Privacy Policy

How we collect, use, and protect your personal information under POPIA and GDPR.

# Privacy Policy

This policy explains how we collect, use, store, and share your personal information when you use the FixMyMarketing Scanner. It's written in plain English. We've tried to keep it shorter than most.

This policy works alongside our Terms of Service. The Terms govern what the service is and what you agree to; this policy governs what we do with your data.

1. Who we are

The FixMyMarketing Scanner is operated by Story Advantage (Pty) Ltd, a company registered in South Africa, trading as Story Advantage Marketing Agency. In this policy, "we", "us" and "our" refer to Story Advantage.

We are the responsible party (POPIA) and the data controller (GDPR / UK GDPR) for your personal information.

Information Officer (POPIA section 55): *[To be designated — typically the Managing Director. Reachable at the email below.]*

EU / UK representative: Not currently appointed. We do not actively target users in the EU or UK. If our user base in those regions develops, we will appoint a representative under GDPR Article 27 (and the UK equivalent) and update this policy.

Contact for all privacy matters: hello@storyadvantage.agency

2. What we collect

We collect different categories of information depending on how you use the Scanner.

### When you run a free scan (web or WhatsApp)

  • The URL you submit and the content of that website that we extract.
  • Your email address (web flow) or phone number (WhatsApp flow), if you give it.
  • Your name or WhatsApp push name, if available.
  • Your POPIA consent record — the exact prompt we showed you, the timestamp, and your "YES" reply (WhatsApp) or your checkbox confirmation (web).
  • Your IP address, hashed within 24 hours so it can't be linked back to you afterwards.
  • Basic usage data — which pages you viewed, when you ran scans, browser type, device type.

### When you create an account or upgrade to a paid review

  • Email address (verified via one-time sign-in code).
  • Scan history linked to your account.
  • Payment status for paid reviews (we don't see your card details — Payfast handles that; we only receive the transaction status).
  • Any profile information you choose to add (business name, industry, etc.).

### When you use the WhatsApp service

  • Phone number (in E.164 format, e.g. +27821234567).
  • The content of messages you send us, retained as part of your session state.
  • Conversation memory for the AI agent (only when you ask follow-up questions after a scan completes — limited to your most recent 8 messages).
  • Suppression flag if you reply STOP.

### Operational data we generate

  • Error logs when something breaks.
  • Audit logs when admin actions happen on your account.
  • Aggregated, anonymised benchmark data built from many users' scans — see section 7.

### What we don't collect

We don't collect special categories of personal information (health, race, religion, sexual orientation, biometrics, etc.). If you accidentally include any of this in a URL or scan, please contact us and we'll delete it.

We don't fingerprint your device or attempt to identify you across other sites.

3. Why we process your information (legal bases)

We need a lawful basis under POPIA and GDPR for every kind of processing. Here's ours:

| What we do | Why | Legal basis |
| --- | --- | --- |
| Run scans and deliver reports | To provide the service you requested | Contract |
| Send transactional emails (sign-in codes, receipts, scan reports) | Required to operate the service | Contract |
| Marketing email sequences (free-scan follow-ups, product updates) | Promotion of related services | Legitimate interest (POPIA s69) / Soft opt-in (GDPR) — with unsubscribe in every message |
| WhatsApp follow-ups (24h discount nudge) | Promotion of related services to recent users | Legitimate interest, with STOP opt-out always available |
| Hashed IP and rate limiting | Prevent abuse and bot traffic | Legitimate interest |
| Crash reporting and error logs | Fix problems and improve reliability | Legitimate interest |
| Aggregated, anonymised benchmarks and AI model improvement | Improve the Scanner; produce industry research | Legitimate interest, with no individual identification possible |
| Comply with tax, legal, and regulatory obligations | We're required to | Legal obligation |

You can object to processing based on legitimate interest at any time. Email us or, for marketing channels, use the unsubscribe link or STOP command.

4. How we use AI on your data

The Scanner uses artificial intelligence — including Anthropic's Claude model — to analyse the websites you submit and generate findings.

When you submit a URL for scanning, we send the extracted content from that website to Anthropic for analysis. We do not send personal information about you (email, phone, name) to Anthropic — only the website content, plus context about which dimension is being analysed.

AI training disclosure. As covered in our Terms of Service section 9, we may use scan inputs, scan outputs, and aggregated usage data to:

  • Improve our scoring models and methodology.
  • Train, fine-tune, or evaluate AI systems we use to power the Scanner.
  • Produce anonymised, aggregated benchmarks and research.

We don't publish your specific scan results or your website URL without your prior written consent. "Anonymised and aggregated" means no individual person, business, or website can be reasonably identified from anything we publish.

Automated decision-making. The Scanner produces algorithmic scores and recommendations. These are advisory only — they do not have legal or similarly significant effects on you. We rely on human judgment (yours) before any action is taken based on a Scanner recommendation. Accordingly, GDPR Article 22 protections against automated individual decisions don't apply here, but the safeguards described in this policy do.

5. Who we share your data with

We use the following third-party processors to deliver the Scanner. Each has a data processing agreement in place. Where data leaves South Africa or the EEA, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards.

| Processor | Location | What it receives | Why |
| --- | --- | --- | --- |
| Anthropic | USA | Extracted website content (no personal info about you) | AI analysis of scanned sites |
| Firecrawl | USA / multi-region | URLs you submit for paid Brand Resonance Reviews | JS-rendered crawling that catches what basic scrapers miss |
| Google PageSpeed Insights | USA | URLs you submit | Performance scoring |
| Meta WhatsApp (via Evolution API) | Multi-region | Phone number, message content | Run the WhatsApp service |
| Microlink | EU | URLs you submit | Generate website screenshots |
| MongoDB Atlas | Region per plan (currently *[confirm region]*) | Account data, scan results, admin settings, billing records | Primary database |
| Payfast | South Africa | Payment information for paid reviews | Process payments in ZAR (with FX handled at card level) |
| Resend | USA | Email address, name, scan metadata | Send sign-in codes, payment receipts, scan reports, and marketing email sequences |
| Vercel | USA / global edge | Web requests, logs | Application hosting |

We may add a CRM (GoHighLevel) as a future processor for marketing automation. If we do, we'll update this policy and notify users whose data flows through it.

We do not sell your personal information.

6. International transfers

Several of our processors are based in the USA. When your personal information is transferred outside South Africa or the EEA, we rely on one or more of:

  • Standard Contractual Clauses (SCCs) signed with the processor.
  • Adequacy decisions by the relevant data protection authority, where they exist.
  • The EU–US Data Privacy Framework for processors who are certified under it.

Copies of the relevant safeguards are available on request to the email above.

7. How long we keep your data

| Data | Retention |
| --- | --- |
| Scans tied to an authenticated account | For the life of your account |
| Free scans from anonymous web visitors (no email captured) | 180 days |
| WhatsApp session data (active phone-keyed lite users) | 14 days after last interaction, then session state resets |
| Scan reports themselves (PDF, dashboard view) | For the life of your account, plus 90 days |
| Email send logs (Resend) | 90 days |
| Payment records | 7 years (South African tax law) |
| Hashed IP addresses for rate limiting | 24 hours |
| Error logs and crash reports | 30 days |
| Audit logs (admin actions) | 2 years |
| Aggregated, anonymised benchmark data | Indefinitely (no individual identification possible) |

If you delete your account, we delete or anonymise your identifying data within a reasonable period (typically 30 days), except where we're required by law to keep it longer (e.g. payment records).

8. Your rights

Under POPIA and GDPR, you have the following rights regarding your personal information. To exercise any of them, email hello@storyadvantage.agency. We'll respond within 30 days; if we need longer (because the request is complex), we'll tell you why.

  • Access. Get a copy of what we hold about you. Account holders can download a JSON export from the dashboard.
  • Correction. Fix anything inaccurate. Most fields are editable in your dashboard; email us for anything else.
  • Deletion. Request that we delete your account and identifying data. Some legal-retention data (payment records) we have to keep.
  • Restriction. Ask us to pause processing in specific circumstances.
  • Objection. Object to processing based on legitimate interest. We'll stop unless we can show overriding reasons. Direct-marketing objection is always honoured.
  • Portability. Receive your data in a structured, machine-readable format. Our JSON dashboard export covers this.
  • Withdraw consent. Where we rely on consent (marketing emails, cookies, optional features), withdraw it at any time. Withdrawal doesn't affect processing that already happened.
  • Complain to a regulator. South Africa: the Information Regulator at [inforegulator.org.za](https://inforegulator.org.za). EU residents: your local supervisory authority. UK residents: the ICO at [ico.org.uk](https://ico.org.uk).

We will not retaliate against you for exercising any of these rights.

9. Cookies and similar technologies

We use cookies and similar technologies for three things:

  • Essential — needed for the Scanner to work (sign-in session, security tokens). Cannot be disabled.
  • Analytics — help us understand how the Scanner is used so we can improve it. Loaded only after you give consent.
  • Marketing & CRM — help us measure the effectiveness of our marketing and (in future) sync scan data to our CRM for nurture sequences. Loaded only after you give consent.

On your first visit you'll see a consent banner with these three categories. You can change your choices at any time via the "Manage consent" link in the site footer.

We don't load third-party tracking pixels before you give consent.

10. Security

We use industry-standard safeguards to protect your data:

  • TLS encryption for all data in transit.
  • Encryption at rest in MongoDB Atlas.
  • Email-based OTP sign-in (no password storage on our side).
  • Session cookies with HttpOnly, Secure, and SameSite flags.
  • Administrative audit logging.
  • Regular dependency updates and vulnerability reviews.
  • Rate limiting to prevent abuse.

Despite all of this, no system is perfectly secure. If we suffer a data breach that creates a real risk to your rights, we will:

  • Notify the Information Regulator (South Africa) and any other competent authority within 72 hours.
  • Notify affected users where required by law and as soon as is reasonable.

11. Children

The Scanner is not intended for users under 18. If we learn we've collected personal information from someone under 18, we'll delete it.

12. Changes to this policy

We may update this policy. For changes that materially affect users (new processors, new data categories, changes to retention or sharing), we'll give at least 14 days' notice by email to registered users and via a banner on the Scanner.

Minor changes (typo fixes, clarifications, adding a processor that already had a DPA in place) may take effect when posted. The "last updated" date below tells you when we last revised this policy.

13. Contact us

For privacy questions, data requests, or anything in this policy:

hello@storyadvantage.agency

---

Last updated: 18 May 2026

Operated by: Story Advantage (Pty) Ltd, South Africa