?DOMKOP

Privacy Policy

Last updated: 5 April 2026

1. Responsible Party

Creative Crew Studio Ltd (Company No. NI696783) is the responsible party (as defined by POPIA) and data controller (as defined by GDPR) for personal information processed through Domkop AI.

  • Registered address: 55 Kensington Road, Belfast, United Kingdom, BT5 6NL
  • Directors: Marcell Liebenberg, Zaneta Thiede
  • Incorporated: 1 May 2023

2. Information Officer

Our appointed Information Officer, as required by POPIA section 55, is:

3. What Data We Collect

We collect the following categories of personal information:

Account information

  • Name, email address
  • Authentication credentials (managed by Supabase Auth)
  • Subscription tier and billing information

Usage data

  • Conversation history and AI interactions
  • Credit usage and transaction records
  • Feature usage patterns

Technical data

  • IP address, browser type, device information
  • Pages visited and referral sources (via Plausible, a privacy-friendly analytics tool that does not use cookies or track individuals)

Payment data

  • Payment details are processed directly by Stripe. We do not store your full card number.

4. Purposes of Processing

We process your personal information for the following purposes:

  • To provide and maintain the Service
  • To process subscriptions, payments, and credit allocations
  • To communicate with you about your account, billing, and service updates
  • To improve the Service and user experience
  • To detect, prevent, and address fraud, abuse, and technical issues
  • To comply with legal obligations
  • To manage our affiliate programme

5. Legal Basis for Processing

We process your data based on one or more of the following legal grounds:

  • Contract — processing necessary to perform our agreement with you (POPIA s11(1)(b); GDPR Art. 6(1)(b))
  • Consent — where you have given clear consent (POPIA s11(1)(a); GDPR Art. 6(1)(a))
  • Legitimate interest — for fraud prevention, security, and service improvement (POPIA s11(1)(f); GDPR Art. 6(1)(f))
  • Legal obligation — to comply with applicable law (POPIA s11(1)(c); GDPR Art. 6(1)(c))

6. Third-Party Recipients

We share personal information with the following categories of recipients, each for the specific purposes noted:

Supabase (hosted on AWS)

Database hosting, authentication, and data storage.

Stripe

Payment processing (ZAR and GBP transactions).

Google (Gemini AI, Cloud TTS)

AI model inference and text-to-speech processing.

Anthropic (Claude)

AI model inference.

Vercel

Application hosting and deployment.

Plausible Analytics

Privacy-friendly website analytics. No cookies, no personal data tracking.

7. Cross-Border Transfers

Your personal information may be transferred to and processed in countries outside of South Africa, including the United States (Supabase/AWS, Stripe, Vercel, Google, Anthropic), the European Union (Plausible), and the United Kingdom (our registered office).

In terms of POPIA section 72, we ensure that recipients of cross-border transfers are subject to laws or binding agreements that provide an adequate level of protection, or that the transfer is necessary for the performance of a contract between you and us.

For transfers from the UK/EEA, we rely on Standard Contractual Clauses or adequacy decisions as applicable under GDPR.

8. Data Retention

  • Account data — retained for the duration of your account, plus 12 months after deletion for legal and billing purposes.
  • Conversation history — retained while your account is active. You may delete conversations at any time in the app.
  • Payment records — retained for 5 years to comply with financial record-keeping requirements.
  • Analytics data — Plausible retains aggregated, non-personal analytics data only.
  • Support communications — retained for 24 months after resolution.

9. Your Rights

Under POPIA and GDPR, you have the following rights regarding your personal information:

  • Access — request a copy of your personal data
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data
  • Objection — object to the processing of your data
  • Restriction — request restriction of processing
  • Portability — receive your data in a portable format (GDPR)
  • Withdraw consent — where processing is based on consent

To exercise any of these rights, email our Information Officer at info@creativecrewstudio.co.uk. We will respond within 30 days.

10. Automated Decision-Making

We use AI models to generate responses to your queries. This constitutes automated processing but does not involve automated decision-making that produces legal effects or similarly significant effects on you as defined by POPIA or GDPR.

Credit allocation and subscription management are handled automatically but are based on the tier you select and standard billing rules, not profiling.

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal information, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Secure authentication via Supabase Auth
  • Role-based access controls
  • Regular security reviews
  • Secure payment processing through Stripe (PCI-DSS compliant)

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Regulator (South Africa) and/or the ICO (UK) as applicable within 72 hours of becoming aware of the breach, in accordance with POPIA section 22 and GDPR Article 33.

Where the breach is likely to result in a high risk to your rights, we will also notify you directly as soon as reasonably possible.

13. Children's Data

Domkop AI is designed for users aged 18 and older. We do not knowingly collect personal information from children under 18 without parental consent. Users aged 13 to 17 may use the Service only with verifiable consent from a parent or legal guardian, in compliance with POPIA section 35.

If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete that information promptly.

14. Cookies

We use only essential cookies required for the functioning of the Service (Supabase authentication tokens). We do not use advertising or tracking cookies. For more information, see our Cookie Policy.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top of this page indicates when it was last revised.

16. Complaints

If you believe your privacy rights have been infringed, you have the right to lodge a complaint with the relevant authority:

South Africa: Information Regulator

Email: inforeg@justice.gov.za

Website: inforegulator.org.za

United Kingdom: Information Commissioner's Office (ICO)

Website: ico.org.uk

17. Contact Us

For privacy-related enquiries, please contact our Information Officer: