1. Responsible Party
For the purposes of the Protection of Personal Information Act 4 of 2013 (POPIA), the responsible party (data controller) for personal information processed through the Pocket Friend service is:
| Detail | Information |
|---|---|
| Responsible Party | Pocket Friend (Pty) Ltd |
| Registration Number | 2026/135783/07 |
| Postal Address | PO Box 188, Suite 23, Robertson, Western Cape, South Africa, 6705 |
| Email | support@pocketfriend.co.za |
| Information Officer | Contactable at support@pocketfriend.co.za |
For users located in the European Economic Area (EEA), Pocket Friend (Pty) Ltd acts as the data controller under the General Data Protection Regulation (GDPR). We do not currently maintain a representative in the EEA but will appoint one if required under Article 27 of the GDPR as our user base grows.
For users located in the United Kingdom, Pocket Friend (Pty) Ltd acts as the data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
A copy of our PAIA Manual, prepared in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000, is available at pocketfriend.co.za/paia.html.
2. Definitions
In this Privacy Policy:
- "Personal information" means information relating to an identifiable, living, natural person, as defined in POPIA Section 1 and GDPR Article 4 ("personal data").
- "Processing" means any operation performed on personal information, including collection, storage, use, modification, dissemination, or deletion.
- "Service" means the Pocket Friend wellbeing and personal reflection companion service delivered via WhatsApp and Telegram.
- "You" / "User" means the individual using the Pocket Friend service.
- "We" / "Us" / "Our" means Pocket Friend (Pty) Ltd.
- "Third-party processor" / "Operator" (POPIA) / "Data processor" (GDPR) means a person or organisation that processes personal information on our behalf.
3. Information We Collect
We apply the principle of data minimisation — we collect only the personal information that is necessary to provide and operate the service. We do not collect information for speculative or unrelated purposes.
3.1 Information You Provide Directly
| Data Category | Examples | Purpose |
|---|---|---|
| Phone number | Your WhatsApp or Telegram number in international format | Account identification, message delivery |
| Display name | Your WhatsApp or Telegram profile name | Personalisation |
| Nickname | Your chosen display name within the service | Personalisation |
| Companion name | Your chosen name for your AI companion | Service personalisation |
| Conversation content | Text messages, transcribed voice notes, image descriptions, PDF document summaries, AI responses | Service delivery, conversation memory |
| Voice recordings | Voice notes you send | Transcription to text (not stored after transcription) |
| Images | Photos you send via WhatsApp or Telegram | AI interpretation (not stored after processing) |
| PDF documents | Documents you send for summarisation | AI summarisation (original file not stored after processing) |
| Location data | Location pins or Google Maps links you voluntarily share | Conversation context enrichment (included in conversation history) |
| Email address | If voluntarily provided | Receipts, notifications, formal communications |
| Persona preference | Your selected companion style | Service configuration |
3.2 Information Generated Through Use
| Data Category | Examples | Purpose |
|---|---|---|
| Account balance | Current credit balance | Billing, top-up triggers |
| Transaction records | Deposits, deductions, top-ups with amounts and timestamps | Billing, financial records |
| Usage metadata | Message type (text/voice/image/document/location), token counts, cost per message, timestamps | Cost calculation, service improvement |
| Onboarding status | Your progress through the setup process | Service delivery |
| Conversation summaries | AI-generated summaries of your conversation patterns | Long-term memory continuity across sessions |
| OTP verification codes | Temporary 6-digit codes for website portal login | Authentication (auto-expire after use or timeout) |
| Session tokens | Temporary authentication tokens for the website portal | Website portal sessions (auto-expire) |
| Support ticket records | Ticket number, subject, messages, status | Support request management |
| Dialling code | Derived from your phone number | Currency and VAT determination |
| Currency preference | Your transaction currency (ZAR/USD/GBP/EUR/AUD) | Billing |
| Payment provider reference | Whether you pay via Paystack or Peach Payments | Payment routing |
| Payment card reference | Last 4 digits and card brand (for display only) | Card identification in portal |
3.3 Information We Do NOT Collect
- We do not routinely collect your location data. However, if you voluntarily share a location pin or a Google Maps link via WhatsApp or Telegram, we process the location information to enrich the conversation context. Location coordinates are not stored in a separate database — they are included in the conversation history and subject to the same 90-day retention period.
- We do not store your voice recordings after transcription. Voice notes are transcribed to text in real time and the audio is discarded.
- We do not store images you send after they have been interpreted. Images are processed by the AI and a text description is stored — the original image file is discarded.
- We do not store PDF documents you send after they have been summarised. The original file is discarded after processing.
- We do not store your full card number, CVV, or banking details. Payment processing is handled entirely by Paystack (South African users) or Peach Payments (international users), and we store only tokenised references.
- We do not deliberately collect or request biometric data, health data, genetic data, or other special categories of personal information as defined in POPIA Section 26 or GDPR Article 9. However, given the wellbeing nature of the service, you may voluntarily share information relating to your health, emotional state, or personal circumstances during conversations. Any such information is stored as part of your conversation history (subject to the 90-day retention period) and may be reflected in conversation summaries. We do not extract, categorise, or separately process this information — it is treated identically to all other conversation content.
4. How We Collect Your Information
We collect personal information through the following channels:
- WhatsApp messages: When you send text, voice, image, document, or location messages to Pocket Friend, WhatsApp delivers them to our systems via the WhatsApp Business API. Meta's processing of your data on the WhatsApp platform is governed by WhatsApp's Privacy Policy.
- Telegram messages: When you send text, voice, image, document, or location messages to Pocket Friend on Telegram, Telegram delivers them to our systems via the Telegram Bot API. Telegram's processing is governed by Telegram's Privacy Policy.
- Payment processing: When you make a payment, your card details are collected by Paystack (South African users) or Peach Payments (international users), who provide us with a tokenised reference. Each processor's data handling is governed by their own privacy policy.
- Website portal: When you log in to the Pocket Friend website portal, we collect your phone number for OTP verification and create temporary session tokens. Profile updates and support tickets submitted through the portal are stored in our database.
- Email: If you voluntarily provide your email address via WhatsApp, Telegram, or the website portal.
5. Why We Process Your Information (Purpose Limitation)
We process your personal information for specific, explicitly defined, and legitimate purposes only. We will not process your information for any purpose incompatible with those listed below without obtaining your consent.
| Purpose | Description |
|---|---|
| Service delivery | To receive your messages, generate AI responses, and deliver them back to you via WhatsApp or Telegram. |
| Conversation memory | To store conversation history so the AI can maintain context and continuity across sessions. |
| Billing and payments | To calculate message costs, manage your account balance, process payments, and execute automatic top-ups. |
| Account management | To create and maintain your account, track onboarding progress, and manage your preferences. |
| Communications | To send you service-related messages (payment confirmations, balance notifications) and formal email communications if you provide your email address. |
| Service improvement | To analyse aggregate, anonymised usage patterns (message volumes, message type distribution, persona popularity) to improve the service. We do not analyse individual conversation content for this purpose. |
| Legal compliance | To comply with legal and regulatory obligations, respond to lawful requests, and protect our legal rights. |
6. Lawful Basis for Processing
We process your personal information on the following legal bases:
6.1 Under POPIA (South Africa)
| Lawful Basis (POPIA Section) | Applicable Processing |
|---|---|
| Section 11(1)(a) — Consent | You provide explicit consent during onboarding by replying "AGREE" to the disclaimer, which references the Terms and this Privacy Policy. Consent for automatic top-ups is given when you provide card details. |
| Section 11(1)(b) — Necessary for contract performance | Processing your messages, generating AI responses, managing your account balance, and processing payments are all necessary to perform the service you have contracted for. |
| Section 11(1)(d) — Legitimate interest | Aggregate, anonymised usage analytics for service improvement, and fraud prevention. |
| Section 11(1)(c) — Legal obligation | Retention of transaction records as required by tax and financial regulations. |
6.2 Under GDPR (European Economic Area)
If you are located in the EEA, the following lawful bases apply:
| Lawful Basis (GDPR Article) | Applicable Processing |
|---|---|
| Article 6(1)(a) — Consent | Explicit consent provided during onboarding for data processing, including cross-border transfers and AI processing of your data. |
| Article 6(1)(b) — Contract performance | Processing necessary to deliver the service you have requested: message processing, AI response generation, billing. |
| Article 6(1)(f) — Legitimate interests | Anonymised analytics, fraud prevention, and service security. We have conducted a balancing test and concluded these interests do not override your rights. |
| Article 6(1)(c) — Legal obligation | Financial record-keeping, tax compliance, and lawful data requests. |
6.3 Under UK GDPR (United Kingdom)
If you are located in the United Kingdom, the lawful bases under the UK GDPR and the Data Protection Act 2018 are substantially the same as those under the EU GDPR listed in Section 6.2 above.
You may withdraw your consent at any time by cancelling your account (see Section 12). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
7. How We Use Your Information
7.1 AI Processing of Conversations
When you send a message to Pocket Friend, we transmit the following to OpenAI's API for processing:
- Your current message (text, transcribed voice note, image description, document summary, or location context).
- Your recent conversation history (up to 50 previous messages) to maintain context.
- A summary of your earlier conversations (if available) for long-term memory.
- The system prompt for your selected persona (this does not contain your personal information).
OpenAI processes this data to generate a response. According to OpenAI's data usage policy for API customers, data submitted through the API is not used to train or improve OpenAI's models unless you explicitly opt in. We have not opted in to model training with user data.
OpenAI retains API inputs and outputs for up to 30 days for abuse monitoring purposes, after which they are automatically deleted. Pocket Friend does not have a Zero Data Retention (ZDR) agreement with OpenAI. For more information, see OpenAI's data controls documentation.
7.2 What We Do NOT Do With Your Data
- We do not sell, rent, or trade your personal information to third parties.
- We do not use your conversations for advertising or marketing purposes.
- We do not provide your data to advertisers or data brokers.
- We do not use your data to train AI models.
- We do not profile you for marketing, credit scoring, or automated decision-making with legal effects.
- We do not share your conversations with other users.
8. Third-Party Data Processors
We use the following third-party services to operate Pocket Friend. Each processes your data only for the specific purposes described and under contractual obligations to protect your data:
| Processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Meta / WhatsApp (WhatsApp Business API) | United States / EU | Message delivery platform (WhatsApp users) | Phone number, display name, message content in transit |
| Telegram (Telegram FZ-LLC) | United Arab Emirates | Message delivery platform (Telegram users) | Telegram user ID, chat ID, first name, message content in transit |
| OpenAI | United States | AI text generation, speech-to-text, text-to-speech | Message content, conversation history, voice audio (transient) |
| Supabase (PostgreSQL hosting) | European Union | Database storage | All stored data: user records, conversation history, transactions |
| Paystack | South Africa | Payment processing (South African users) | Payment card details (tokenised), transaction amounts |
| Peach Payments | South Africa | Payment processing (international users) | Payment card details (tokenised), transaction amounts |
| Resend | United States | Email delivery | Email address (if provided), email content |
| N8N GmbH | Germany (EU) | Workflow automation | Message data in transit during processing |
We require all third-party processors to process personal information only on our documented instructions and to implement appropriate technical and organisational security measures. Where required, we maintain Data Processing Agreements (DPAs) with these processors.
9. International Data Transfers
Your personal information may be transferred to and processed in countries outside South Africa and outside the European Economic Area (EEA), specifically the United States (for OpenAI, Meta, and Resend processing) and the United Arab Emirates (for Telegram processing).
9.1 Safeguards for International Transfers
We implement the following safeguards for cross-border data transfers:
- POPIA Section 72: Transfers are made to recipients bound by law, binding agreement, or binding corporate rules that provide an adequate level of protection (Section 72(1)(a)).
- Consent: By agreeing to the Terms and this Privacy Policy during onboarding, you provide informed consent to these international transfers (POPIA Section 72(1)(b) and GDPR Article 49(1)(a)).
- Contractual necessity: Transfers to OpenAI, WhatsApp, and Telegram are necessary to perform the service you have contracted for (GDPR Article 49(1)(b)).
- Standard Contractual Clauses (SCCs): Where applicable, we rely on EU-approved Standard Contractual Clauses with processors located outside the EEA.
We assess the data protection laws and practices of destination countries and implement supplementary measures where necessary to ensure an essentially equivalent level of protection.
10. Data Retention
We retain your personal information only for as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods are:
| Data Type | Retention Period | Reason |
|---|---|---|
| Conversation history | 90 days from creation | Conversation memory and continuity. Automatically deleted after 90 days. |
| Conversation summaries | Until account deletion | Long-term memory continuity across 90-day conversation cycles. Deleted when you delete your account. |
| User account data | Duration of account + 30 days | Service operation. Deleted 30 days after account cancellation. |
| Transaction records | 5 years from transaction date | Tax and financial regulatory requirements (Income Tax Act, VAT Act). |
| Voice recordings | Not retained | Discarded immediately after transcription to text. |
| Images | Not retained | Discarded immediately after AI interpretation. Only a text description is stored. |
| PDF documents | Not retained | Discarded immediately after summarisation. Only a text summary is stored. |
| Payment card tokens | Duration of account | Automatic top-up processing (Paystack and Peach Payments tokens). Deleted upon account cancellation. |
| Email address | Duration of account + 30 days | Formal communications. Deleted with account data. |
| Support tickets | Duration of account + 30 days | Support record-keeping. Deleted with account data. |
| OTP codes | Until used or expired (max 24 hours) | Website portal authentication. Automatically purged. |
| Session tokens | Duration of session (default 1 hour) | Website portal access. Automatically expired. |
When retention periods expire, data is permanently deleted from our systems and from our third-party processors' systems where technically feasible. We run automated cleanup processes daily to enforce these retention periods.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
11.1 Technical Measures
- Encryption in transit: All data transmitted between your device and our systems, and between our systems and third-party processors, is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: Database storage (Supabase) uses AES-256 encryption for data at rest.
- Access controls: Database access requires authentication with service role keys. API keys are stored securely and are not exposed in client-side code.
- Tokenised payments: Full card numbers are never stored on our systems. Payment processing uses PCI-DSS compliant tokenisation through Paystack and Peach Payments.
- Immediate media disposal: Voice recordings, images, and PDF documents are processed in memory and discarded — they are not written to persistent storage.
11.2 Organisational Measures
- Access to personal information is limited to authorised personnel only.
- Third-party processors are selected based on their security practices and are contractually required to maintain appropriate security measures.
- We regularly review and update our security measures in line with industry best practices.
11.3 Limitations
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. WhatsApp provides end-to-end encryption for messages between users, but messages received via the WhatsApp Business API are decrypted for processing. This is a requirement of the WhatsApp Business API and is outside our control.
12. Your Rights
You have the following rights regarding your personal information. These rights apply under both POPIA and GDPR (where applicable):
12.1 Right of Access
You may request a copy of the personal information we hold about you, including your conversation history. We will provide this in a commonly used electronic format (JSON or CSV) within 30 days of your request.
12.2 Right to Correction
You may request that we correct or update any inaccurate personal information we hold about you.
12.3 Right to Deletion ("Right to Be Forgotten")
You may request that we delete all personal information we hold about you. To exercise this right, delete your account via the Pocket Friend website portal, or email support@pocketfriend.co.za. Upon verified request, we will:
- Delete your user account record.
- Delete all conversation history and summaries associated with your account.
- Delete your payment token (preventing further charges).
- Retain transaction records only where required by law (financial/tax regulations — see Section 10).
Deletion will be completed within 30 days of your verified request. Please note that deletion is permanent and cannot be reversed.
12.4 Right to Data Portability
You may request that we provide your personal information in a structured, commonly used, machine-readable format (JSON) so that you may transfer it to another service. This includes your conversation history and account data.
12.5 Right to Object
You may object to the processing of your personal information where we rely on legitimate interest as the lawful basis. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
12.6 Right to Restrict Processing
You may request that we restrict the processing of your personal information while we verify the accuracy of the data, assess whether our legitimate interests override your rights, or determine whether processing is unlawful.
12.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time. The simplest way to do this is to delete your account via the website portal. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
12.8 How to Exercise Your Rights
To exercise any of these rights:
- Via the website portal: Log in at pocketfriend.co.za/portal to manage your profile, view your data, or delete your account.
- Via email: Send your request to support@pocketfriend.co.za including the phone number associated with your account.
- Via post: Write to Pocket Friend (Pty) Ltd, PO Box 188, Suite 23, Robertson, Western Cape, 6705, South Africa.
We will respond to all requests within 30 days. If a request is complex, we may extend this by an additional 60 days and will inform you of the reason. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.
13. Automated Decision-Making
In accordance with POPIA Section 71 and GDPR Article 22, we inform you of the following automated processing:
| Automated Process | Description | Impact |
|---|---|---|
| AI response generation | Your messages are processed by AI to generate conversational responses. | Determines the content of AI replies. No legal or similarly significant effect. |
| Language detection | The system automatically detects the language of your message and responds accordingly. | Determines response language. No significant effect. |
| Dynamic pricing | Message costs are calculated automatically based on AI processing costs. | Determines the amount charged. Financial impact is minimal (fractions of a Rand, Dollar, Pound, Euro, or Australian Dollar per message). |
| Automatic top-up | Your card is automatically charged when your balance drops below the threshold. | Financial impact — you consented to this during onboarding and may cancel at any time. |
None of these automated processes produce decisions with legal effects or similarly significant effects on you. You have the right to request human review of any automated decision by contacting us.
14. AI Transparency and Disclosure
In compliance with OpenAI's usage policies and the EU AI Act (Regulation (EU) 2024/1689), we provide the following transparency disclosures:
- AI system interaction: Every response from Pocket Friend is generated by an artificial intelligence system. You are never communicating with a human.
- AI-generated voice content: Voice notes sent by Pocket Friend are synthetic speech generated by AI text-to-speech technology. They are not recordings of any real person.
- AI-generated text content: All text responses are generated by AI language models provided by OpenAI and may contain inaccuracies or fabricated information. The specific models used may change over time as technology evolves.
- Machine-readable marking: In accordance with EU AI Act Article 50(2), AI-generated audio and text content may include machine-readable markers indicating its artificial origin, where technically feasible.
- No model training: Your conversations are not used to train or improve AI models. OpenAI's API data usage policy confirms that API inputs and outputs are not used for model training.
- Persona configuration: Each companion persona has pre-configured instructions that shape the AI's tone and style. These instructions do not contain your personal information. The persona you select affects the style of responses but not the AI technology used.
15. Children's Privacy
Pocket Friend is strictly for users aged 18 and older. We do not knowingly collect personal information from anyone under 18.
In South Africa, POPIA Section 35 requires prior consent from a competent person (parent or guardian) for processing the personal information of children (persons under 18). Given the nature of this service — a paid companion with automatic financial transactions — parental consent alone is insufficient. We require users to be 18 or older.
If we become aware that a user is under 18, we will immediately suspend the account and delete all associated personal information. If you believe a child under 18 is using Pocket Friend, please contact us at support@pocketfriend.co.za.
16. Cookies and Tracking Technologies
The Pocket Friend service operates primarily through WhatsApp and Telegram. We do not use cookies, pixels, tracking scripts, or similar technologies within the messaging service itself.
Our website at pocketfriend.co.za uses sessionStorage (a browser feature similar to cookies) to manage your login session on the website portal. This data is temporary and is cleared when you close your browser tab. We do not use persistent cookies for tracking purposes.
Our website loads fonts from Google Fonts, which involves requests to Google's servers. No other third-party tracking or analytics services are currently in use on our website.
If we introduce any analytics or third-party cookies in the future, we will update this section and implement a cookie consent mechanism in accordance with applicable law. Website analytics, if introduced, will not track or link to your WhatsApp or Telegram activity or Pocket Friend account.
17. United Kingdom Data Protection
If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to our processing of your personal data. Your rights under UK data protection law are substantially similar to those described in Section 12.
The supervisory authority for data protection in the United Kingdom is the Information Commissioner's Office (ICO). You may contact the ICO at ico.org.uk or by calling 0303 123 1113.
18. US State Privacy Rights
If you are a resident of California, Colorado, Connecticut, Virginia, or another US state with comprehensive privacy legislation, you may have additional rights regarding your personal information. These include:
- The right to know the categories and specific pieces of personal information we have collected about you.
- The right to request deletion of your personal information (subject to certain legal exceptions).
- The right to opt out of the sale or sharing of your personal information — Pocket Friend does not sell or share personal information with third parties for advertising or marketing purposes.
- The right not to be discriminated against for exercising your privacy rights.
Categories of personal information collected (per CCPA/CPRA definitions): Identifiers (phone number, email address, nickname); Commercial information (transaction records, account balance); Internet or electronic network activity (message metadata, timestamps); Inferences (conversation summaries generated by AI).
To exercise any of these rights, contact us using the details in the Contact Information section.
19. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Regulator (South Africa) as soon as reasonably possible, as required by POPIA Section 22.
- Notify you directly via email (and WhatsApp or Telegram where possible) as soon as reasonably possible after becoming aware of the breach.
- Where the breach affects users in the EEA, notify the relevant Supervisory Authority within 72 hours as required by GDPR Article 33, and notify affected individuals without undue delay where there is a high risk to their rights (GDPR Article 34).
- Where the breach affects users in the United Kingdom, notify the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR.
Notification will include a description of the nature of the breach, the likely consequences, the measures taken to address the breach, and recommendations for you to protect yourself.
20. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The updated policy will be published at pocketfriend.co.za/privacy.html with a new "Last Updated" date.
- For material changes (changes to what data we collect, how we use it, or who we share it with), we will notify you via email at least 14 days before the changes take effect. It is your responsibility to ensure you have a valid email address on file (see our Terms and Conditions, Section 16.1).
- Continued use of the service after the effective date constitutes acceptance of the updated policy.
21. Complaints
If you believe your personal information has been processed in violation of this policy or applicable data protection law, you have the right to lodge a complaint with:
21.1 The Information Regulator (South Africa)
| Website | inforegulator.org.za |
| Email | complaints.IR@justice.gov.za |
| Phone | 010 023 5207 |
21.2 EEA Data Protection Authorities
If you are located in the EEA, you may lodge a complaint with the Supervisory Authority in your country of residence. A list of EEA Data Protection Authorities is available at the European Data Protection Board website.
21.3 UK Information Commissioner's Office
| Website | ico.org.uk |
| Phone | 0303 123 1113 |
| Post | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom |
21.4 United States
Users in the United States may contact the Attorney General of their state of residence.
21.5 Internal Complaints
We encourage you to contact us first so we can try to resolve your concern directly. You can reach us at support@pocketfriend.co.za. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.
22. Contact Information
For any questions, requests, or concerns about this Privacy Policy or our data practices:
| Email | support@pocketfriend.co.za |
| WhatsApp | Send a message to Pocket Friend |
| Telegram | Send a message to Pocket Friend on Telegram |
| Post | Pocket Friend (Pty) Ltd, PO Box 188, Suite 23, Robertson, Western Cape, 6705, South Africa |
