# Privacy Policy
This policy explains how we collect, use, store, and share your personal information when you use the FixMyMarketing Scanner. It's written in plain English. We've tried to keep it shorter than most.
This policy works alongside our Terms of Service. The Terms govern what the service is and what you agree to; this policy governs what we do with your data.
1. Who we are
The FixMyMarketing Scanner is operated by Story Advantage (Pty) Ltd, a company registered in South Africa, trading as Story Advantage Marketing Agency. In this policy, "we", "us" and "our" refer to Story Advantage.
We are the responsible party (POPIA) and the data controller (GDPR / UK GDPR) for your personal information.
Information Officer (POPIA section 55): *[To be designated — typically the Managing Director. Reachable at the email below.]*
EU / UK representative: Not currently appointed. We do not actively target users in the EU or UK. If our user base in those regions develops, we will appoint a representative under GDPR Article 27 (and the UK equivalent) and update this policy.
Contact for all privacy matters: hello@storyadvantage.agency
2. What we collect
We collect different categories of information depending on how you use the Scanner.
### When you run a free scan (web or WhatsApp)
### When you create an account or upgrade to a paid review
### When you use the WhatsApp service
### Operational data we generate
### What we don't collect
We don't collect special categories of personal information (health, race, religion, sexual orientation, biometrics, etc.). If you accidentally include any of this in a URL or scan, please contact us and we'll delete it.
We don't fingerprint your device or attempt to identify you across other sites.
3. Why we process your information (legal bases)
We need a lawful basis under POPIA and GDPR for every kind of processing. Here's ours:
| What we do | Why | Legal basis |
|---|---|---|
| Run scans and deliver reports | To provide the service you requested | Contract |
| Send transactional emails (sign-in codes, receipts, scan reports) | Required to operate the service | Contract |
| Marketing email sequences (free-scan follow-ups, product updates) | Promotion of related services | Legitimate interest (POPIA s69) / Soft opt-in (GDPR) — with unsubscribe in every message |
| WhatsApp follow-ups (24h discount nudge) | Promotion of related services to recent users | Legitimate interest, with STOP opt-out always available |
| Hashed IP and rate limiting | Prevent abuse and bot traffic | Legitimate interest |
| Crash reporting and error logs | Fix problems and improve reliability | Legitimate interest |
| Aggregated, anonymised benchmarks and AI model improvement | Improve the Scanner; produce industry research | Legitimate interest, with no individual identification possible |
| Comply with tax, legal, and regulatory obligations | We're required to | Legal obligation |
You can object to processing based on legitimate interest at any time. Email us or, for marketing channels, use the unsubscribe link or STOP command.
4. How we use AI on your data
The Scanner uses artificial intelligence — including Anthropic's Claude model — to analyse the websites you submit and generate findings.
When you submit a URL for scanning, we send the extracted content from that website to Anthropic for analysis. We do not send personal information about you (email, phone, name) to Anthropic — only the website content, plus context about which dimension is being analysed.
AI training disclosure. As covered in our Terms of Service section 9, we may use scan inputs, scan outputs, and aggregated usage data to:
We don't publish your specific scan results or your website URL without your prior written consent. "Anonymised and aggregated" means no individual person, business, or website can be reasonably identified from anything we publish.
Automated decision-making. The Scanner produces algorithmic scores and recommendations. These are advisory only — they do not have legal or similarly significant effects on you. We rely on human judgment (yours) before any action is taken based on a Scanner recommendation. Accordingly, GDPR Article 22 protections against automated individual decisions don't apply here, but the safeguards described in this policy do.
5. Who we share your data with
We use the following third-party processors to deliver the Scanner. Each has a data processing agreement in place. Where data leaves South Africa or the EEA, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards.
| Processor | Location | What it receives | Why |
|---|---|---|---|
| Anthropic | USA | Extracted website content (no personal info about you) | AI analysis of scanned sites |
| Firecrawl | USA / multi-region | URLs you submit for paid Brand Resonance Reviews | JS-rendered crawling that catches what basic scrapers miss |
| Google PageSpeed Insights | USA | URLs you submit | Performance scoring |
| Meta WhatsApp (via Evolution API) | Multi-region | Phone number, message content | Run the WhatsApp service |
| Microlink | EU | URLs you submit | Generate website screenshots |
| MongoDB Atlas | Region per plan (currently *[confirm region]*) | Account data, scan results, admin settings, billing records | Primary database |
| Payfast | South Africa | Payment information for paid reviews | Process payments in ZAR (with FX handled at card level) |
| Resend | USA | Email address, name, scan metadata | Send sign-in codes, payment receipts, scan reports, and marketing email sequences |
| Vercel | USA / global edge | Web requests, logs | Application hosting |
We may add a CRM (GoHighLevel) as a future processor for marketing automation. If we do, we'll update this policy and notify users whose data flows through it.
We do not sell your personal information.
6. International transfers
Several of our processors are based in the USA. When your personal information is transferred outside South Africa or the EEA, we rely on one or more of:
Copies of the relevant safeguards are available on request to the email above.
7. How long we keep your data
| Data | Retention |
|---|---|
| Scans tied to an authenticated account | For the life of your account |
| Free scans from anonymous web visitors (no email captured) | 180 days |
| WhatsApp session data (active phone-keyed lite users) | 14 days after last interaction, then session state resets |
| Scan reports themselves (PDF, dashboard view) | For the life of your account, plus 90 days |
| Email send logs (Resend) | 90 days |
| Payment records | 7 years (South African tax law) |
| Hashed IP addresses for rate limiting | 24 hours |
| Error logs and crash reports | 30 days |
| Audit logs (admin actions) | 2 years |
| Aggregated, anonymised benchmark data | Indefinitely (no individual identification possible) |
If you delete your account, we delete or anonymise your identifying data within a reasonable period (typically 30 days), except where we're required by law to keep it longer (e.g. payment records).
8. Your rights
Under POPIA and GDPR, you have the following rights regarding your personal information. To exercise any of them, email hello@storyadvantage.agency. We'll respond within 30 days; if we need longer (because the request is complex), we'll tell you why.
We will not retaliate against you for exercising any of these rights.
9. Cookies and similar technologies
We use cookies and similar technologies for three things:
On your first visit you'll see a consent banner with these three categories. You can change your choices at any time via the "Manage consent" link in the site footer.
We don't load third-party tracking pixels before you give consent.
10. Security
We use industry-standard safeguards to protect your data:
Despite all of this, no system is perfectly secure. If we suffer a data breach that creates a real risk to your rights, we will:
11. Children
The Scanner is not intended for users under 18. If we learn we've collected personal information from someone under 18, we'll delete it.
12. Changes to this policy
We may update this policy. For changes that materially affect users (new processors, new data categories, changes to retention or sharing), we'll give at least 14 days' notice by email to registered users and via a banner on the Scanner.
Minor changes (typo fixes, clarifications, adding a processor that already had a DPA in place) may take effect when posted. The "last updated" date below tells you when we last revised this policy.
13. Contact us
For privacy questions, data requests, or anything in this policy:
hello@storyadvantage.agency
---
Last updated: 18 May 2026
Operated by: Story Advantage (Pty) Ltd, South Africa