Privacy Notice
Effective date: 13 May 2026
Version: 2026-05-13-v1
This Privacy Notice describes how Raythinks (Pty) Ltd ("Raythinks", "we", "us", "our") collects, uses, stores, and protects your personal information when you use the Raythinks platform ("Service").
This Privacy Notice is issued in compliance with the Protection of Personal Information Act, 4 of 2013 ("POPIA") of the Republic of South Africa.
We take your privacy seriously. We have built the Service with privacy as a foundational principle, not an afterthought.
1. Who We Are and How to Contact Us
1.1 Responsible party
The responsible party for the processing of your personal information is:
Raythinks (Pty) Ltd
Registration number 2026/379277/07
112 Camp Ground Road, Rondebosch, Cape Town, 7700
Republic of South Africa
1.2 Information Officer
In terms of section 56 of POPIA, our designated Information Officer is:
Ridwaan Banderker
Email: privacy@raythinks.ai
You may contact the Information Officer about:
- any question relating to this Privacy Notice;
- any request to access, correct, or delete your personal information;
- any complaint about how we process your personal information;
- any other privacy-related matter.
We respond to privacy queries within 30 calendar days.
2. What This Notice Covers
This Privacy Notice covers personal information we process when you:
- create or maintain a Raythinks account;
- use the Service to ask Ray to help you think through a decision;
- submit feedback or correspond with us;
- pay for a subscription or PAYG analysis;
- visit our websites at raythinks.ai or app.raythinks.ai.
It does not cover the privacy practices of third-party websites or services that you may access through links from our Service. We are not responsible for their practices and recommend you read their privacy notices.
3. Personal Information We Collect
3.1 Information you provide
When you create an account and use the Service, we collect:
| Category | Examples | Purpose |
|---|---|---|
| Identity | Display name | Personalising the Service |
| Contact | Email address | Authentication, account communication, support |
| Authentication | Hashed password | Securing your account |
| Location | Home country (you select at signup) | Personalising crisis resources, geographic compliance |
| Account preferences | Settings choices | Operating the Service as you configure it |
| Decision content | The text, documents, and questions you submit to Ray | Generating Ray's response, conversation continuity |
| Feedback | Anything you send to us | Improving the Service |
3.2 Information generated by your use
When you use the Service we generate and store:
| Category | Examples | Purpose |
|---|---|---|
| Conversation history | Your conversations with Ray, including Ray's responses | Letting you revisit past decisions, conversation continuity |
| Usage metrics | Number of analyses run, billing-period consumption | Enforcing plan limits, billing |
| Crisis events | Records of when crisis detection logic was triggered, the triggering conversation ID | Safety review, user welfare |
| Subscription state | Plan, billing dates, payment status (via Lemon Squeezy) | Operating your subscription |
3.3 Information collected automatically
When you visit our websites we collect:
| Category | Examples | Purpose |
|---|---|---|
| Device and connection | IP address, browser type, operating system, country derived from IP | Security, geographic compliance, troubleshooting |
| Cookies and similar | Session cookies, authentication tokens | Keeping you signed in, security |
| Application logs | Time of access, pages visited, errors | Operating and improving the Service |
We do not use third-party advertising, analytics, or tracking cookies. We do not sell your data to anyone.
3.4 Special personal information
POPIA defines certain categories as "special personal information" (race, ethnicity, religion, health, sexual orientation, political views, criminal behaviour, biometric data).
We do not deliberately collect special personal information. However, decision content you voluntarily submit to Ray may contain such information. For example, you may ask Ray for help thinking through a health-related decision, a religious question, or a life event that touches on sensitive matters.
Where you voluntarily provide such information, you provide it on the basis of section 27(1)(a) of POPIA: you have consented to its processing for the purpose of obtaining a response from Ray. We do not use this information for any other purpose, do not share it with anyone other than the processors strictly necessary to operate the Service, and apply the security measures described in section 9 below.
3.5 Information of children
The Service is for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If we become aware that an account holder is under 18, we will close the account and delete the personal information.
4. Lawful Basis for Processing
Under POPIA, we may only process personal information when we have a lawful basis. We rely on the following bases:
| Basis (POPIA section) | When we rely on it |
|---|---|
| Consent (s11(1)(a)) | When you create an account and accept this Privacy Notice; when you voluntarily submit decision content; when you contact us |
| Performance of contract (s11(1)(b)) | When we process your information to provide the Service you signed up for |
| Compliance with law (s11(1)(c)) | When law requires us to retain certain records (for example, tax records) |
| Legitimate interest (s11(1)(f)) | For security, fraud prevention, and operating the Service |
You may withdraw your consent at any time by closing your account or by contacting privacy@raythinks.ai. Withdrawal of consent does not affect processing that occurred before the withdrawal.
5. How We Use Your Personal Information
We use your personal information for the following specific purposes:
| Purpose | Information used |
|---|---|
| Creating and operating your account | Email, password, display name, country |
| Authenticating you on each visit | Email, password (hashed), session tokens |
| Generating Ray's responses to your decisions | Decision content you submit, conversation history |
| Showing you past decisions and conversations | Conversation history, account ID |
| Enforcing plan limits and billing | Usage metrics, subscription state |
| Detecting and responding to crisis indicators | Conversation content, real-time analysis output |
| Communicating with you about your account | Email, account state |
| Sending you email confirmations and password reset links | |
| Customer support | Account info, any correspondence you send |
| Security, fraud prevention, abuse detection | IP, login patterns, usage patterns |
| Improving the Service | Aggregated, de-identified usage metrics; explicit feedback |
| Meeting legal obligations | Records of payments, account activity (for tax and audit purposes) |
We do not use your personal information or your decision content to train AI models.
6. Who We Share Your Personal Information With
We share your personal information with the following categories of recipient, and only as necessary for the purposes listed above.
6.1 Operators (POPIA section 19/21)
We use the following third-party operators to provide the Service. Each operator processes your personal information on our behalf under contractual data processing terms that meet POPIA requirements.
| Operator | What they do | What information they receive | Location |
|---|---|---|---|
| Supabase, Inc. | Database and authentication infrastructure | All personal information stored in our database | Servers in Ireland (EU, eu-west-1 region) |
| OpenRouter | Routes requests to AI providers | Conversation content (text only) for the purpose of generating responses | United States |
| Anthropic, PBC | Operates the Claude AI models that generate Ray's responses | Conversation content (text only) for the purpose of generating responses | United States; certain regions |
| Lemon Squeezy LLC (a Stripe company) | Merchant of Record; payment processing | Name, email, billing address, payment card details (which we never see) | United States |
| Resend | Sends transactional emails (signup confirmation, password reset, notifications) | Email address, name, the email content | United States |
| Vercel | Hosts the application | Connection metadata (IP, browser); content of requests passes through | United States and globally distributed edge network |
| Cloudflare | DNS and edge network | Connection metadata | Global edge network |
We have written agreements with each operator obliging them to:
- (a) process personal information only on our instructions;
- (b) maintain appropriate security safeguards;
- (c) notify us of any breach affecting your personal information.
6.2 Cross-border transfer (POPIA section 72)
Some of our operators are located outside South Africa. POPIA section 72 permits cross-border transfer of personal information where the recipient is subject to a law, binding code, or contract that provides adequate protection.
| Recipient | Country | Basis for transfer |
|---|---|---|
| Supabase / Cloudflare / Resend / Lemon Squeezy / Anthropic / OpenRouter / Vercel | Various (primarily United States and Ireland) | Standard contractual clauses providing adequate protection; we obtain your consent to this transfer when you accept this Privacy Notice |
We have selected operators whose practices and contractual commitments meet POPIA's "adequate level of protection" standard. We have reviewed each operator's published data processing terms before engaging them.
6.3 Other recipients
We may share personal information with:
- Professional advisors (lawyers, accountants, auditors) where strictly necessary, under confidentiality obligations;
- Authorities where required by law, valid court order, or to protect the rights, property, or safety of any person;
- Successors in business in the event of a merger, acquisition, or sale of assets — in which case the acquiring entity is bound to honour this Privacy Notice until you are notified otherwise.
We do not sell, rent, trade, or otherwise commercialise your personal information.
7. How Long We Retain Your Personal Information
We retain personal information only for as long as necessary to achieve the purposes set out above, or as required by law.
| Category | Retention period |
|---|---|
| Active account data | For as long as your account is open |
| Account data after closure | Deleted within 30 days of closure, except as required by law |
| Conversation and decision content | Retained while account is open; deleted with account closure |
| Crisis events | Retained for 24 months after the event, then deleted, unless we have a legitimate safety reason to retain longer |
| Subscription and payment records | Retained for 5 years after the last transaction, in compliance with South African tax law |
| Email correspondence | Retained for 24 months after the last message |
| Server logs and connection metadata | Retained for 90 days |
| Aggregated, de-identified analytics | Retained indefinitely (this information cannot be linked back to you) |
You can request earlier deletion of your information — see section 8.
8. Your Rights
Under POPIA you have the following rights in relation to your personal information:
8.1 Right to access
You may request a copy of the personal information we hold about you, including the categories of information, the sources, the recipients, and the period of retention.
8.2 Right to correction
You may request that we correct any inaccurate or incomplete personal information about you.
8.3 Right to deletion
You may request that we delete your personal information, subject to our legal obligation to retain certain information (for example, tax records).
You can also delete most of your personal information yourself by closing your account in the Settings page.
8.4 Right to object to processing
You may object to our processing of your personal information on certain grounds, including direct marketing (although we do not currently engage in direct marketing).
8.5 Right to withdraw consent
Where we rely on your consent to process your personal information, you may withdraw consent at any time. Withdrawal does not affect lawful processing that occurred before withdrawal.
8.6 Right to data portability
You may request a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format.
8.7 Right to lodge a complaint
You have the right to complain to the Information Regulator (South Africa):
The Information Regulator
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
PO Box 31533, Braamfontein, Johannesburg, 2017
Complaint email: complaints.IR@justice.gov.za
General email: inforeg@justice.gov.za
Web: https://inforegulator.org.za
We would prefer that you contact us first so we can attempt to resolve any concern directly.
8.8 How to exercise your rights
To exercise any of these rights, contact our Information Officer at privacy@raythinks.ai. We will respond within 30 calendar days of receiving a verifiable request. We may need to verify your identity before fulfilling a request.
We do not charge a fee for handling reasonable requests. We may decline manifestly unfounded or excessive requests, with reasons.
9. Security
We protect your personal information with administrative, technical, and physical safeguards appropriate to the sensitivity of the information.
9.1 Technical measures
- Encryption in transit of all communication between your device and the Service using TLS 1.3.
- Encryption at rest of database storage at Supabase.
- Row-level security in our database, restricting access to personal information to the account that owns it.
- Hashed passwords stored using industry-standard hashing algorithms.
- Access controls restricting database and infrastructure access to authorised personnel only.
9.2 Organisational measures
- Solo-founder operating model with no employees who have access to your data.
- Written agreements with all third-party operators.
- Regular review of operator security practices.
- Incident response plan for security breaches.
9.3 Breach notification
In the event of a security breach affecting your personal information, we will notify you and the Information Regulator as required by section 22 of POPIA. Notification will describe the breach, what information was affected, what we have done in response, and what you can do to protect yourself.
9.4 Limits of security
No system is perfectly secure. While we take reasonable steps to protect your personal information, we cannot guarantee absolute security. By using the Service, you acknowledge this risk.
10. Cookies
We use a limited set of cookies necessary to operate the Service:
| Cookie type | Purpose | Duration |
|---|---|---|
| Session cookies | Keep you signed in during a browser session | Until you sign out or close the browser |
| Authentication tokens | Verify your identity on requests | Up to 7 days |
| Security cookies | Protect against cross-site request forgery | Session |
We do not use third-party advertising cookies, analytics cookies, or social media tracking pixels.
You can block cookies in your browser settings, but doing so will prevent you from using the Service (you will not be able to stay signed in).
11. Marketing
We do not currently send marketing emails or use your personal information for direct marketing without your specific opt-in.
If we begin marketing activities in future, we will obtain your explicit opt-in consent, will offer a clear unsubscribe mechanism in every marketing email, and will not share your contact details with third parties for their marketing purposes.
12. Crisis Detection and Safety
Because the Service involves users discussing decisions in their lives, we have implemented safety logic that detects indicators of acute distress in conversation content.
When the safety logic detects such indicators:
- (a) Ray's advisory response is halted for that conversation;
- (b) the conversation is shown emergency resources (SADAG, Lifeline, SAPS);
- (c) the event is recorded in our database as a crisis event;
- (d) you can continue to use the Service for other conversations.
We retain crisis event records for 24 months for safety review and to refine the safety logic. Crisis event records are accessible only to the Information Officer.
We do not share crisis event records with third parties, except where:
- (a) you provide explicit consent;
- (b) we are required by law (for example, a court order);
- (c) we reasonably believe there is an imminent risk to your life or to another person's life — in which case we may share with emergency services.
If you would like the Service not to monitor your conversations for crisis indicators, the Service is not suitable for you and you should close your account. The safety logic cannot be disabled.
13. Children
The Service is not intended for, and we do not knowingly collect personal information from, anyone under the age of 18.
If you are a parent or guardian and believe that your child has provided personal information to us, please contact privacy@raythinks.ai and we will delete the information and close the account.
14. Changes to This Privacy Notice
We may update this Privacy Notice from time to time. The version date and version number appear at the top of this document.
We will notify active account holders of material changes by email or in-app notice at least 30 days before the changes take effect. Where the change relates to a fundamentally new use of your personal information, we will seek your renewed consent.
Continued use of the Service after a change indicates acceptance of the updated Privacy Notice.
15. Questions and Complaints
For any privacy question, request, or complaint:
Information Officer: Ridwaan Banderker
Email: privacy@raythinks.ai
Postal: 112 Camp Ground Road, Rondebosch, Cape Town, 7700
We respond within 30 calendar days.
For complaints you wish to escalate, the Information Regulator's details are in section 8.7.
Version 2026-05-13-v1. Effective 13 May 2026.