least-privilege access.
  15. 15. Security review of integrations.

No system can be guaranteed to be completely secure, but Almal AI takes privacy and security seriously and works to reduce risk through governance, controls, and responsible system design.

18. Security Incidents

If Almal AI becomes aware of unauthorized access, loss, disclosure, or compromise of personal information, we will assess the incident and take appropriate steps.

Where required by law, agreement, or client instruction, we will notify the relevant client, responsible party, regulator, or affected data subject.

Where Almal AI acts as an operator or processor, we will notify the client according to the applicable agreement and assist with reasonable information needed for the client to meet its legal obligations.

19. Retention of Personal Information

Almal AI keeps personal information only for as long as necessary for the purpose for which it was collected, for lawful business purposes, for contractual obligations, for security and audit purposes, or where required by law.

Detailed retention periods, deletion processes, account removal steps, and deletion request handling are set out in Almal AI’s separate Data Deletion and Retention Policy.

20. Data Subject Rights

Depending on the applicable law and context, a person may have the right to:

  1. 1. Be informed that personal information is being collected or processed.
  2. 2. Request access to their personal information.
  3. 3. Request correction of inaccurate or outdated personal information.
  4. 4. Request deletion or removal, subject to lawful limitations and the separate Data Deletion and Retention Policy.
  5. 5. Object to processing in certain circumstances.
  6. 6. Withdraw consent where processing is based on consent.
  7. 7. Object to direct marketing.
  8. 8. Request restriction of processing where applicable.
  9. 9. Request data portability where GDPR applies.
  10. 10. Request human review or intervention where automated processing may significantly affect them.
  11. 11. Lodge a complaint with Almal AI, the relevant client, the Information Regulator, or another applicable supervisory authority.

Where Almal AI acts as an operator or processor for a client, we may refer the request to the client because the client is normally responsible for responding to the data subject.

We may need to verify the identity of the person making the request before providing access, correction, deletion, or other action.

21. Direct Marketing

Almal AI may send marketing or business development communications where lawful.

We will not send unlawful unsolicited electronic direct marketing.

Where consent is required, we will request consent. Where a person may opt out, we will provide a reasonable way to unsubscribe or object.

A person may object to direct marketing at any time.

22. Cookies and Website Tracking

Where Almal AI uses cookies, analytics, pixels, or similar technologies on its website or digital platforms, these may collect technical and usage information.

These technologies may be used to:

  1. 1. Operate the website.
  2. 2. Improve website performance.
  3. 3. Understand website usage.
  4. 4. Protect against misuse or security threats.
  5. 5. Support marketing or analytics where lawful.

Where required, users will be provided with cookie notices or consent options.

23. Client Responsibilities

Where a client uses KI4ALMAL to process personal information, the client is responsible for:

  1. 1. Ensuring that the processing has a lawful basis.
  2. 2. Providing required privacy notices to its users.
  3. 3. Defining the approved purpose of each workflow.
  4. 4. Ensuring that the data collected is necessary and not excessive.
  5. 5. Giving lawful written instructions to Almal AI.
  6. 6. Ensuring that special personal information and children’s information are handled lawfully.
  7. 7. Managing user requests where the client is the responsible party or controller.
  8. 8. Approving the wording, journeys, templates, forms, and disclosures used in its own workflows.
  9. 9. Ensuring that AI journeys do not make unlawful or unsupported decisions about people.
  10. 10. Applying human review where required.

Almal AI may request additional information, safeguards, or written confirmation before supporting high-risk workflows.

24. Third-Party Services and Subprocessors

Almal AI may use third-party service providers or subprocessors to deliver, host, secure, monitor, integrate, or support its services.

These providers may include categories such as:

  1. Cloud hosting providers.
  2. Database providers.
  3. Messaging platforms.
  4. CRM and workflow systems.
  5. AI model and language-processing providers.
  6. Monitoring and error-logging providers.
  7. Security providers.
  8. Development and technical support providers.
  9. Professional advisers.

Almal AI aims to use service providers that can support appropriate privacy, confidentiality, and security standards.

Where required, Almal AI will enter into appropriate written agreements with service providers or subprocessors.

25. Links to Other Websites or Platforms

Our website, messages, demos, or workflows may contain links to third-party websites or platforms.

Almal AI is not responsible for the privacy practices of third-party websites or platforms that we do not control.

Users should review the privacy policies of third-party services before sharing personal information with them.

26. Updates to this Privacy Policy

Almal AI may update this Privacy Policy from time to time.

When we make material changes, we will update the effective date and may notify users, clients, or partners where appropriate.

The latest version will apply from the date it is published, unless otherwise stated.

27. Contact Details

For privacy questions, requests, complaints, or concerns, please contact:

Almal AI Privacy Contact / Information Officer

Address: 210 Armarand Ave Pegasus Building 1 Menlyn Maine Waterkloof Glen Ext 2 Pretoria 0181 South Africa

If the matter relates to a client-controlled AI journey, Almal AI may refer the request to the relevant client.

28. Complaints to the Regulator

If a person is not satisfied with how their personal information has been handled, they may contact Almal AI first so that we can try to resolve the matter.

A person may also have the right to lodge a complaint with the South African Information Regulator or another applicable data protection authority.

South African Information Regulator

29. Final Statement

Almal AI’s privacy approach is built on lawful processing, responsible AI, accessibility, security, transparency, and human-centred governance.

We aim to ensure that KI4ALMAL enables useful AI automation while respecting personal information, privacy rights, client responsibilities, and the dignity of every user.