Privacy Policy
Product: ContextPlus
Data Operator / Processor: As identified in the Commercial Term Sheet (HaikuCode (Pty) Ltd or OneOneEleven BV — together, the "Service Provider")
Effective Date: 4 May 2026
Version: 1.0
1. Introduction and Scope
This Privacy Policy explains how the Service Provider collects, uses, stores, and protects personal information in connection with the ContextPlus platform (the "Service"). It applies to:
- Clients — organisations that have accepted the ContextPlus Terms of Service and been granted access to the Service;
- Authorised Users — individuals who access the Service on behalf of a Client; and
- Visitors — individuals who visit the ContextPlus website or communicate with the Service Provider.
This Policy must be read alongside the ContextPlus Terms of Service and, where applicable, the Data Processing Agreement (DPA) between the Service Provider and the Client.
The Service Provider entity that applies to the Client is identified in the Commercial Term Sheet. Where no Commercial Term Sheet has been executed, the relevant entity is determined by the Client's location: if the Client is based in South Africa, HaikuCode (Pty) Ltd is the relevant entity; if the Client is based in Europe or elsewhere, OneOneEleven BV is the relevant entity.
1.1 Two Distinct Data Relationships
ContextPlus operates in two distinct data protection roles:
(a) Service Provider as Operator / Data Processor
When a Client uploads documents, knowledge bases, or other content (CIK) into the Service, the Service Provider processes that content strictly on the Client's instructions and for no other purpose. In this context, the Client is the responsible party / data controller, and the Service Provider is the operator / data processor. The Service Provider makes no independent decisions about that data.
(b) Service Provider as Responsible Party / Data Controller
The Service Provider independently determines the purposes and means of processing certain personal information about Clients and Authorised Users — namely, account registration data, billing information, and platform usage analytics. In this context, the Service Provider is the responsible party / data controller.
This Policy addresses both roles. The DPA between the Service Provider and the Client separately governs the processing described in (a) above.
2. Privacy Contact, Data Protection Officer, and Information Officer
The Service Provider has designated a privacy contact who serves as both the Data Protection Officer (DPO) for the purposes of the GDPR and the Information Officer for the purposes of POPIA (section 55). All requests relating to personal information held by the Service Provider — including access requests, correction requests, and objections to processing — should be directed to:
Email: privacy@contextplus.ai
3. What Personal Information We Collect
3.1 Account and Registration Data (Service Provider as Controller)
When a Client creates an account or is onboarded to the Service, we collect:
- full name and job title of the primary account contact;
- organisation name and registered address;
- email address;
- billing and invoicing contact details; and
- communication records between the Service Provider and the Client.
During the Testing Period, no fees are charged and no payment data is collected. If a payment processor is engaged in a future commercial phase, this Policy will be updated and Clients will be notified in advance.
3.2 Authorised User Data (Service Provider as Controller)
When Authorised Users are provisioned by a Client, we collect:
- full name;
- business email address; and
- role or access level within the Client's account.
3.3 Usage and Technical Data (Service Provider as Controller)
When Authorised Users access the Service, we automatically collect:
- login timestamps and session duration;
- feature usage data (which features are used and how frequently);
- error and diagnostic logs;
- device type, browser type, and operating system; and
- IP address (which may be considered personal information under applicable law).
We use this data to operate, maintain, and improve the Service, to investigate security incidents, and to fulfil our legal and regulatory obligations. We do not use usage data to identify, profile, or make decisions about individual Authorised Users beyond what is necessary to provide the Service.
3.4 Client CIK and Submitted Personal Data (Service Provider as Processor)
Clients may upload or process CIK through the Service that contains personal information relating to the Client's own employees, clients, or customers. The Service Provider processes this information strictly as an operator / data processor on the Client's instructions. The Service Provider does not access, use, or disclose this information for any purpose beyond providing the Service.
The personal information in this category may include:
- employee names, contact details, and organisational information;
- client names and business information;
- proprietary documents, emails, and other business records; and
- any other personal information embedded in documents uploaded to the Service.
The Client remains solely responsible for the lawfulness of processing this information through the Service, including ensuring that appropriate data subject notifications and consents are in place.
3.5 Feedback
When Clients or Authorised Users provide Feedback (bug reports, feature requests, or other product input), we collect the content of that Feedback and associated contact information. Feedback may be used to improve the Service without restriction or compensation, as described in the Terms of Service.
4. How We Use Personal Information
4.1 Purposes for Which the Service Provider Acts as Controller
| Purpose | Lawful Basis |
|---|---|
| Account creation, management, and support | Performance of contract |
| Billing and invoicing | Performance of contract |
| Service operation and technical maintenance | Legitimate interests |
| Security monitoring and fraud prevention | Legitimate interests |
| Legal and regulatory compliance | Legal obligation |
| Communications about Service changes or legal notices | Legitimate interests / Contract |
| Product improvement (using de-identified aggregate data only) | Legitimate interests |
| Case study and marketing references (with Client consent) | Consent |
4.2 Purposes for Which the Service Provider Acts as Processor
The Service Provider processes Client CIK solely to:
- make the Service available to Authorised Users according to the Client's configuration and permissions settings;
- enable the Model Context Protocol integration where activated by the Client;
- permit the Service Provider LLM to respond to queries within the Service within the parameters set by the Client; and
- generate error logs and diagnostics to support the Service's reliability.
The Service Provider does not process Client CIK for any other purpose, including AI model training, analytics, or profiling.
4.3 No AI Training on Client Data
The Service Provider will not, under any circumstances, use any personal information or CIK submitted to the Service to train, fine-tune, prompt-tune, or otherwise improve any AI or machine learning model. This is an absolute commitment and applies to the Service Provider LLM, any future models operated by the Service Provider or any Successor Entity, and any third-party models.
5. Data Storage and Transfers
5.1 Hosting
The Service is hosted on infrastructure located within the European Economic Area (EEA). All CIK and personal data are processed and stored within the EEA.
5.2 Cross-Border Transfers
The Service Provider will not transfer personal information outside the EEA or the Republic of South Africa without:
(a) the Client's prior written consent; and
(b) ensuring appropriate safeguards are in place, such as the Standard Contractual Clauses approved by the European Commission (for GDPR purposes) or the conditions set out in section 72 of POPIA (for South African cross-border transfers).
5.3 Subprocessors
The Service Provider uses a limited number of subprocessors to provide the Service. Any subprocessor that may process personal information on the Service Provider's behalf is bound by contractual obligations no less stringent than those in this Policy and the applicable DPA. The Service Provider maintains an up-to-date list of subprocessors, available on request from privacy@contextplus.ai. The Service Provider will notify Clients of any proposed changes to its subprocessor list and allow Clients a reasonable period to object.
Current subprocessors include cloud hosting infrastructure within the EEA. If a payment processor is engaged in a future commercial phase, this Policy will be updated and Clients will be notified in advance.
6. Retention and Deletion
6.1 General Retention Periods
| Data Category | Retention Period |
|---|---|
| CIK and Client-submitted Personal Data | Deleted within 30 days of account termination or on Client request, subject to clause 6.2 |
| Account and registration data | Duration of the contractual relationship + 7 years (for legal and tax purposes) |
| Billing and financial records | As required by applicable tax and commercial law (minimum 5 years in most jurisdictions) |
| Usage logs and diagnostics | Maximum 12 months from creation |
| Contact information (post-termination, minimal set) | As required by applicable law |
6.2 Legal Retention Obligations
The Service Provider is required by law to retain certain categories of information even after account termination, including:
(a) financial and billing records — to comply with tax legislation and commercial law in applicable jurisdictions;
(b) usage logs — for security incident investigation and compliance purposes; and
(c) contact information — where required for ongoing legal obligations, dispute resolution, or regulatory compliance.
The Service Provider will notify the Client of any data it is required to retain following account termination and the legal basis for that retention.
6.3 Data Download and Deletion
Clients have the right to download and delete their data at any time. The Service currently supports:
- download of individual files from the Client's knowledge space; and
- account deletion, which triggers deletion of all CIK and personal data subject to clause 6.2.
The Service Provider is actively developing a bulk data export and account deletion feature. Its absence does not affect the Client's right to request full data export or deletion by contacting privacy@contextplus.ai.
7. Data Subject Rights
7.1 Rights Under POPIA
Data subjects whose personal information is processed by the Service Provider have the following rights under POPIA:
- Right of access: the right to request confirmation of whether the Service Provider holds personal information about them, and to request a copy of that information.
- Right to correction or deletion: the right to request correction of inaccurate personal information and, in certain circumstances, deletion of personal information.
- Right to object: the right to object to processing of personal information on reasonable grounds.
- Right to complain: the right to submit a complaint to the South African Information Regulator at www.inforegulator.org.za.
7.2 Rights Under GDPR (EU Data Subjects)
Where the Service Provider processes personal information of individuals located in the European Union, those individuals have additional rights under the GDPR, including:
- Right of access (Article 15);
- Right to rectification (Article 16);
- Right to erasure (Article 17);
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20);
- Right to object (Article 21); and
- Right not to be subject to automated individual decision-making (Article 22).
7.3 How to Exercise Rights
Some of these rights can be exercised directly through the Service — for example, deleting your account or downloading your data through the platform settings. Where a right can be exercised through the platform, that is the simplest way to do it. If anything is unclear, or if a right cannot be exercised through the platform, submit a request to: privacy@contextplus.ai
The Service Provider will respond to all valid requests within 30 days of receipt. In complex cases, this period may be extended by a further 30 days, with notice to the data subject. Where a request relates to CIK submitted by a Client (where the Service Provider acts as processor), the Service Provider will direct the request to the relevant Client as the data controller.
7.4 Verification
The Service Provider may request reasonable verification of the identity of a data subject before processing a rights request.
8. Security
The Service Provider implements technical and organisational measures appropriate to the nature and sensitivity of the personal information processed through the Service, including:
- encryption of data in transit (TLS) and at rest;
- role-based access controls;
- audit logging of access to personal data;
- regular security assessments and vulnerability management; and
- incident response procedures, including notification to affected Clients in the event of a personal data breach.
In the event of a personal data breach, the Service Provider will notify affected Clients without undue delay and, in any event, within a timeframe consistent with the GDPR's 72-hour notification standard where the breach is likely to result in a risk to the rights and freedoms of natural persons.
9. EU AI Act Transparency
The Service incorporates AI functionality, including the Service Provider LLM. In accordance with Article 50 of the EU AI Act and applicable transparency obligations:
(a) where Authorised Users interact with AI-generated outputs through the Service, the Service Provider will ensure that such interactions are clearly identified as AI-generated;
(b) the Service Provider will not use personal data processed through the Service for AI model training — see clause 4.3;
(c) the Service Provider maintains documentation of the Service Provider LLM's capabilities, limitations, and intended use cases, available to Clients on request to support Client compliance with applicable EU AI Act obligations; and
(d) where the Client's use of the Service may constitute deployment of a high-risk AI system under the EU AI Act, the Service Provider will cooperate with the Client to provide such information and assistance as is reasonably required for the Client to fulfil its obligations under Article 26 of the EU AI Act.
10. Cookies and Tracking
The ContextPlus web application may use cookies and similar tracking technologies to:
- maintain Authorised User sessions;
- remember user preferences and settings; and
- collect aggregate usage analytics to improve the Service.
The Service Provider does not use third-party advertising cookies or cross-site tracking technologies. A cookie notice will be presented to Authorised Users when they first access the web application. Authorised Users may manage cookie preferences through their browser settings, noting that disabling certain cookies may affect Service functionality.
11. Novation and Entity Migration
As described in the Terms of Service, the Service Provider may transfer its rights and obligations under its contracts — including its data protection obligations — to a Successor Entity on the occurrence of a Restructuring Event. In those circumstances:
(a) the Successor Entity will assume all of the Service Provider's data protection obligations, including those under this Privacy Policy;
(b) personal data will be transferred to the Successor Entity only where a lawful basis for transfer exists under applicable law (including, where required, the implementation of Standard Contractual Clauses or equivalent transfer safeguards);
(c) Clients and affected data subjects will be notified of the transfer as set out in clause 15 of the Terms of Service; and
(d) this Privacy Policy will be updated to reflect the Successor Entity's details and any changes to applicable law following the transfer.
12. Changes to This Privacy Policy
The Service Provider may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or data processing practices. During the Testing Period, the Service Provider will notify Clients of any material changes by email, with at least 30 days' notice before the changes take effect.
The current version of this Privacy Policy is always available on request from privacy@contextplus.ai.
13. Contact and Complaints
For all privacy-related enquiries, access requests, or complaints:
Email: privacy@contextplus.ai
If you are not satisfied with the Service Provider's response to a complaint, you may escalate to the relevant supervisory authority:
- South Africa: South African Information Regulator — www.inforegulator.org.za
- Netherlands / EU: Autoriteit Persoonsgegevens — www.autoriteitpersoonsgegevens.nl
Privacy Policy — Version 2.0
ContextPlus — Last updated: 5 May 2026