Privacy & Data Policy

Last updated: April 2026

AI Safety South Africa (AISSA) is a South African non-profit organisation focused on building AI safety capacity. We run fellowships, courses, reading groups, hackathons, and events to help people contribute to making AI systems safer.

This policy explains what personal information we collect across our activities — events, community programs, the Track Record platform, and our public website — why we collect it, and the rights you have over it.

Our Approach

We are legally subject to the Protection of Personal Information Act (POPIA) as a South African organisation. Operationally, we hold ourselves to the stricter standard set by the EU General Data Protection Regulation (GDPR): minimal collection, specific and unbundled consent for anything beyond the basics, clear retention limits, and real control for the people in our community.

Where POPIA and GDPR differ, we follow whichever is stricter.

Who We Are

AISSA is the responsible party (data controller) for the personal information described in this policy. We decide how and why your information is processed, and we are accountable for protecting it.

Information Officer: Charl Botha, Systems & Partnerships, contactable at infrastructure@aisafetysa.com.

Scope

This policy covers:

  • In-person and online events run by AISSA (registration, attendance, feedback, photography)

  • Community programs (fellowships, courses, reading groups, hackathons)

  • The Track Record platform: our internal system for recording participation and displaying impact to funders

  • The AISSA public website: our landing page and community section

  • Our newsletter, insofar as we manage subscriber data outside Substack

It does not cover third-party platforms we link to, which operate under their own privacy policies. Where we rely on a third party to process data on our behalf, we name them below.

What We Collect

Baseline: Event Attendance

When you register for an AISSA event, Luma collects your name, email, and any event-specific details (dietary requirements, organisation, etc.). This data lives in Luma under their privacy policy.

AISSA retains basic attendance records of the form [name] attended [event] on [date] for long-term community and impact tracking. This is the default baseline — attending an event does not opt you into anything else.

Higher-Consent Data

Beyond the baseline, some community members choose to share more with us — typically via post-event feedback forms (currently Tally) or direct conversations. This includes:

  • Testimonials and quotes about your experience

  • Bio, headshot, and professional information (organisation, role, website)

  • Featured stories — longer narratives about your work or journey in AI safety

This data is only collected when you provide it intentionally, and is only shared beyond AISSA under the three consent tiers described below.

Feedback

Survey and form responses (via Tally) are used to improve our programs. Anonymised and aggregated feedback may be shared with funders or published.

Website

Our public website is a landing page. It does not set cookies, does not use analytics, and does not collect personal information from visitors. The community section displays profiles only of members who have explicitly consented to public display.

Newsletter

Our newsletter is managed by Substack and is governed by Substack's privacy policy. We do not export or separately process subscriber data.

The Three Consent Tiers

For community members whose stories and profiles we'd like to share beyond AISSA, we ask for consent at three distinct levels. Each level is asked separately — consenting to one does not imply the others.

Tier 1: Sharing with Funders

A small, named set of funder organisations receives:

  • Aggregate participation statistics

  • Your historic participation across AISSA events

  • Testimonials you have provided

  • Your bio, headshot, and featured story (where applicable)

This supports our accountability to the organisations that enable our work.

Tier 2: Sharing with Partners for Opportunities

When partner organisations are looking for people for specific opportunities (jobs, fellowships, research collaborations, speaking invitations), we may share your profile with them.

If we share your information with a partner, we will notify you by email afterwards with:

  • What was shared

  • Who it was shared with

  • When it was shared

  • Why

You can withdraw this consent at any time, which stops future sharing immediately. Past shares cannot be recalled, but you can contact the partner directly if you wish.

Tier 3: Public Display

With your explicit consent, your profile (name, role, organisation, bio, headshot, featured story) may appear on the public-facing AISSA website.

We never display contact information publicly, regardless of consent tier.

Managing Your Consent

Consent at each tier is:

  • Unbundled: you can opt into any combination, or none

  • Revocable: you can withdraw at any time by emailing infrastructure@aisafetysa.com

  • Specific: each tier covers a defined scope; we will not silently expand it

Withdrawing consent does not affect the lawfulness of processing that happened before the withdrawal, but we will stop the relevant sharing and remove public displays as soon as practicable.

Photography at Events

AISSA staff take photos at events for use in recap posts, social media, reports to funders, and the website. Photographs are an important way we document our community.

Default and Opt-Out

You are opted in to photography by default: by registering for an event, you consent to being photographed by AISSA staff. This is disclosed at registration.

You can opt out in several ways:

  • At the event, by requesting a visible marker (sticker or similar) at larger events where staff cannot reasonably track individual preferences otherwise

  • By telling our photographer or any AISSA organiser directly

  • After the fact, by emailing infrastructure@aisafetysa.com

Attendee Photography

We do not prohibit other attendees from taking photos at events. This policy governs photos taken by AISSA staff and photos that AISSA shares. We cannot control what other attendees do with their own photographs.

Group Photos

For group photos, we ask for consent at the time the photo is taken, separately from the registration-level opt-in.

Retroactive Removal

If you later ask us to remove a photo of you, we will:

  • Remove it from all AISSA-controlled platforms (website, Track Record, social media accounts we manage, funder reports we can still revise)

  • Cease any further use of it

  • Acknowledge that we cannot retrieve copies already shared externally (e.g., reposted by attendees, embedded in published funder reports)

Retention

Photos are retained in our archive. Identifiable photos of individuals who have opted out, or who have requested removal, are deleted.

Legal Basis for Processing

Under POPIA, and mirroring GDPR's Article 6 framing:

Purpose: Legal basis

  • Running events and programs (registration, logistics, communication): Contractual necessity / legitimate interest

  • Baseline attendance records: Legitimate interest

  • Photography at events: Consent (opt-in by default, with clear opt-out)

  • Sharing with funders, partners, or publicly (tiers 1–3): Consent (explicit, per tier)

  • Newsletter: Consent (managed by Substack)

  • Responding to your requests or complaints: Legal obligation under POPIA

  • Long-term impact tracking (anonymised after 5 years): Legitimate interest

Who Processes Your Data

We use the following third-party providers, who process data on our behalf under data processing agreements or equivalent terms:

  • Luma: event registration and attendance

  • Tally: feedback forms

  • Substack: newsletter

  • Neon (database hosting): Track Record database

  • Vercel: Track Record web hosting

  • Cloudflare R2: file storage (headshots, event images)

These providers process data only to deliver their services to us. We do not sell your data to any third party.

International Data Transfers

Several of our service providers store data on servers outside South Africa. We only transfer data internationally where:

  • The receiving country has adequate data protection laws, or

  • We have appropriate safeguards in place (standard contractual clauses or equivalent binding agreements)

We select providers with strong data protection standards. Details of specific safeguards are available on request.

How Long We Keep Data

  • Baseline attendance records ([name] attended [event]): retained long-term for community and impact tracking.

  • Identifiable featured content (testimonials, bios, headshots, featured stories): anonymised or generalised after 5 years, unless you ask us to keep your name attached for longer. For example, after 5 years a record may read "a community member attended our 2026 fellowship, which began their work in AI safety" rather than naming the individual.

  • Aggregate statistics: retained indefinitely in anonymised form.

  • Photos: retained in archive; removed on opt-out or on request.

  • Feedback responses: anonymised after use, unless you consented to attribution.

We conduct annual reviews of retained data and anonymise records where individual identification is no longer necessary.

If you request full deletion, we will remove your personal details while retaining anonymised aggregate statistics.

Your Rights

Under POPIA, and aligned with GDPR:

  • Access: Request a copy of the personal data we hold about you

  • Correction: Ask us to correct inaccurate or incomplete information

  • Deletion: Request that we delete your personal data

  • Object: Object to processing that does not comply with POPIA

  • Withdraw consent: Withdraw any consent you've previously given, without affecting prior processing

  • Portability: Request your data in a structured, machine-readable format

  • Opt out of public display: Have your participation recorded without your name appearing publicly

  • Opt out of partner sharing: Stop future sharing with partners

  • Opt out of photography: As described above

  • Unsubscribe: Stop receiving any non-essential emails

To exercise any of these rights, email infrastructure@aisafetysa.com or contact any AISSA organiser directly. We will respond within a reasonable timeframe, and no later than required by POPIA (30 days).

Complaints: If you believe your personal information has been mishandled, you have the right to lodge a complaint with the Information Regulator of South Africa.

What Happens if You Don't Provide Information

Providing personal information is voluntary. However:

  • If you don't provide registration details, we may be unable to register you for events.

  • If you don't consent to any of the three sharing tiers, that's fine — you remain a community member and your baseline attendance is recorded. We only share beyond AISSA with consent.

  • Optional fields (bio, headshot, website) can always be left blank.

Data Security

Our measures include:

  • All data transmitted via HTTPS (encrypted in transit)

  • Database access restricted via role-based authentication

  • Admin panel access limited to authorised users with multi-factor authentication

  • Regular access reviews

  • Encrypted backups of critical data

  • Staff awareness of data protection responsibilities

No system is perfectly secure. If you believe there has been a data breach affecting your information, please contact us immediately at infrastructure@aisafetysa.com.

Data Breaches

If a breach occurs involving personal information, we will:

  • Notify the Information Regulator as soon as reasonably possible after becoming aware of the breach

  • Notify affected individuals where the breach is likely to result in risk to your rights, including what happened, what data was involved, and what we are doing about it

  • Take immediate steps to contain the breach and prevent further unauthorised access

Cookies

Our public website does not set cookies and does not use analytics.

The Track Record platform uses only essential cookies required for the functionality of the site (session cookies for login state, security cookies to protect against fraud). These cannot be disabled without breaking core functionality.

Children's Data

Our programs are intended for adults (18+). We do not knowingly collect data from children. If we discover we have collected data from someone under 18, we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email to registered community members. The "last updated" date at the top indicates when the current version took effect.

Contact

For privacy questions, data subject requests, or to exercise any of your rights:

You can also contact any AISSA organiser directly.


This policy applies to all AISSA data handling, including events, community programs, the Track Record platform, and our public website.