Privacy Policy | Alethia Intelligence
Legal

Privacy Policy

Effective Date: February 8, 2026 Last Updated: February 8, 2026

1. Introduction

Alethia Intelligence ("Alethia", "we", "our", or "us") operates the Alethia platform — an AI-powered marketing infrastructure tool accessible at alethia-intelligence.ai. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.

By using Alethia, you agree to the collection and use of information in accordance with this policy. If you do not agree with these terms, please do not use our services.

This policy applies to all users of the Alethia platform regardless of your location. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Protection of Personal Information Act (POPIA), and other applicable data protection laws.

2. Data We Collect

2.1 Account Data

When you register for Alethia, we collect:

  • Name — to personalise your account
  • Email address — for authentication and communications
  • Password — stored as a hashed value using PBKDF2 with a per-user salt (never stored in plain text)
  • Company or agency name — for account context and multi-tenant management
  • Account preferences and settings — to customise your experience

2.2 Usage Data

We collect information about how you use Alethia, including:

  • Actions performed within the platform (audits run, changes approved, reports generated)
  • Features accessed and frequency of use
  • Error logs and diagnostic information
  • Session timestamps and duration

This data is used to improve the platform, diagnose issues, and calculate usage against your plan limits.

2.3 Platform Integration Data

When you connect your advertising and marketing platforms to Alethia, we access data from those platforms on your behalf. See Section 3 for full details on what we access from each platform.

2.4 Contact Form Data

If you submit a contact form, we collect your name, email address, company name, and the content of your message in order to respond to your enquiry.

2.5 Technical Data

We may collect limited technical data to operate and secure the service:

  • IP address (for security logging and rate limiting — not used for tracking or profiling)
  • Browser and device type (for compatibility)
  • Referring URL (to understand how users find us)

3. Platform Integration Data

Alethia integrates with seven advertising and marketing platforms. When you connect a platform, we request OAuth 2.0 authorisation to access that platform's API on your behalf. We request only the minimum permissions necessary.

3.1 Google Tag Manager

  • What we access: GTM container configurations, tags, triggers, variables, workspaces, and version history
  • Read access: Container structure and configuration data
  • Write access: Creating workspaces, publishing versions — all writes require your explicit approval through our 3-layer safety chain
  • Why: To audit your GTM setup, detect issues, and apply approved fixes

3.2 Google Ads

  • What we access: Campaign structure, ad groups, keywords, bids, budgets, performance metrics, conversion data
  • Scopes: google.ads.readonly and google.ads.management (all mutations require your approval)
  • Why: To analyse campaign performance and recommend optimisations

3.3 Meta Ads (Facebook)

  • What we access: Campaign structure, ad sets, creatives, audience definitions, and performance metrics
  • Scopes: read_insights, ads_read (read-only access to ad data)
  • Why: To analyse Meta campaign performance and provide recommendations
  • Data deletion: We have implemented Meta's data deletion callback. When requested, all Meta-sourced data is deleted from our systems within 30 days.

3.4 LinkedIn Ads

  • What we access: Campaign performance data, ad analytics, audience reporting
  • Scopes: r_ads, r_ads_reporting (read-only)
  • Why: To analyse LinkedIn campaign performance and provide reporting

3.5 TikTok Ads

  • What we access: Campaign structure, ad groups, creatives, audience data, TikTok Pixel events, and performance metrics
  • Scopes: TikTok Ads API — campaign management with human approval required on all write operations
  • Why: To manage TikTok advertising campaigns and validate TikTok Pixel implementation
  • Data handling: TikTok platform data is processed on your behalf and stored in your isolated tenant database partition. We do not use TikTok data for any purpose other than providing the Alethia service to you.
  • Retention: TikTok OAuth tokens are deleted immediately upon disconnecting the platform. Cached metrics are retained for 24 hours, then purged.

3.6 Google Analytics 4 (GA4)

  • What we access: Website analytics data including sessions, users, pageviews, events, conversions, ecommerce transactions, and real-time visitor information
  • Scopes: analytics.readonly (read-only access to reporting data), analytics.edit (property and stream configuration management)
  • Why: To provide acquisition reporting, conversion tracking, campaign performance analysis, audience insights, and cross-platform ROAS validation

3.7 Google Search Console

  • What we access: Search performance data (queries, pages, clicks, impressions, CTR, position), URL inspection results, sitemap submission status, and index coverage reports
  • Scopes: webmasters.readonly (read-only access to Search Console data)
  • Why: To analyse organic search performance, monitor indexing status, manage sitemaps, and cross-reference organic data with paid campaign performance

3.8 OAuth Token Handling

All OAuth access tokens from all platforms are:

  • Encrypted at rest using AES-256
  • Stored in your isolated tenant database partition
  • Used only to make API calls on your behalf
  • Deleted immediately when you disconnect a platform
  • Never shared with third parties
  • Never used for any purpose other than operating the Alethia service

4. How We Use Your Data

We use your personal information for the following purposes:

  • Service delivery: To operate the Alethia platform, process your requests, and provide the features you've subscribed to
  • Account management: To create and manage your account, authenticate you, and enforce your access permissions
  • Usage metering: To calculate your usage against your plan limits and enforce fair-use policies
  • Customer support: To respond to your questions, troubleshoot issues, and communicate important service updates
  • Security: To detect and prevent fraud, abuse, and security threats; to enforce our Terms of Service
  • Service improvement: To understand how the platform is used, identify bugs, and improve features
  • Legal compliance: To comply with applicable laws, regulations, and legal processes
  • Billing: To process payments and manage your subscription (payment processing is handled by our payment processor, PayFast — we do not store card details)

We do not: sell your data, use your data for advertising, share your data with data brokers, or use platform-sourced data for any purpose other than operating the Alethia service for you.

5. Data Sharing & Third Parties

We do not sell, trade, or rent your personal information to third parties.

We may share information with the following categories of third parties in order to operate the service:

5.1 Infrastructure Providers

  • Google Cloud Platform (GCP): Hosting, compute, and database infrastructure
  • Supabase: Database management and authentication infrastructure
  • Cloudflare: CDN, DDoS protection, and DNS management

5.2 Payment Processing

  • PayFast: Payment processing for subscription billing. PayFast processes payment data under their own privacy policy. We do not store card numbers or payment credentials.

5.3 Legal Disclosure

We may disclose your information if required by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or protect the safety of our users.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, user data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

6. Data Storage & Retention

Data is stored on Google Cloud Platform infrastructure in data centres that meet SOC 2 Type II standards. All data is encrypted at rest and in transit.

Data Type Retention Period
Account data (name, email, settings) Until account deletion + 30 days
OAuth platform tokens Until platform disconnected — then immediately deleted
GTM audit results 90 days
Ad platform data (cached metrics) 24 hours
Action audit logs 90 days
Session tokens 24 hours maximum
Contact form submissions Until the enquiry is resolved + 90 days
Security logs (IP, timestamps) 30 days

7. Security Measures

We implement industry-standard security measures to protect your personal information:

  • Encryption in transit: All data is transmitted over HTTPS with TLS 1.2 or higher
  • Encryption at rest: All stored data is encrypted using AES-256
  • Password security: Passwords are hashed using PBKDF2 with per-user salts — never stored in plain text
  • OAuth security: OAuth state parameters are HMAC-signed to prevent CSRF attacks
  • Database isolation: Row-level security (RLS) policies enforce tenant isolation at the database layer
  • Access controls: Minimum privilege access; internal access to production systems is restricted and logged
  • Cloudflare protection: DDoS mitigation, WAF, and bot management at the network edge

While we implement robust security measures, no system is 100% secure. We encourage you to use a strong, unique password for your Alethia account and to report any security concerns to [email protected].

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights Under GDPR (EU / EEA Users)

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: Request that we limit how we process your data
  • Right to data portability: Request your data in a machine-readable format
  • Right to object: Object to processing of your data for certain purposes
  • Rights related to automated decision-making: Opt out of solely automated decisions that significantly affect you

8.2 Rights Under CCPA (California Users)

  • Right to know: Request disclosure of the categories and specific pieces of personal data we've collected about you
  • Right to delete: Request deletion of your personal data
  • Right to opt-out: We do not sell personal data — there is nothing to opt out of
  • Right to non-discrimination: You will not be discriminated against for exercising your privacy rights

8.3 Rights Under POPIA (South African Users)

  • Right to access: Request access to personal information we hold about you
  • Right to correction/deletion: Request that we correct, destroy, or delete your personal information
  • Right to object: Object to the processing of your personal information
  • Right to complain: Lodge a complaint with the Information Regulator (South Africa)

To exercise any of these rights, contact us at [email protected] or through our contact page. We will respond within 30 days (or within the timeframe required by applicable law).

9. Data Deletion

All users, regardless of location or jurisdiction, may request deletion of their personal data at any time. This right is not limited to users in GDPR, CCPA, or POPIA jurisdictions — it applies to everyone.

To request deletion of your data:

  • Account deletion: Delete your account through the Settings page in the Alethia dashboard. Your account data will be deleted within 30 days.
  • Platform data: Disconnect any platform integration to immediately delete the associated OAuth tokens and stop data access from that platform.
  • Full data deletion request: Email [email protected] with subject line "Data Deletion Request" and we will permanently delete all data associated with your account within 30 days.

Following deletion, your data will be purged from all active systems. Backup systems may retain data for up to an additional 30 days before being overwritten by routine backup rotation.

10. Cookies & Tracking

Alethia uses minimal tracking technology:

10.1 Session Tokens

We use localStorage (not cookies) to store your authentication session token. This token identifies your authenticated session and expires after 24 hours. It is not accessible to third-party scripts and is not transmitted to any party other than Alethia's servers.

10.2 No Tracking Cookies

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not track you across websites. We do not use Google Analytics, Facebook Pixel, or similar cross-site tracking technologies on the Alethia platform itself.

10.3 Essential Cookies

If any cookies are used (e.g., for CSRF protection or load balancing), they are strictly necessary for the operation of the service and do not track you across sessions or across sites.

11. Children's Privacy

Alethia is a professional business-to-business service not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately at [email protected] and we will delete the information promptly.

12. Data Protection Officer

Alethia Intelligence has designated a point of contact for all data protection matters. For GDPR-related enquiries, data subject requests, or questions about our data processing practices, please contact:

Data Protection Contact
Alethia Intelligence
Cape Town, South Africa
Email: [email protected]

EU residents may also lodge a complaint with their local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

South African residents may lodge a complaint with the Information Regulator of South Africa at justice.gov.za/inforeg.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Sending an email notification to your registered email address
  • Displaying a prominent notice on the Alethia platform
  • Updating the "Last Updated" date at the top of this policy

Your continued use of Alethia after the effective date of any changes constitutes your acceptance of the updated policy. If you disagree with any changes, you may delete your account before the effective date.

14. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Alethia Intelligence
Cape Town, South Africa
General: [email protected]
Privacy: [email protected]
Security: [email protected]

We take all privacy enquiries seriously and aim to respond within 5 business days.

Questions about our policies?

Contact Us [email protected]