Stackalot logo

Privacy Notice

Last updated: 19 May 2026

This Privacy Notice explains how CRC (Pty) Ltd, a company registered in South Africa ("CRC", "we", "us"), collects, uses and shares personal information when you use Stackalot (the "Service"). CRC is the data controller (or "responsible party" under South Africa's POPIA) for personal information processed in connection with the Service.

1. Information we collect

  • Account data — name, email address, password hash, authentication provider (e.g. Google), profile preferences.
  • Content you upload — Takealot product URLs, product photos, notes, PPC reports (CSV/XLSX), keywords, and AI prompts you submit.
  • Generated content — listings, images, scores, analyses and other outputs produced for your account.
  • Usage & telemetry — feature usage, request counts, error logs, device and browser information, IP address, approximate location derived from IP.
  • Support communications — messages you send us via email or in-app support.
  • Payment information — handled by Paddle. We receive limited data such as your country, billing email, transaction ID, plan and status. We do not see your full card number.

2. Why we use it (purposes & legal basis)

  • Provide the Service — account creation, running AI analyses, generating images, storing your products and reports. Legal basis: performance of contract.
  • Security and fraud prevention — abuse detection, rate limiting, audit logs. Legitimate interests.
  • Improving the Service — aggregated, de-identified analytics to understand which features work. Legitimate interests.
  • Customer support — answering your questions. Performance of contract / legitimate interests.
  • Billing & tax compliance — via our Merchant of Record (Paddle). Performance of contract / legal obligation.
  • Product updates and marketing — only where you have opted in or where allowed by law. Consent / legitimate interests.

3. Who we share data with

We share personal data with the following categories of recipients:

  • Paddle.com — our payments provider and Merchant of Record. Paddle processes payments, manages subscriptions, handles billing, tax, invoicing and refunds. See Paddle's Privacy Notice.
  • Cloud hosting and database providers (Lovable Cloud / Supabase, Cloudflare) — to host the application, store your data, and serve content.
  • AI model providers — Google (Gemini) and OpenAI (GPT family). Prompts and content you submit may be sent to these providers solely to generate the requested output. We do not authorise them to train their general models on your content.
  • Email and authentication providers — to send transactional emails and authenticate sign-in (e.g. Google OAuth).
  • Professional advisers — lawyers, accountants and auditors where reasonably necessary.
  • Authorities — where required by law, court order, or to protect rights and safety.

We do not sell your personal information.

4. International transfers

Some of our service providers are located outside South Africa (including the European Union, United Kingdom and United States). Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision, in line with POPIA and (where applicable) the GDPR.

5. Data retention

We keep personal data for as long as your account is active and for a reasonable period afterwards to meet legal, accounting and security obligations. You can request deletion at any time (see Section 7). Backups containing your data are rotated and eventually overwritten.

6. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS), encryption at rest for the database, row-level security, scoped API keys, audit logs and access controls. No system is perfectly secure — please use a strong, unique password.

7. Your rights

Subject to applicable law (including POPIA in South Africa and, where it applies, the GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Request deletion of your data ("right to be forgotten").
  • Restrict or object to certain processing.
  • Receive a copy of your data in a portable format.
  • Withdraw consent at any time (without affecting prior processing).
  • Lodge a complaint with a supervisory authority — in South Africa, the Information Regulator (inforegulator.org.za).

To exercise these rights, email support@stackalot.co.za. We aim to respond within 30 days.

8. Cookies

We use a small number of cookies and similar technologies:

  • Essential — sign-in sessions, security tokens, basic preferences. The Service cannot function without these.
  • Analytics — to understand how features are used (where enabled).

You can manage cookies through your browser settings.

9. Children

Stackalot is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Changes to this notice

We may update this Privacy Notice from time to time. Material changes will be announced in-app or by email. The "Last updated" date at the top reflects the latest version.

11. Contact

CRC (Pty) Ltd, South Africa.
Email: support@stackalot.co.za