Privacy

What we collect, and why.

Last updated: 20 May 2026

StratCon (Pty) Ltd operates in line with South Africa’s Protection of Personal Information Act (POPIA). This page explains, in plain English, what data we hold about you and what we do with it.

1. What we collect

Account data — the things you tell us when signing up:

  • Name, email address, company name (if you give it).
  • Password (stored as a one-way hash; we never see your actual password).
  • VAT number (optional, if you want it on your invoices).

Payment data — held by Paystack, not us:

  • Card numbers, CVV, and expiry are stored by Paystack (PCI-DSS Level 1). We never see them.
  • We hold a reusable authorisation token, plus display-only metadata: last 4 digits, card brand, expiry month/year, issuing bank. Enough for you to recognise your own card on the settings page.

Service data — what your account uses:

  • The agents you’ve created (name, personality config, channel details like a Telegram bot token).
  • Per-day token usage counts for billing.
  • The messages you exchange with your assistant, retained for context across conversations.

Operational data — standard server stuff:

  • IP addresses and timestamps for sign-in attempts and rate-limiting.
  • Application logs for debugging and security.

2. Why we collect it

  • To provide the service — running your agents, processing your messages, charging your card.
  • To bill correctly — usage tracking, invoice generation, VAT compliance.
  • To support you — so when you email us we can find your account and help.
  • To keep the platform secure — spotting abuse, debugging incidents, complying with our model providers’ rules.

3. Who we share it with

As few parties as possible. Specifically:

  • Paystack — for payment processing. They’re a registered SA payment provider and PCI-DSS Level 1 compliant.
  • Model providers (Anthropic, OpenAI, etc.) — the conversations you send to your assistant are processed by whichever model you’ve selected. They process inbound messages to generate replies and don’t store conversations long-term or use them to train models, per their own data policies.
  • SendGrid — for delivering transactional email (invoices, welcomes, payment receipts).
  • Hetzner — our hosting provider. Data is encrypted in transit and at rest on their infrastructure.

We never sell your data, and we don’t share it with advertisers, data brokers, or marketing platforms.

4. Where it lives

Our primary database is hosted in Germany (Hetzner’s Nuremberg region). This means your data crosses borders for storage. Hetzner is bound by GDPR (which has more stringent requirements than POPIA in most respects), and your data remains under the protection of POPIA contractually.

5. How long we keep it

  • Account and service data: for as long as your account is active, plus 7 years after closure to meet South African tax record requirements.
  • Assistant conversation history: indefinitely while your account is open, so your assistant remembers context. You can request deletion at any time.
  • Payment records: 7 years, per SARS / VAT Act requirements.
  • Server logs: 30 days for general logs, 12 months for security-related logs.

6. Your rights

Under POPIA you have the right to:

  • Access — ask for a copy of the personal data we hold about you.
  • Correct — ask us to fix anything inaccurate.
  • Delete — ask us to remove your data (subject to legal record-keeping requirements; we can’t delete invoice records before the 7-year SARS window expires, but we can anonymise other data).
  • Object — tell us to stop processing your data for specific purposes.
  • Complain — to us first, please, but also to the Information Regulator of South Africa if you’re unsatisfied with how we handle a complaint.

To exercise any of these rights, email hello@stratcon.solutions. We’ll respond within five business days.

7. Security

Data in transit is encrypted with TLS. Data at rest is encrypted on the database disk. Sensitive fields (Telegram bot tokens, Paystack authorisation codes) are additionally encrypted at the application layer. Passwords are hashed with bcrypt. We follow standard security practices but no system is 100% secure — if we ever experience a breach affecting you we’ll notify you within 72 hours.

8. Cookies and tracking

We use one session cookie to keep you signed in. We don’t use third-party tracking, ad pixels, or analytics that profile individual users. We may add lightweight aggregate analytics (page-view counts) later — if so this page will be updated.

9. Children

The service is not designed for children under 18 and we don’t knowingly collect data from anyone under that age.

10. Changes to this policy

Material changes get emailed to you 30 days before taking effect. Minor changes are noted by updating the “last updated” date above.

11. Information Officer

The Information Officer for StratCon (Pty) Ltd is Riaan van Straaten. Contact: hello@stratcon.solutions.