LTV Labs
Request access
POPIA-compliantEffective 16 May 2026

Privacy Policy

LTV LABS SA · Registration 2026/383498/07

This Privacy Policy explains how LTV LABS SA (registration number 2026/383498/07) ("LTV Labs", "we", "us") collects, uses, shares, and safeguards personal information when you visit ltvlabs.co.za or use the LTV Labs platform (the "Service").

We comply with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa. By using the Service or submitting personal information to us, you confirm that you have read and understood this policy.

1. Who we are

LTV LABS SA is a South African private company registered with the Companies and Intellectual Property Commission (CIPC) under enterprise number 2026/383498/07. Our registered address is 144 Thabo Mbeki Drive, Potchefstroom, North West, South Africa.

For matters relating to this policy, contact our Information Officer:

2. Our role — Responsible Party vs Operator

POPIA distinguishes two roles in data processing. LTV Labs acts as:

  • Responsible Party for the personal information of our own users (people who register accounts, submit our contact form, or visit our marketing site).
  • Operatorfor the personal information of our clients' end customers, which we process strictly on their behalf and on their documented instructions (for example, WhatsApp messages, contact details, and orders flowing through the Service).

If you are an end customer of one of our clients (for example, you message a brand running on LTV Labs), the responsible party for that processing is the brand, not us. Direct data-subject requests to the brand. We will support them in responding.

3. Personal information we collect

3.1 From visitors to our marketing site

  • Information you submit via the contact form (name, email, company, message).
  • Technical information collected automatically: IP address (hashed at rest with a secret salt — we do not retain raw IP), user agent, referrer, and pages visited.
  • Cookies and analytics identifiers — see Cookies & analytics below.

3.2 From client account users (staff at our client companies)

  • Name, email address, role within their organisation.
  • Authentication data: password hash (bcrypt, 12 rounds) and/or WebAuthn passkey credentials.
  • Session and audit-log activity tied to actions performed in the platform.

3.3 As an Operator, on behalf of our clients

  • End-customer phone numbers and WhatsApp identifiers.
  • Message content (text, images, audio, documents) exchanged via WhatsApp.
  • Order, fulfilment, and contact data synced from connected e-commerce stores (Shopify, WooCommerce).
  • Behavioural metadata used for retention scoring (last order date, purchase totals, lifecycle tags).

4. Lawful basis and purpose of processing

We process personal information for the following purposes:

  • Contract performance (POPIA s.11(1)(b)): providing the Service to our clients, including delivering messages, syncing orders, and generating analytics dashboards.
  • Consent (POPIA s.11(1)(a)): sending marketing or transactional messages to end customers who have opted in through their interaction with our clients.
  • Legitimate interest (POPIA s.11(1)(f)): protecting platform security, preventing fraud and abuse, and improving our Service.
  • Legal obligation (POPIA s.11(1)(c)): responding to lawful requests from authorities and complying with applicable tax and accounting laws.

5. Sharing and sub-processors

We share personal information only as needed to operate the Service. Our sub-processors include:

  • Meta Platforms (WhatsApp Business Cloud API) — message delivery and receipt.
  • Shopify and WooCommerce — e-commerce data sync (only for clients who connect these integrations).
  • Anthropic and OpenAI — AI processing of messages, when enabled by the client. Provider data-use terms apply; we have configured them to not train on customer data where the provider supports that flag.
  • Resend / SMTP provider — transactional email delivery.
  • Cloud hosting provider — infrastructure for the Service.

Sub-processors are bound by data-processing agreements that require them to process personal information only on our documented instructions and to maintain appropriate security measures.

6. International transfers

Some of our sub-processors are based outside South Africa. When personal information is transferred outside the Republic, we ensure either that the recipient is in a country with adequate data protection laws, that the transfer is necessary for performance of the contract, or that appropriate safeguards (such as standard contractual clauses) are in place — as required by POPIA s.72.

7. Retention

  • Marketing-site contact submissions: retained for up to 24 months from submission, then deleted unless a client relationship has been established.
  • Client account data: retained for the duration of the client relationship plus six years for accounting and tax compliance.
  • End-customer data (Operator role): retained for as long as the client account remains active. On termination, exported to the client on request and then securely deleted within 30 days unless legal hold applies.
  • Server logs and security audit trails: retained for 12 months.

8. Security measures

We implement reasonable, technically and organisationally appropriate measures to secure personal information, including:

  • Encryption of API credentials and access tokens at rest using AES-256-GCM.
  • Database row-level security to isolate each client's data.
  • TLS encryption for all data in transit.
  • Bcrypt password hashing (12 rounds) and optional WebAuthn passkey authentication.
  • Audit logging of administrative actions.
  • Principle-of-least-privilege access for our own staff.

Despite these measures, no online service can guarantee absolute security. If a security compromise affects your personal information and the Information Regulator requires notification, we will notify affected data subjects without undue delay as required by POPIA s.22.

9. Your rights as a data subject

Under POPIA, you have the right to:

  • Be notified that personal information about you is being collected (s.18).
  • Request access to personal information we hold about you (s.23).
  • Request correction or deletion of inaccurate or out-of-date information (s.24).
  • Object to the processing of your personal information (s.11(3)).
  • Lodge a complaint with the Information Regulator (inforegulator.org.za).

To exercise any of these rights, email admin@ltvlabs.co.za. We will respond within 30 days.

10. Cookies and analytics

We use a small set of cookies and analytics identifiers strictly necessary to run the site and understand how it is used:

  • Authentication cookies — required for signed-in users to maintain a session.
  • Google Analytics 4 (when enabled) — used in anonymize-IP mode. We do not share GA4 data with other Google properties for advertising.

Most browsers let you refuse or delete cookies. Disabling authentication cookies will prevent you from signing in.

11. Children

The Service is not intended for individuals under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently done so, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email to account holders or via a prominent notice on the site at least 14 days before they take effect.

13. Contact

Questions about this policy or your personal information? Contact us or email admin@ltvlabs.co.za.