Privacy Policy

1. Introduction

OpenComments ("we", "us", "our") is an independent civic-engagement platform based in the Republic of South Africa. We are committed to protecting and respecting your privacy in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (EU) 2016/679 (GDPR).

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have in relation to your personal information. Please read this policy carefully before using OpenComments.

2. Responsible Party & Information Officer

For the purposes of POPIA (and as "data controller" under the GDPR where applicable), the responsible party is:

3. Personal Information We Collect

We collect and process the following categories of personal information:

3.1 Information You Provide Directly

• Account & Registration Data: Full name, email address, password (stored in hashed form only), phone number (optional), province, organisation, and preferred language.
• Profile Preferences: Notification frequency, sector interests (e.g. Health, Education, Finance), submission language preference, profile photo/avatar, and two-factor authentication settings.
• Submission Content: Comments, stances, and feedback you craft and submit on government policy consultations, including any reference numbers generated for your submissions.
• AI Drafting Inputs: Notes or instructions you enter when you ask the AI drafting tool to help prepare a comment.
• Contact & Correspondence: Any messages, enquiries, or feedback you send us via email or the contact form.

3.2 Information Collected Automatically

• Session & Authentication Data: Session tokens, IP address, and user-agent strings, collected at login for security and fraud prevention.
• Usage & Analytics Data: Pages viewed, policies browsed, features used, and interaction patterns. Collected via Vercel Analytics and Vercel Speed Insights — privacy-friendly tools that do not use tracking cookies and do not collect personally identifiable information.
• Device Data: Browser type, operating system, screen resolution, and referring URL.

3.3 Information Generated Through Our Services

• AI-Generated Content: Summaries, analyses, key terms, and translations of government policy documents, generated by Google Gemini AI. These are derived from public government documents, not from your personal data.
• Email Delivery Metadata: Delivery status of emails sent on your behalf (e.g. "sent", "delivered"), response notes you add, and related metadata tracked via Resend for transparency and accountability.
• Audit Logs: Records of administrative actions taken on the platform, which may reference user account identifiers in anonymised form.

4. Legal Basis & Purpose of Processing

Under POPIA, we process your personal information in accordance with the conditions for lawful processing set out in Chapter 3. Under GDPR (where applicable), we rely on the following legal bases:

5. Who We Share Your Information With

We never sell your personal information. We share data only in the following limited circumstances:

5.1 Government Departments

When you submit a comment on a policy consultation, your submission content (and any identifying details you choose to include in your comment) is forwarded to the relevant government department via email. You provide explicit consent for this at the time of submission. We record this consent with a timestamp for audit purposes.

5.2 Service Providers (Operators / Processors)

We use the following third-party service providers who process data on our behalf under appropriate data processing agreements:

5.3 Legal Disclosure

We may disclose your information if required to do so by law, court order, subpoena, or government regulation, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of OpenComments, our users, or the public.

6. Cross-Border Data Transfers

Some of our service providers are located outside of South Africa (see section 5.2 above). In accordance with POPIA section 72, we only transfer personal information to a foreign country if that country has adequate data protection legislation, or if the transfer is subject to binding contractual safeguards (such as Standard Contractual Clauses or the provider's data processing agreement).

We have assessed each provider's data protection commitments and ensured appropriate safeguards are in place. Where possible, we select data regions closest to South Africa.

7. How We Protect Your Information

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction, including:

• Encryption in Transit: All data is transmitted over HTTPS/TLS. Database connections use SSL.
• Password Security: Passwords are hashed using industry-standard algorithms (bcrypt/scrypt). We never store plaintext passwords.
• Session Security: HTTP-only, secure, SameSite cookies with environment-appropriate prefixes. Sessions expire after 7 days.
• Two-Factor Authentication: Optional TOTP-based 2FA available for all accounts.
• Step-Up Verification: Account deletion requires a one-time code sent to your account email. Password accounts also require password confirmation.
• Input Validation: All user inputs are validated, sanitised, and bounded to prevent injection attacks and abuse.
• Rate Limiting: Redis-backed sliding window rate limiting on sensitive endpoints (AI, email, auth).
• Access Control: Role-based access control with session-derived user identity — client-supplied IDs are never trusted.
• Audit Logging: Administrative actions are logged for accountability.
• Timing-Safe Secret Comparison: Webhook signatures and API keys are compared using constant-time algorithms.

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

• Account Data: Retained for as long as your account remains active, plus 30 days after deletion to allow recovery.
• Submissions to Government: Retained indefinitely as a civic record, unless you request deletion. Note that copies forwarded to government departments are outside our control.
• Session Data: Automatically expires after 7 days. IP addresses associated with sessions are not retained beyond the session lifetime.
• Email Delivery Logs: Retained for 12 months for troubleshooting, then deleted.
• Audit Logs: Retained for 24 months.
• Analytics Data: Vercel Analytics data is aggregated and non-identifying; see Vercel's privacy policy for retention details.

9. Cookies & Similar Technologies

We use the following cookies:

We do not use advertising or tracking cookies. Vercel Analytics and Speed Insights are privacy-friendly and do not use cookies or collect personally identifiable information.

You can manage cookie preferences through your browser settings. Disabling the session cookie will prevent you from using authenticated features (dashboard, submissions, alerts).

10. AI & Automated Decision-Making

OpenComments uses Google Gemini AI to generate policy summaries, key-term explanations, pros-and-cons analysis, translations of government documents, and AI-assisted draft comments when you request them. This AI processing:

• For policy summaries and analysis, is applied to public government documents.
• For AI-assisted comment drafting, processes the notes you provide, but your email address and phone number are not sent to the AI.
• Does not make decisions about you or affect your legal rights.
• May assist in drafting submission comments at your request; you always review and control the final content before submission.
• Is clearly labelled as AI-generated throughout the platform.

We do not use automated profiling to make decisions that produce legal effects concerning you.

11. Children's Privacy

OpenComments is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at privacy@opencomments.co.za, and we will take steps to delete such information.

12. Your Rights Under POPIA (and GDPR)

Under the Protection of Personal Information Act, you have the following rights as a data subject:

• Right to be Informed (s18): You have the right to know what personal information we hold about you and how it is processed. This privacy policy serves that purpose.
• Right of Access (s23): Request a copy of all personal information we hold about you. We will respond within 30 days.
• Right to Correction (s24): Request that we correct or complete inaccurate or incomplete personal information. You can also update most information directly via your Profile page.
• Right to Deletion (s24): Request that we delete your personal information, subject to any legal obligation to retain certain records.
• Right to Object (s11(3)): Object to the processing of your personal information on grounds of legitimate interest, and object to receiving direct marketing communications at any time.
• Right to Data Portability: Request your personal information in a structured, machine-readable format (JSON or CSV).
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
• Right to Lodge a Complaint: If you believe your privacy rights have been infringed, you have the right to lodge a complaint with the Information Regulator.

You can download an account data export or request account deletion from your Profile page. Account deletion requires a one-time verification code sent to your account email. To exercise any other rights, email us at privacy@opencomments.co.za. We will verify your identity before processing your request and respond within 30 days.

13. Direct Marketing & Communications

In compliance with POPIA section 69, we will only send you direct marketing communications (such as policy alerts and digest emails) where:

• You have opted in to receive such communications (e.g. by configuring alert preferences); or
• You are an existing user and the communication relates directly to services similar to those you have used.

Every marketing or alert email includes an unsubscribe mechanism. You can also manage your notification preferences at any time from your Profile page or Alerts settings.

14. Data Breach Notification

In the event of a personal information security compromise, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with POPIA section 22. Such notification will include a description of the breach, the categories of information affected, and the measures we are taking or recommend you take to mitigate any potential harm.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you a notification via email or through the platform. We encourage you to review this policy periodically.

16. PAIA Manual

Our PAIA manual explains how to request access to records under the Promotion of Access to Information Act. It is available at /paia.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: