Privacy Policy

Last Updated: March 19, 2026

---

1. Introduction

1.1 Our Commitment to Privacy

Welcome to Haagah ("Haagah", "we", "our", or "us"). We are committed to protecting the privacy and personal data of every person who interacts with our platform — including the business owners who use Haagah to run their sales operations and the customers who contact them through WhatsApp.

We will never sell, rent, or share your personal data with third parties for marketing or commercial purposes.

1.2 Acceptance of This Policy

By accessing or using Haagah, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. If you do not agree, you must not use our Services.

1.3 What Haagah Is

Haagah is an AI-powered commerce platform that enables businesses to receive and process sales enquiries via WhatsApp, manage product inventory, and complete transactions — automatically, around the clock. The platform serves businesses across multiple industry sectors and product categories.

The platform serves two distinct groups:

• Business Owners (Suppliers): Businesses that register on Haagah to deploy an AI sales agent.
• End Customers: Members of the public who send WhatsApp messages to a registered business and interact with the AI agent.

1.4 Scope of This Policy

This Privacy Policy applies to all information collected through:

• Our website at https://haagah.com and all associated subdomains
• Our web dashboard used by business owners
• Our WhatsApp-based AI commerce agent
• Email communications, customer support, and other touchpoints with our Services

1.5 Applicable Law

Haagah is built in South Africa and complies primarily with the Protection of Personal Information Act (POPIA), No. 4 of 2013. For users in other jurisdictions, we apply equivalent standards as described in Section 14.

---

2. Information We Collect

2.1 Information About Business Owners

2.1.1 Account Registration Data

• Business name, email address, and phone number
• Business industry and product category classification
• Operating currency preference

2.1.2 WhatsApp Integration Data

• The WhatsApp Business phone number identifier used to connect the business owner's number to the platform

2.1.3 Payment Infrastructure Data

• Payment processor subaccount identifier
• Bank settlement details including bank name, account holder name, and bank code
• Bank account number, stored encrypted at rest

2.1.4 Agent Configuration Data

Business owners configure an AI agent persona that includes an agent name, business description, tone preference, staff contact details for customer handoffs, and any special instructions. This configuration data is used exclusively to power the agent.

2.1.5 Inventory Data

Business owners upload product inventory files. This data is stored and indexed to power the AI agent's product search capability. It is used exclusively for that purpose.

2.1.6 Subscription and Billing Data

• Active subscription plan and status
• Billing records associated with the owner's account

2.1.7 Platform Usage Data

• Aggregated daily performance metrics including conversations handled and sales activity

2.2 Information About End Customers

End customers interact with Haagah only through WhatsApp and do not register accounts.

2.2.1 Identity Data

• WhatsApp phone number, as provided by the WhatsApp API
• Name, if voluntarily shared during conversation

2.2.2 Conversation Data

• Message content and timestamps for every message in a customer conversation
• Message identifiers used for deduplication

2.2.3 Order and Payment Data

If a customer confirms a purchase:

• An order record linking the customer to the product and payment
• The Paystack transaction reference and payment status
• The customer's phone number, for post-payment notification

2.3 Technical and Usage Data

For all users:

• Authentication state and session data
• IP addresses, for security and geographic authentication
• Error logs for debugging purposes
• Inventory upload status records

---

3. How We Use Your Information

3.1 Providing Services to Business Owners

We use business owner data to:

• Create and authenticate accounts
• Deploy and operate the AI WhatsApp sales agent
• Index uploaded inventory for AI-powered product retrieval
• Route inbound WhatsApp messages to the correct owner's agent
• Generate payment links and process split payments
• Notify staff on confirmed sales
• Provide dashboard analytics
• Manage subscription billing

3.2 Operating the AI Agent for End Customers

We use end customer data to:

• Receive and process inbound WhatsApp messages
• Retrieve relevant products from the supplier's inventory
• Generate accurate AI responses
• Maintain conversation context across message turns
• Detect purchase intent and generate payment links
• Confirm payment and notify the customer
• Prevent duplicate message processing

3.3 Platform Analytics and Intelligence

Transaction data is aggregated across the platform to generate anonymised economic intelligence — tracking trends in supply, demand, and pricing by industry sector. No individual business or customer is identifiable in this aggregated data.

3.4 Security and Fraud Prevention

We use data to verify the authenticity of incoming webhook events from payment and messaging providers, and to detect and prevent unauthorised access or abuse.

3.5 Platform Improvement

Aggregated and anonymised data is used to improve AI response quality, inventory processing reliability, and the overall platform experience.

3.6 How We Do NOT Use Your Information

• ❌ We do not sell or rent personal data to third parties
• ❌ We do not use end customer data for any purpose beyond processing their enquiry
• ❌ We do not use business owner data for advertising or profiling
• ❌ We do not include individual supplier or customer data in cross-tenant analytics
• ❌ Haagah products are entirely ad-free. We do not display advertisements or use any data for advertising targeting.

---

4. Legal Basis for Processing Personal Data

4.1 Business Owners

• Contractual necessity: Account management, agent deployment, and payment processing are necessary to perform our contract with the business owner.
• Legitimate interests: Analytics, security monitoring, and platform improvement are pursued under legitimate interests.
• Legal obligation: Retention of transaction records to comply with applicable financial regulations.

4.2 End Customers

• Legitimate interests: Processing WhatsApp messages to facilitate the sales transaction the customer initiated.
• Contractual necessity: Where a customer confirms an order, processing is necessary to fulfil that transaction.
• Legal obligation: Retention of transaction records as required by law.

End customers are informed at the start of their interaction that they are communicating with an AI assistant.

---

5. How We Share Your Information

We do not sell, rent, or share personal data with third parties for marketing or commercial purposes.

5.1 Sharing Within the Platform

Business owner data is accessible only to the business owner via their dashboard and to Haagah administrators for support and compliance. End customer data is accessible only to the business owner whose number the customer messaged and to Haagah administrators.

5.2 Third-Party Service Providers

We share data with carefully selected infrastructure, AI, payment, and messaging providers who are contractually bound to use data only for the specific service they provide, to implement appropriate security measures, and to comply with applicable data protection law. We do not share data with advertising networks, data brokers, or marketing companies.

Categories of providers include:

• Cloud infrastructure and database providers
• AI language and embedding providers — customer query text and product descriptions are processed to generate search results and AI responses
• Payment processors — business owner and customer payment data is processed to complete transactions
• Messaging infrastructure — messages pass through the WhatsApp Business API operated by Meta

5.3 Legal and Safety Disclosures

We may disclose personal data when required to comply with a court order, lawful legal process, law enforcement request, or mandatory reporting obligation under South African law. We will notify affected users where permitted by law.

5.4 Business Transfers

In the event of a merger, acquisition, or asset sale, personal data may transfer to the successor entity under equivalent privacy protections. Users will be notified of any material change.

5.5 Aggregated Economic Data

Anonymised, aggregated transaction data is used to generate economic intelligence across the platform. This data contains no personally identifiable information and no individual business or customer can be identified from it.

---

6. Data Security

6.1 Technical Measures

• All data in transit is encrypted using TLS 1.2 or higher
• Data at rest is encrypted using industry-standard encryption
• Bank account numbers are encrypted before storage using a separate encryption key
• Webhook events from payment and messaging providers are cryptographically verified before processing
• Haagah does not store card data. Payment card processing occurs within our payment provider's PCI-DSS compliant environment.

6.2 Access Controls

Business owner data is strictly scoped so that no business owner can access another's data through any platform function. All data access and modification requires verified ownership.

6.3 Incident Response

In the event of a breach, we will notify the Information Regulator of South Africa within the timeframes required by POPIA and notify affected data subjects promptly.

---

7. Data Retention and Deletion

7.1 Business Owner Data

• Active accounts: all data retained while the account is active
• On account deletion: personal contact data deleted within 30 days; transaction and payment records retained for 7 years to comply with financial regulations; inventory data deleted immediately

7.2 End Customer Data

• Conversation messages: retained for 12 months from the date of the last message, then deleted
• Order and payment records: retained for 7 years from the transaction date

7.3 Inventory Data

Each inventory upload replaces the previous one entirely. No historical inventory files are retained in the operational system beyond the current upload.

7.4 Aggregated Data

Anonymised, aggregated platform data may be retained indefinitely as it contains no personally identifiable information.

---

8. Your Rights and Choices

8.1 Business Owner Rights

Business owners have the right to:

• Access: Request a copy of personal data we hold
• Correction: Update account information via the dashboard
• Deletion: Request deletion of their account and data, subject to legal retention obligations
• Portability: Request a data export in a machine-readable format
• Object: Object to processing based on legitimate interests

8.2 End Customer Rights

End customers have the right to:

• Access: Request information about data held relating to their phone number
• Deletion: Request deletion of their conversation history, subject to retention obligations for completed transactions
• Object: Object to the processing of their personal data

To exercise any right, contact privacy@haagah.com.

8.3 Rights Under POPIA

All data subjects have the right to be notified of data collection, access their data, request correction or deletion, object to processing, and lodge a complaint with the Information Regulator.

Information Regulator of South Africa:

• Website: https://www.justice.gov.za/inforeg/
• Email: inforeg@justice.gov.za

8.4 Response Timeline

• General privacy inquiries: 7 business days
• Rights requests: 30 days, extendable to 60 days for complex requests
• Security incidents: per POPIA requirements

---

9. Cookies and Session Data

Haagah uses minimal cookies. See our Cookie Policy for full details. We do not use cookies for advertising, cross-site tracking, or commercial profiling.

---

10. International Data Transfers

Haagah's infrastructure involves international data transfers to service providers operating in multiple jurisdictions. We implement appropriate contractual safeguards with all providers. For South African users, we comply with POPIA Section 72 requirements for cross-border transfers.

---

11. Changes to This Privacy Policy

For material changes, we will notify business owners via their registered email address at least 30 days before changes take effect and display a dashboard notification. Continued use of the platform constitutes acceptance.

---

12. Contact Information

Privacy Inquiries: privacy@haagah.com

Information Officer (POPIA): infoofficer@haagah.com

Security Reports: security@haagah.com

Postal Address: Haagah, Privacy Department Johannesburg, Gauteng, South Africa

---

Effective Date: March 19, 2026

Last Reviewed: March 19, 2026

Next Scheduled Review: September 19, 2026

Approved By: Haagah Legal and Operations Team

---

Your privacy matters to us. Contact us at privacy@haagah.com with any questions.