Let's Talk

Privacy Policy

How we collect, use, and protect your personal data.

PRIVACY POLICY

At Predictive Data Science (Pty) Ltd t/a Predictive Insights we adhere to the highest standards of protecting your personal data when we process it by virtue of your use of our services and/or our application or any related platforms (collectively, “the Platform”), or by providing us with your personal data in any other way. As such, we have created this privacy policy for you to read and to understand how we safeguard your personal data and respect your privacy (“Privacy Policy”).

Not all terms are necessarily defined in order or may be defined in our Terms and Conditions of Use (“Terms”).

Please ensure that you read all the provisions below, and our policies and guidelines which may apply from time to time, to understand all of your, and our, rights and duties.

Important Information and Who We Are

Purpose of this Privacy Policy

This Privacy Policy aims to give you information on how we collect and process your personal data through any form of your engagement with us. This Privacy Policy complies with, and facilitates the obligations required from, the South African Protection of Personal Information Act, No. 4 of 2013 (“POPIA”) and the EU’s General Data Protection Regulation (“GDPR”), as amended.

It is important that you read this Privacy Policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your personal data. This Privacy Policy supplements the other notices and is not intended to override them.

We do not process the data of minors nor special categories of personal data. Do not provide us with any such personal data, as it will constitute an immediate and automatic material breach of this Privacy Policy and our Terms.

Controller and Processor

Predictive Insights is the “Controller” and is responsible for your personal data when we decide the processing operations of your personal data. In certain instances, we may operate as a “Processor” of personal data on behalf of a Controller who uses our services. In that case, that Controller’s privacy policy will apply to your use of their services.

We have appointed a Data Protection Officer at Predictive Insights who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact our information officer using the details set out below.

Our Contact Details

Data Protection Officer: Mr H. Broekhuizen

Email address: dataofficer@predictiveinsights.net

Postal address: 18 Techno Ave, Technopark, Stellenbosch, South Africa , 7600

You have the right to make a complaint at any time to the applicable national regulator in your country of residence including the UK Information Commissioner’s Office or the South African Information Regulator’s Office. We would, however, appreciate the chance to deal with your concerns before you approach any regulator, so please contact us in the first instance.

Changes to this Privacy Policy

This Privacy Policy was last updated on 22 May 2026 and previous versions are archived and can be provided on request.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

This Privacy Policy is subject to change without notice and is updated or amended from time to time and will be effective once we upload the amended version to the Platform. Your continued access or use of our Services constitutes your acceptance of this Privacy Policy, as amended. It is your responsibility to read this document periodically to ensure you are aware of any changes.

Third-Party Links on Platform

The Platform may include links to third-party platforms, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share information about you. We do not control these third-party platforms and are not responsible for their privacy statements or terms. When you leave our Platform, or engage with such third parties, we encourage you to read the distinct privacy policy of every third-party you engage with.

What We Collect About You

Personal data means any information relating to an identified or identifiable natural person. Personal data does not include information that has been irreversibly anonymised so that the individual is no longer identifiable (including by us or any other person reasonably likely to access the data), but it does include pseudonymised data where the individual could still be identified with additional information.

  • We may collect, use, store, and transfer (“process”) different kinds of personal data about you which we have grouped together as follows:

Identity Data including your name, surname, job title/role (e.g., restaurant manager/owner), manager persona type (for example experienced vs. newer), and (where applicable) the name of the restaurant or business you represent.

Contact Data including email address, telephone number, and WhatsApp-enabled mobile number (including your WhatsApp identifier/handle as made available to us), and the linking of such WhatsApp details to your user profile and/or restaurant location.

Restaurant Operations and Insights Data including information you provide to us (or which is provided to us on your behalf) through WhatsApp or the Platform about restaurant operations and performance, and the outputs generated by Predictive Insights from such data. This may include point of sale data, shift and service context (such as date/time of shift, venue/restaurant location identifier, and shift role), manager(s) identified and assigned to a location, manager shift patterns/schedules, floor actions and decisions recorded by managers, tasks and checklists, operational notes and incident logs, service observations, and operational performance indicators. It may also include the insights, recommendations, prompts, and feedback reports generated by Predictive Insights for use by restaurant managers on the floor and for analysis by restaurant owners.

Restaurant Configuration and Operational Reference Data including operational content and reference information provided to or captured by Predictive Insights for the purpose of generating on-floor decisions and feedback. This may include a full menu item catalogue; recipes and ingredient lists; product quality standards and holding windows defined per item; cook times per product; oven capacity per location type; oven cleaning schedules; and demand rate patterns by daypart. This information is generally restaurant/business operational data, however to the extent it includes or is linked to an identified or identifiable natural person (for example where a recipe, schedule, or operational document includes staff names, sign-offs, WhatsApp identifiers, notes attributable to a specific manager, or other identifiers), it will be treated as personal data and processed in accordance with this Privacy Policy.

Customer Implementation and Support Contact Data including the identity and contact details of individuals at a customer organisation involved in onboarding, implementation, and ongoing support for the Services. This may include the Operations Director (or equivalent paying customer persona), the executive sponsor, IT and/or data contacts, training coordinators, emergency escalation contacts, and the support channels shared between the customer and Predictive Insights (including WhatsApp numbers/identifiers, email addresses, telephone numbers, job titles/roles, and availability or escalation preferences).

Account Data including information associated with your Platform/WhatsApp access and profile, such as identity and contact data, authentication or access details, user role and permissions, preferences, support enquiries, and verification records confirming your access to the applicable YooDoo WhatsApp conversation(s) (including access status and audit/log information where available).

Financial Data including billing contact details and payment status/transaction references necessary to administer subscriptions and invoicing; where card details are used, they are processed by our payment service provider and are not stored by us.

Communications Data including messages and other content you send to us or receive from us via WhatsApp (and any attachments you choose to share), as well as the date/time of communications and delivery/read status where available through WhatsApp or our service providers.

Transaction Data including details about subscriptions, sign-ups, contracts, invoices, and payments (including amounts, dates, and payment references) relating to products and services you obtain from us.

Technical Data including device and connection information (such as IP address, device type, operating system, browser type/version where relevant), time zone and approximate location derived from IP, and technical identifiers/log data associated with your use of the Platform and WhatsApp integration (including API/webhook logs and message delivery metadata where available).

Usage Data including information about how you use the Platform through WhatsApp, such as the features you use, prompts you respond to, actions taken, frequency and duration of interactions, and performance/diagnostic data.

Marketing and Communications Data including your preferences in receiving service notices and marketing from us, opt-in/opt-out records, support queries and communications, and details of which communications were sent to you (including via WhatsApp, email, or SMS) and when.

  • We may also collect, use, and share Aggregated Data such as statistical data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

Where we need to collect personal data and you fail to provide that data when requested, we may not be able to provide our services. In this case, we may have to suspend your use of the services but we will notify you if this is the case at the time.

How Is Your Personal Data Collected?

We use different methods to collect personal data from and about you, including through:

Direct interactions: You may share your personal data directly with us when you use the Services via WhatsApp and/or the Platform, when you contact us, or when your organisation’s administrators provide your details to us for account creation and access management. Where you use YooDoo through WhatsApp, please note that WhatsApp/Meta may process certain information as an independent controller in accordance with its own privacy policy. This includes personal data you provide when you:

  • Use our services;
  • Use our Platform;
  • Contract with us;
  • Provide any services to us as a service provider or independent contractor;
  • Request information to be sent to you;

Give us some feedback.

Automated technologies or interactions: As you interact with our Platform and WhatsApp implementation, we may automatically collect Technical Data and Usage Data about your device and usage, including through server logs and similar technologies. Where cookies or similar technologies are used on the Platform, we will collect this personal data via those technologies as described in our Cookies section. We may also receive certain Technical Data from service providers supporting the WhatsApp integration (for example message delivery events and related logs where available).

Third parties: We may receive personal data about you from third parties such as:

  • Analytics and monitoring providers (to help us understand usage and improve the Services);

Communications and marketing platforms (where you have consented to, or we are otherwise permitted to send, such communications);

Identity and contact enrichment sources you direct us to use (if applicable); and

Payment service providers and billing platforms (to process payments and administer subscriptions, where applicable).

How We Use Your Personal data

We will only process personal data under one or more of the following legal bases:

  • where we have your express consent to do so;

where we need to consult with you or perform on the Services contract we are about to enter into or have entered into with you;

where it is necessary for our legitimate business interests (or those of a third party) and your interests and fundamental rights do not override those interests; and/or

where we need to comply with a legal or regulatory obligation.

Purposes For Which We Will Use Your Personal data

We have set out below the purpose for which we will process your personal data, which includes:

to provide, operate, and administer the Services and the Platform (including implementing and running YooDoo through WhatsApp), including setting up restaurants/locations, user roles and permissions, linking WhatsApp identifiers to the relevant user and location, and verifying access to applicable YooDoo WhatsApp conversation(s);

to receive, record, and respond to communications (including WhatsApp messages, prompts, responses and attachments) and to generate, deliver, and maintain the operational insights, recommendations, decisions, prompts, tasks, and feedback outputs for restaurant managers and owners;

to configure and maintain the operational reference content used by the Services (including menu catalogues, recipes and ingredient lists, product quality/holding windows, cook times, oven capacity information, cleaning schedules, and demand patterns) and to use that content to support the insights and recommendations produced by Predictive Insights;

to plan, manage, and evaluate pilots and roll-outs (including documenting pilot locations, timelines, success criteria, baseline performance information, meeting cadence/agendas, measurement frameworks, reporting formats, and comparison methodologies);

to manage our relationship with you and/or the customer organisation you represent (including verifying identity where appropriate, maintaining customer implementation and support contacts, training coordination, and escalation/support arrangements);

to provide customer support, troubleshooting, and service communications (including responding to queries, handling incidents, and sending service notices and operational updates);

  • to administer subscriptions, billing, payments, contracts and invoicing (where applicable);

to monitor, maintain, and improve the security, performance, and integrity of the Services (including fraud prevention, access control, logging, audit trails, and detection/investigation of misuse, unlawful activity, or breaches of our Terms);

to understand usage of the Services, to develop and improve features and functionality, and for internal analytics and reporting, including creating aggregated and/or anonymised statistics; and

to comply with our legal and regulatory obligations, and to establish, exercise, or defend legal claims.

For any other purpose that is compatible with the original purpose of collection, or where you have provided your consent.

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules and where required or permitted by law.

Marketing

We strive to provide you with choices regarding how we use your personal data, particularly around (i) customer marketing (marketing to our customer organisations about Predictive Insights’ products and services) and (ii) direct marketing (marketing messages sent to you as an individual). You can manage your marketing preferences and exercise your rights in relation to marketing by using the opt-out/unsubscribe mechanism in the relevant communication or by contacting us.

  • We may send customer marketing communications where your organisation is (or is considering becoming) a customer and we have a lawful basis to do so (for example, our legitimate interests, where permitted).

You can ask us to stop sending you customer marketing messages at any time by using the opt-out/unsubscribe mechanism provided or by contacting us. Opting out of marketing will not affect service communications that are necessary to provide the Services (for example administrative, security, or operational messages) or other processing carried out on a separate lawful basis.

Direct Marketing

Where permitted by applicable law, we may process your personal data to send you direct marketing communications about Predictive Insights’ products, services, features, events, promotions and related updates via channels such as email, SMS, WhatsApp or telephone. We will only send direct marketing where we have a valid lawful basis to do so under the GDPR and other applicable laws (including, where required, your prior consent). You may object to, or opt out of, direct marketing at any time by using the unsubscribe/opt-out mechanism included in the relevant message or by contacting us using the details set out in this Privacy Policy. If you opt out, we will stop sending you direct marketing communications; however, we may still send you non-marketing communications that are necessary to provide the Services (such as service notices, security alerts, and administrative messages).

Third-Party Marketing

Whilst we may use your personal data within our company, we will get your express opt-in consent before we share your personal data publicly with any entity outside of Predictive Insights for marketing.

Disclosures Of Your Personal data

  • We may have to share your personal data with the parties set out below for the purposes set out above.

Predictive Insights group companies and internal recipients. Other entities within the Predictive Insights group and their directors, officers, employees and authorised contractors who need access for the purposes described in this Privacy Policy. Depending on the context, these recipients may act as controllers, joint controllers or processors.

Service providers (processors). Third-party service providers who provide services to us and process personal data on our behalf and on our documented instructions, such as:

  • hosting and infrastructure providers;
  • customer support, ticketing and CRM providers;

communications providers and WhatsApp integration support providers (including providers that enable messaging delivery, routing, automation, monitoring and logging);

  • analytics, performance monitoring and error reporting providers;
  • security, fraud prevention and abuse detection providers;
  • identity verification and access management providers (where applicable);

billing, invoicing and payment service providers (noting that card payment details are processed by our payment service provider and are not stored by us); and

professional advisers and auditors where they act as our processors.

Independent controllers. Third parties that process personal data for their own purposes as independent controllers, such as:

  • professional advisers (including lawyers, bankers, auditors and insurers) where they act as independent controllers;

regulators, government bodies, courts and law enforcement agencies; and

platforms or providers you choose to interact with independently (for example WhatsApp/Meta) in accordance with their own privacy policies.

Customer organisations and other responsible parties. Where your use of the Services is through, sponsored by, or administered by a customer organisation (for example a restaurant group or business that subscribes to the Services), we may disclose relevant personal data to that customer organisation and its authorised administrators for account administration, support, reporting, governance and compliance purposes. In such cases, that customer organisation may act as controller (or joint controller) of the relevant personal data.

Corporate transactions. Prospective or actual buyers, sellers, investors, financiers and their professional advisers in connection with any actual or proposed merger, acquisition, sale of assets, reorganisation, financing, or similar transaction. We will disclose personal data in these circumstances only to the extent necessary for the transaction and subject to appropriate confidentiality and security protections. Where a transaction completes, personal data may be transferred to the new owner, subject to applicable law and any required notices.

  • We may disclose personal data where we reasonably believe it is necessary to comply with a legal obligation, enforce or apply our Terms, protect the rights, property or safety of Predictive Insights, our users or others, prevent fraud or abuse, or establish, exercise or defend legal claims.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data in accordance with our instructions and standards.

Where a recipient acts as our processor, we require it (as applicable) to:

  • process personal data only on our documented instructions and only for the permitted purposes;
  • ensure persons authorised to process the personal data are subject to confidentiality obligations;
  • implement appropriate technical and organisational measures to protect personal data;

not engage sub-processors without appropriate protections, including written authorisation where required and the flow-down of equivalent obligations;

  • assist us, where applicable, with data subject rights requests and regulatory enquiries;

notify us without undue delay after becoming aware of a personal data breach affecting the personal data it processes on our behalf;

delete or return personal data at the end of the services (unless retention is required by law); and

make available information reasonably necessary to demonstrate compliance and allow for audits or assessments, where appropriate.

Cookies

The Platform uses cookies and similar technologies (such as pixels, SDKs, local storage and server-side identifiers) to distinguish you from other users, to operate the Platform, and to understand and improve how the Platform is used. Cookies may be “session” cookies (which expire when you close your browser) or “persistent” cookies (which stay on your device for a longer period).

Cookie categories and lawful basis

We use the following categories of cookies and similar technologies:

Strictly necessary cookies. These are required for the operation and security of the Platform and for you to access core features (for example, authentication, load balancing, security, fraud prevention and consent preference storage). These cookies do not require your consent.

Functional cookies. These are used to recognise you when you return to the Platform and to remember your preferences (for example, language and settings). These cookies will be used only where you have provided your consent (unless they are strictly necessary for a feature you have requested).

Analytics/performance cookies. These help us understand how users interact with the Platform (for example, pages visited, features used, errors and performance metrics) so we can improve functionality. These cookies will be used only where you have provided your consent.

Advertising/targeting cookies. These may be set by us and/or third parties to build a profile of your interests and to show you relevant content and marketing on the Platform and/or on third-party platforms. These cookies will be used only where you have provided your consent.

Your choices and consent

Where required by law (including under the GDPR and applicable ePrivacy rules), we will obtain your prior consent before placing or accessing any cookies or similar technologies that are not strictly necessary. If we rely on consent, you may withdraw your consent at any time and with effect for the future. You can manage your cookie preferences via our cookie banner and/or cookie preference centre available on the Platform, and you can also control cookies through your browser settings. Please note that disabling cookies that are strictly necessary may affect the operation of the Platform and may limit access to certain features.

Third-party cookies and international transfers

Some cookies and similar technologies may be set by third parties (for example, analytics, marketing or security providers). These third parties may process information about your device and your use of the Platform as independent controllers or as our processors (as applicable) and may combine it with other information they hold. Where cookies involve third parties and/or result in transfers of personal data outside your country, we will implement appropriate safeguards where required and provide further information in our cookie banner/preference centre and/or this Privacy Policy.

More information

We will provide up-to-date information about the cookies and similar technologies in use on the Platform (including name/provider, purpose, category and retention/expiry periods) through our cookie banner/preference centre and/or a cookie list made available on the Platform.

International Transfers

  • We may share and process your personal data outside of South Africa (and, where the GDPR applies, outside the UK/EEA) to utilise cloud storage, software services used to operate our business, or to engage with third-party service providers.

If we transfer your personal data internationally, we will ensure a similar degree of protection is afforded to it by implementing appropriate safeguards as required by applicable data protection law (including, where the GDPR applies, Chapter V of the GDPR).

  • We may transfer your personal data to countries that have been deemed to provide an adequate level of protection under applicable law (including, where applicable, an adequacy decision under the GDPR); and/or

We will use appropriate contractual safeguards approved under applicable law (including, where the GDPR applies, the European Commission’s Standard Contractual Clauses and/or the UK International Data Transfer Agreement/addendum, as applicable), and we may implement supplementary technical and organisational measures and carry out transfer risk assessments where required. Where permitted, we may also rely on Binding Corporate Rules or a specific derogation under applicable law for limited circumstances.

Data Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. These measures are designed taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for individuals’ rights and freedoms.

Our security measures may include (as appropriate): data minimisation and privacy by design/default; encryption in transit and at rest; pseudonymisation where appropriate; access controls based on least privilege and role-based permissions; multi-factor authentication for administrative access; secure key/secret management; logging and monitoring; vulnerability management, patching and penetration testing; network and application security controls; backups and disaster recovery; resilience and availability measures; and secure development and change management practices.

Access to personal data is limited to employees, agents, contractors and other third parties who have a legitimate need to know for the purposes described in this Privacy Policy. All such persons are subject to confidentiality obligations and receive appropriate data protection and security guidance.

Where we engage third-party service providers to process personal data on our behalf, we require them to implement appropriate technical and organisational measures and to process personal data only on our documented instructions, in accordance with applicable data protection law and appropriate contractual safeguards.

Personal data breach management

We maintain procedures to detect, report, investigate and respond to suspected or actual personal data breaches. Where the GDPR applies, and a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it (unless the breach is unlikely to result in a risk). Where the GDPR applies and the breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay, unless an exemption applies. We will also comply with any breach notification obligations under POPIA and other applicable laws.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purpose we collected it for including any legal, accounting, or reporting requirements.

Retention periods are determined taking into account the nature, scope, context and purposes of the processing; the amount, nature and sensitivity of the personal data; the risk of harm from unauthorised use or disclosure; whether the purposes of processing can be achieved through other means; the lawful basis relied upon; applicable limitation periods; contractual requirements; and applicable legal, accounting, tax and reporting requirements.

Personal data may be stored in backups for resilience and disaster recovery purposes. Where feasible, we will ensure that backups are subject to appropriate access controls and retention limits and are securely overwritten, deleted or rendered inaccessible in the ordinary course of backup rotation.

  • We may also anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Your Legal Rights

You have rights in relation to your personal data where we are the relevant “Controller” over such personal data. Please contact us to find out more about, or manifest, these rights:

  • request access to your personal data;
  • request correction of your personal data;
  • request erasure of your personal data;
  • object to the processing of your personal data;
  • request a restriction of processing your personal data;
  • request transfer of your personal data; and/or
  • right to withdraw consent.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

  • We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Questions? Contact us.