Privacy Policy
Effective date: 28 March 2026 · Last updated: 28 March 2026
1. Introduction
This Privacy Policy explains how KJ Hoare, trading as Expanding Insights ("we", "us", or "our"), collects, uses, stores, and shares your personal information when you visit our website at expandinginsights.com ("Website"), use our client portal at portal.expandinginsights.com ("Portal"), or engage with any of our products and services (collectively, the "Services").
We are committed to protecting your privacy in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECT Act"), and, where applicable, the General Data Protection Regulation ("GDPR") for users located in the European Economic Area or the United Kingdom.
2. Responsible Party
The responsible party (as defined in POPIA) for the processing of your personal information is:
- Name: KJ Hoare t/a Expanding Insights
- Email: info@insightsxp.com
- Location: South Africa
3. Information We Collect
3.1 Information you provide directly
- Contact form submissions: name, email address, company name, service interest, and message content.
- Account registration: email address and authentication credentials when you sign up for the Portal.
- Billing and payment data: payment method details, billing address, and transaction history processed by our third-party payment processor, Paddle. We do not store full credit/debit card numbers on our servers.
- Communications: any information you provide when you email us, use the chatbot widget, or otherwise correspond with us.
3.2 Information collected automatically
- Usage data: pages visited, time on page, referral source, browser type, device type, operating system, and screen resolution.
- Log data: IP address, access times, and server logs collected by our hosting providers (Vercel, Google Cloud Platform, Firebase).
- Cookies and similar technologies: see Section 7 below.
3.3 Information from third parties
- Paddle: payment confirmation, subscription status, and invoice data.
- Analytics providers: aggregated usage data.
4. How We Use Your Information
We process your personal information for the following purposes:
- Service delivery: to provide, maintain, and improve our AI, automation, and business intelligence services.
- Account management: to create and manage your Portal account, authenticate your identity, and manage subscriptions.
- Communication: to respond to enquiries, send service-related notices, and provide customer support.
- Billing: to process payments, issue invoices, and manage refunds.
- Analytics and improvement: to understand how users interact with our Services and to improve functionality and user experience.
- Legal compliance: to comply with applicable laws, regulations, and legal processes.
- Security: to detect, prevent, and respond to fraud, abuse, or security incidents.
5. Legal Basis for Processing
Under POPIA and, where applicable, the GDPR, we rely on the following legal grounds:
- Consent: where you have given explicit consent (e.g., submitting a contact form, accepting cookies).
- Contractual necessity: where processing is required to perform a contract with you or to take pre-contractual steps at your request.
- Legitimate interest: where processing is necessary for our legitimate business interests (e.g., analytics, fraud prevention), provided those interests are not overridden by your rights.
- Legal obligation: where we are required by law to process your information.
6. Sharing and Disclosure
We do not sell your personal information. We may share your data with:
- Service providers: trusted third parties who assist in operating our Services (hosting, payment processing, analytics, email delivery). These providers are contractually obligated to protect your data and may only process it on our behalf.
- Legal requirements: law enforcement, regulators, or other parties when required by law, court order, or to protect our legal rights.
- Business transfers: in connection with a merger, acquisition, or sale of all or part of our business, with reasonable notice to affected users.
Key sub-processors
- Google Cloud Platform / Firebase (hosting, auth, database)
- Vercel (website hosting and CDN)
- Paddle (payment processing)
7. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience, analyse usage patterns, and deliver relevant content. The types of cookies we use include:
- Strictly necessary cookies: required for the Website and Portal to function (e.g., authentication tokens). These cannot be disabled.
- Analytics cookies: help us understand how visitors interact with our Website (e.g., page views, session duration).
- Functional cookies: remember your preferences (e.g., theme settings).
You may manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.
8. Data Retention
We retain your personal information only for as long as is necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specifically:
- Contact form data: retained for up to 24 months after the last interaction, then deleted.
- Account data: retained for the duration of your account and for 12 months after account closure.
- Billing records: retained for the period required by applicable tax and accounting laws (typically 5 years).
- Analytics data: retained in aggregated, anonymised form indefinitely.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption in transit (TLS/HTTPS) and at rest.
- API key encryption using Google Cloud Key Management Service (KMS).
- Firestore security rules restricting all direct client access; data is only accessible via authenticated backend APIs.
- Role-based access controls and the principle of least privilege for service accounts.
- Regular security reviews and dependency updates.
While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. International Transfers
Our Services are hosted on infrastructure provided by Google Cloud Platform (europe-west2, London) and Vercel (global CDN). Your data may be transferred to and processed in countries outside South Africa or your country of residence. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Contractual clauses with sub-processors that meet POPIA and GDPR requirements.
- Transfers to jurisdictions with adequate data protection legislation as recognised by the relevant authorities.
11. Your Rights
Depending on your location, you may have the following rights under POPIA and/or the GDPR:
- Access: request a copy of the personal information we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal information, subject to legal retention requirements.
- Restriction: request that we limit the processing of your data in certain circumstances.
- Portability: receive your personal data in a structured, commonly used, and machine-readable format.
- Objection: object to processing based on legitimate interest or for direct marketing purposes.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at info@insightsxp.com. We will respond within 30 days (or sooner if required by law).
12. Complaints
If you believe your personal information has been processed in violation of POPIA, you have the right to lodge a complaint with the Information Regulator (South Africa):
- Website: inforegulator.org.za
- Email: complaints.IR@justice.gov.za
If you are located in the EEA or the UK, you may also lodge a complaint with your local supervisory authority.
13. Children's Privacy
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete that information promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on this page with a revised "Last updated" date. We encourage you to review this Policy periodically. Your continued use of our Services after changes are posted constitutes acceptance of the revised Policy.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
- Email: info@insightsxp.com
- Entity: KJ Hoare t/a Expanding Insights
- Location: South Africa