Privacy PolicyLast updated: 22 August 2025

This Privacy Policy explains how Zentrya (“Zentrya”, “we”, “us” or “our”) collects, uses, discloses and safeguards Personal Information when you visit our websites, use our WhatsApp/Meta-integrated solutions, live-agent tools, and related services, or otherwise interact with us. It is intended to comply with the Protection of Personal Information Act, 4 of 2013 (POPIA) and, where applicable, the EU/UK GDPR. Where we provide services to business clients (“Clients”), we act as an operator/processor on their instructions; for our own website, accounts, and direct dealings, we act as a responsible party/controller.

1) Who we are & contact

Responsible Party (controller): Zentrya ({Registered company name & number here}).
Registered address: {Physical address here} (South Africa).

Data Protection Contact / Information Officer: privacy-security@zentrya.co.za • General enquiries: s.finger@zentrya.co.za.

Controller vs Operator (POPIA): For our website visitors, leads, and account holders, Zentrya is a Responsible Party. For end users interacting with Client solutions we provide (e.g., a Client’s WhatsApp chatbot), Zentrya is an Operator processing on the Client’s documented instructions.

2) Scope & applicability

This Policy covers: (i) zentrya.co.za and related subpages; (ii) our hosted services, APIs, chatbots and live-agent tools; and (iii) interactions with Zentrya-powered Client solutions. Where you use a Client’s solution, the Client’s own privacy policy also applies and will prevail for their purposes.

3) Key definitions (POPIA-aligned)

  • Personal Information includes information relating to an identifiable, living natural person, and where applicable, an identifiable, existing juristic person (company), such as names, contact details, identifiers, online identifiers, and records.
  • Special Personal Information includes, inter alia, children’s data, health, biometric, or criminal behaviour information; we do not intentionally collect such data unless necessary and lawful (e.g., on Client instruction with proper consent/authority).
  • Responsible Party and Operator have the meanings in POPIA (controller/processor analogues).

4) Information we collect & typical sources

  • Contact & account data: name, email, phone, company, role, login identifiers, authentication metadata.
  • Communications & content: messages and media sent via our services (e.g., WhatsApp Business Platform), support chats, delivery/read metadata from messaging platforms (for routing, analytics, and troubleshooting).
  • Business assets & IDs: Client-provided assets (e.g., Facebook Pages, Instagram Business accounts, WhatsApp Business Accounts, catalogs) and configuration data to enable features.
  • Commerce & operational records: order references, appointments, tickets, audit trails, where integrated with systems such as WooCommerce or IQ Retail.
  • Technical & analytics data: device/browser, IP address, cookies, usage logs, crash reports, performance metrics.

5) Lawful bases & POPIA conditions

We process Personal Information in accordance with POPIA’s conditions of lawful processing, including: Accountability; Processing Limitation (lawfulness, minimality, consent/justification); Purpose Specification; Further Processing Limitation; Information Quality; Openness; Security Safeguards; and Data Subject Participation. Depending on context we rely on: consent; performance of a contract; legitimate interests (e.g., operating and improving our services, preventing abuse); legal obligations; and, when acting for a Client, the Client’s written instructions.

6) How we use information (purposes)

  • Provide, operate, secure and improve Zentrya services and Client solutions.
  • Enable messaging, automation, catalog lookup, analytics, and live-agent handoff.
  • Comply with platform terms (e.g., Meta) and enforce acceptable use.
  • Communicate service updates, security notices, and billing/administration.
  • Debugging, monitoring, and quality assurance.
  • Legal, regulatory and tax compliance; record-keeping.

7) Direct marketing (POPIA s69)

We do not send direct electronic marketing without the required consent or a lawful basis. You may opt out at any time via in-message controls or by emailing privacy-security@zentrya.co.za.

8) Sharing & disclosure

  • Clients: Where we act as Operator, we process and disclose information as instructed by the Client and to their authorised staff.
  • Service providers / sub-processors: hosting, cloud, analytics, communications, security, payment or CRM providers engaged under written contracts imposing confidentiality and appropriate safeguards. A list of principal sub-processors is available on request.
  • Platform providers: Meta platforms (e.g., WhatsApp Business Platform, Facebook, Instagram) as necessary to deliver requested features in line with their terms and policies.
  • Legal & compliance: disclosures required by law, legal process, or to protect rights, safety, systems, and integrity.
  • Business transfers: in connection with mergers, acquisitions, financing or similar transactions, subject to continued protections.

9) Cross-border transfers (POPIA s72)

We may process/store data in South Africa and other countries. Where cross-border transfers occur, we implement appropriate safeguards (e.g., contractual clauses; binding agreements with Operators) or rely on an applicable justification (consent; necessity for a contract; interests of the data subject; or adequate protection in the recipient jurisdiction).

10) Security (POPIA s19)

We maintain appropriate technical and organisational measures, including access controls, encryption in transit, logging, least-privilege principles, and backups. While no system is perfectly secure, we continuously assess and improve our safeguards. Report suspected incidents to privacy-security@zentrya.co.za.

11) Breach notification (POPIA s22)

In the event of a reasonable belief that a security compromise has occurred, we will notify the Information Regulator and affected data subjects without undue delay, in the manner required by law and our contractual commitments.

12) Children

Our services are not directed to children under 13 (or the age defined by local law). We do not knowingly process children’s Personal Information without appropriate consent/ authorisation and Client instruction where applicable. If you believe a child has provided Personal Information to us contrary to this clause, contact privacy-security@zentrya.co.za.

13) Cookies & tracking

We use essential cookies and similar technologies to operate the site and optional analytics to understand usage. Where required, we obtain consent for non-essential cookies. Your browser may offer settings to manage cookies. Disabling certain cookies may affect functionality.

14) Your rights (POPIA & GDPR where applicable)

Subject to limits in law and our role (Responsible Party vs Operator), you may have rights to access, correct/rectify, delete/erasure, restrict, object to processing (including direct marketing), withdraw consent, and data portability. We will respond in accordance with applicable law and our contracts with Clients.

  • If you used a Client’s solution: please address your request to the Client (Responsible Party). We will assist them as Operator.
  • If you interacted directly with Zentrya: email privacy-security@zentrya.co.za.

15) Retention

We retain Personal Information only as long as necessary for the purposes set out in this Policy (or as required by law/contract). Where we act as Operator, retention is governed by the Client’s documented instructions. On expiry, we delete or de-identify data, unless continued retention is legally permitted or required.

16) Meta/WhatsApp-specific disclosures

  • Our solutions may use the WhatsApp Business Platform and Meta APIs (e.g., Facebook/Instagram). Message content and delivery/read events may be processed to route, respond, prevent abuse, and provide analytics as authorised by you or a Client.
  • Your use of Meta properties remains subject to Meta’s terms and policies. We do not sell Personal Information and do not share it for independent third-party direct marketing.
  • Data Deletion Instructions: If you interacted with a Zentrya-operated bot or service and wish to request deletion, you may (i) send “DELETE MY DATA” via the same channel you used (e.g., the WhatsApp conversation), or (ii) email privacy-security@zentrya.co.za with sufficient detail to identify your records (phone number/email used, service name, and approximate dates). If your interaction was with a Client’s service, we will notify and assist the Client (Responsible Party) to action the request.

17) Third-party sites & services

Our site or services may link to third-party sites or services. Their privacy practices are governed by their own notices and terms. We are not responsible for third-party policies, content, or practices.

18) Operator agreements & sub-processors

Where we act as Operator for a Client, our processing is governed by a written agreement meeting POPIA requirements. We engage sub-processors under written contracts imposing equivalent protections. A current list of principal sub-processors is available on request and may include hosting providers, analytics, communications and security vendors, and Meta platforms.

19) Complaints & regulator contact

If you have concerns, please contact us first at privacy-security@zentrya.co.za. If unresolved, you may lodge a complaint with the Information Regulator (South Africa) via its official website or prescribed channels.

20) Changes to this Policy

We may update this Policy from time to time to reflect legal, technical, or business changes. Material changes will be highlighted or communicated where appropriate. The Last updated date above reflects the effective date of the current version.

21) Governing law & jurisdiction

This Policy and any dispute or claim arising out of or in connection with it shall be governed by the laws of the Republic of South Africa. Subject to applicable law, you agree to the non-exclusive jurisdiction of the courts of South Africa (Gauteng).

Implementation notes (non-binding): populate registered details and address; keep a sub-processor register; align cookie banner to your analytics; and ensure your deletion flow (keyword or help menu) routes requests to privacy-security@zentrya.co.za or the Client where we act as Operator. Maintain records of processing and breach playbooks under POPIA.