Legal & Trust Centre

Website and Platform Privacy Notice

How MK Assist collects, uses, stores and protects personal information when you use our website and platform.

Plain-language summary

Explains how MK Assist handles visitor, prospect, client-user, billing, support and platform personal information.

1. Who this notice applies to

This notice applies to website visitors, people who request information or a demonstration, prospective and existing clients, business administrators, invited agents, support contacts and other authorised users of the MK Assist website and platform. A separate WhatsApp Customer Privacy Notice applies primarily to customers who contact an MK Assist client through WhatsApp.

MK Assist is a product of Stonda (Pty) Ltd., registration number 2020/843851/07, which is the legal contracting entity. Its registered address is 116 Summerset Road, Noordwyk, Johannesburg, Gauteng, 1685. Its operating address is 99 Stoneridge Drive, Greenstone Hill, Lethabong, 1609. Its VAT number is 4480296898. Formal notices, support, billing, privacy requests and complaints must be sent by email to hello@mkassist.co.za, with legal and Information Officer escalations to tondani@mkassist.co.za. Support hours are Monday to Friday, 08:00 to 17:00 South African time, excluding public holidays.

2. POPIA roles

Processing context Primary POPIA role of MK Assist Primary POPIA role of client

Website visitors, prospects, client account contacts, billing and support administration Responsible party Independent responsible party for its own records

Customer conversations, customer details and client knowledge processed to provide the service Operator acting under documented client instructions, except where law requires independent action Responsible party

Platform security, fraud prevention, service integrity and legally required records Responsible party for the limited processing it independently determines Responsible party for its own corresponding obligations

Meta/WhatsApp processing under their own terms Separate recipient and, depending on the processing, operator/processor or independent responsible party/controller under its terms Responsible party for its customer communications and opt-in

MK Assist does not rely on a single legal justification for every processing activity. Depending on the context, processing is necessary to conclude or perform a contract, comply with law, pursue a legitimate interest that does not unjustifiably interfere with a data subject's rights, protect a legitimate interest of the data subject, or occurs with consent where consent is the appropriate basis. Optional direct marketing consent is separate from service acceptance.

3. Information we collect

We may process:

  • Identity and contact information: name, work email address, business telephone number, job title and organisation.
  • Business and authority information: legal or trading name, registration details, sector, address, tax information, authority to bind or administer the business and WhatsApp asset details.
  • Account information: credentials, verification status, role, permissions, invitations, multifactor-authentication status and authentication events.
  • Contract and billing information: plan, order form, acceptance record, billing address, invoices, payment status, transaction references and limited payment-provider tokens or status data. MK Assist must not store complete payment-card details.
  • Platform and device information: IP address, browser, device, operating system, session, cookie preferences, log events, usage and diagnostic information.
  • Workspace information: business profile, assistant settings, knowledge sources, team details, usage, service configuration and support metadata.
  • Support and complaint information: correspondence, screenshots, troubleshooting information, incident reports and resolution records.
  • Security and compliance information: access logs, audit events, risk checks, sector-review evidence, suspected abuse and break-glass records.
  • Content voluntarily provided: information in forms, emails, uploaded material or other communications. Do not send passwords, one-time passwords, complete payment-card details or unnecessary identity documents.

4. How information is collected

Information is collected directly from you, from an authorised administrator, through the website and platform, from approved payment and authentication providers, from Meta or WhatsApp where needed to connect a client account, from service logs, and from lawful public or verification sources. An administrator who invites an agent must have authority to provide that agent's business contact information.

5. Purposes

We process information to:

  • provide, secure and administer accounts and workspaces;
  • verify email addresses, roles, authority and business identity;
  • configure, activate, support, bill, suspend and terminate the service;
  • connect and manage authorised WhatsApp assets;
  • meter customer conversations, display usage and apply approved additional usage quotes;
  • provide support, investigate incidents, prevent fraud and enforce acceptable use;
  • maintain records of contractual acceptance, consent and legal notices;
  • respond to privacy, PAIA, complaints, legal and regulatory requests;
  • improve reliability, accessibility and product design using service metadata and appropriately de-identified information, but not by training a shared AI model on client or WhatsApp data;
  • send service communications and, only where permitted, optional marketing communications.

6. AI and client content

Client knowledge and WhatsApp content are processed only to provide the workspace-specific service, apply safety and handover controls, support authorised troubleshooting and comply with law. One client's knowledge or conversations must not influence another client's responses. Client and WhatsApp data is not used to train a shared MK Assist or third-party general model. Human quality review may occur only through approved, time-limited and logged access.

MK Assist uses approved AI service providers under contractual and technical controls that prohibit general model training on MK Assist data and limit provider retention to the minimum required for the service. Current provider categories and transfer information are described in the Subprocessor List and International Data Transfer Overview.

7. Recipients and subprocessors

Information may be disclosed to authorised MK Assist personnel, authorised service-provider personnel where approved for maintenance or support, Meta and WhatsApp, an approved AI provider, hosting, database, storage, authentication, email, monitoring, analytics and payment providers, professional advisers, auditors, regulators, law-enforcement authorities and parties involved in a lawful corporate transaction. Access is limited to the purpose and role. Current production providers and locations will be listed at /legal/subprocessors.

8. International processing

Some providers may process information outside South Africa. MK Assist will use a permitted POPIA section 72 mechanism, such as an adequate legal framework, a binding agreement that provides substantially similar protection, consent where appropriate, or another lawful basis. The International Data Transfer Overview and Subprocessor List explain the applicable arrangements.

9. Retention

Account and service information is retained only for as long as needed for the stated purpose and legal obligations. Client-visible WhatsApp conversation history is limited by plan: Basic three months, Growth six months and Premium twelve months, unless a shorter period is selected or lawfully required. Billing, tax and core contract records may be retained for at least five to seven years as applicable. Security and dispute records may be retained for a period reasonably necessary to protect rights and meet legal obligations. After cancellation, a 30-day export and reactivation window applies before production deletion begins. Backups are isolated from ordinary product use and expire under the applicable backup cycle, which does not exceed 90 days unless a longer period is legally required.

10. Security

MK Assist requires tenant separation, role-based access, encryption in transit and at rest, protected credentials, privileged-user MFA, audit logging, restricted production access, verified webhooks, duplicate-event controls, backups, restoration tests, incident procedures and controlled break-glass access. These controls are part of the service security model. No system can be guaranteed to be completely secure.

11. Your rights

Subject to POPIA and other applicable law, you may ask whether MK Assist holds your personal information, request access, correction or deletion, object to certain processing, withdraw consent where processing depends on consent, and complain. We may verify identity and authority, protect other people's rights, retain legally required records or refer a customer request to the responsible client.

Requests may be sent to tondani@mkassist.co.za. Prescribed Information Regulator forms remain available through the regulator. Details appear at /legal/data-rights and in the PAIA Manual.

12. Direct marketing

Service notices are not marketing. Optional MK Assist marketing is sent only where permitted by law and can be stopped using the unsubscribe method or by emailing hello@mkassist.co.za. A client remains responsible for the lawfulness of its own WhatsApp marketing, customer opt-in, message templates and opt-out handling.

13. Children and special personal information

MK Assist is not designed for children to create accounts. A client that operates in education involving children, healthcare or another high-risk context requires manual review before activation. Users must avoid uploading special personal information unless it is necessary, lawful, disclosed and approved for the use case. MK Assist may reject or remove information that creates unacceptable risk.

14. Security compromises

Where MK Assist is an operator for client-controlled information, it will notify the client without undue delay after becoming aware of a security compromise and will provide reasonable cooperation. The client, as responsible party, generally remains responsible for notifying the Information Regulator and affected data subjects. Where MK Assist is the responsible party, its Information Officer manages the required notifications. Current regulator procedure requires security compromise reports through the Information Regulator eServices portal.

15. Changes

Material changes will be versioned and dated. Where a change affects an existing contract or materially changes processing, MK Assist will provide reasonable notice and obtain acceptance where law or the contract requires it. Earlier versions will be available at /legal/archive.