Privacy Policy

How we collect, use, and protect personal information.

Effective date: 17 April 2026
Version: 1.0
Entity: Choccy AI (Pty) Ltd t/a Weeva AI

01 Introduction

Choccy AI (Pty) Ltd, trading as Weeva AI ("Weeva", "we", "us", or "our"), is committed to protecting the privacy and security of personal information in our care. This Privacy Policy explains how we collect, use, disclose, store, and otherwise process personal information when you visit our website at https://www.weeva.ai, engage with us as a customer, prospect, partner, supplier, or employee, or otherwise interact with our products and services.

This Policy should be read together with our Cookie Policy, our Terms of Use, and any product-specific terms or data processing agreements entered into between you (or your organisation) and Weeva.

Weeva provides artificial intelligence ("AI") and automation solutions to organisations operating in the insurance and financial services sectors, as well as related professional services and consulting. Depending on the context of the engagement, Weeva may act as a Responsible Party (Controller) or as an Operator (Processor). This Policy primarily explains our processing activities where we act as the Responsible Party.

By using our website or our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not use our website or services, and do not provide us with your personal information.

02 Who We Are And How To Contact Us

Responsible Party / Data Controller: Choccy AI (Pty) Ltd (trading as Weeva AI)

Company registration number: 2025/148892/07

Registered, physical, and postal address: 4th Floor, 20 The Piazza, Whiteley Road, Melrose, Johannesburg, Gauteng, 2076, South Africa

General enquiries: hello@weeva.ai

Information Officer: Jordan Haskel (hello@weeva.ai)

We have appointed an Information Officer in accordance with the Protection of Personal Information Act, 4 of 2013 ("POPIA"). The Information Officer is responsible for overseeing our compliance with POPIA and for responding to data subject requests and enquiries regarding this Policy.

03 Scope Of This Policy

This Policy applies to personal information processed by Weeva in the following contexts:

Where Weeva provides AI or automation services to a customer (typically an insurer, broker, financial services provider or related organisation) and processes personal information relating to that customer's clients, staff or other data subjects on the customer's behalf, Weeva acts as an Operator (Processor). In those circumstances, the customer is the Responsible Party, and its own privacy policy and our data processing agreement with that customer will govern the relevant processing. Section 12 of this Policy sets out further information about our role as an Operator.

04 Key Definitions

Certain capitalised terms used in this Policy have the meanings given to them below. Where POPIA or the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), ascribes a specific meaning to a term, that meaning applies.

05 Personal Information We Collect

The categories of Personal Information we collect will depend on the nature of your interaction with us. We typically collect the following categories:

5.1 Identity and contact information

Name, job title, employer, business address, business email address, business telephone number, and similar details. Where necessary for contracting or regulatory purposes, we may also collect identity numbers or copies of identification documents of authorised representatives.

5.2 Account and authentication information

If you register for a customer portal or similar account, we collect login credentials (usernames and hashed passwords), multi-factor authentication details, role-based access information, and audit log data (such as login times and IP addresses).

5.3 Transaction and commercial information

Information relating to contracts, orders, invoices, payments, and the performance of services, including billing contact details.

5.4 Technical and usage information

Information collected automatically when you visit our website or use our services, including IP address, device identifiers, browser type and version, operating system, referring URL, pages viewed, time spent, and similar diagnostic data. Further information on cookies and similar technologies is set out in our Cookie Policy.

5.5 Marketing and communications information

Your preferences for receiving marketing communications from us and your engagement with those communications (for example, whether an email is opened or a link is clicked).

5.6 Information you provide directly

Information submitted through contact forms, newsletter sign-ups, demo requests, customer support channels, events, surveys, or other interactions. This may include the content of your enquiry or correspondence and any attachments you choose to share.

5.7 Human resources information

If you apply for a role with us or work for us, we collect information contained in your CV or application, references, background check results (where permitted by law and with appropriate notice), payroll and banking details, and related employment information.

5.8 Special Personal Information

We do not intentionally solicit Special Personal Information through our website. Where Special Personal Information is processed (for example, as part of employment or a regulatory requirement), we will only do so where we have a lawful basis under POPIA or the GDPR.

5.9 Children's information

Our website and services are not directed at children under the age of 18. We do not knowingly collect Personal Information relating to children. If you believe a child has provided us with Personal Information, please contact our Information Officer and we will take steps to delete it.

06 How We Collect Personal Information

We collect Personal Information in the following ways:

Where Personal Information is required to conclude or perform a contract with you or your organisation and you do not provide it, we may be unable to engage with you or deliver the requested product or service.

07 Purposes And Lawful Bases For Processing

We process Personal Information only for specific, explicitly defined, and lawful purposes related to our business. The principal purposes and corresponding lawful bases are:

7.1 Operating our website and providing information about Weeva

We process technical and usage information to operate, secure, and improve our website. Lawful basis: our legitimate interest in presenting, maintaining, and safeguarding our digital presence, and (where applicable) your consent.

7.2 Responding to enquiries and requests

We use your contact details and the content of your enquiry to respond to you, evaluate potential engagements, and provide information about our products and services. Lawful basis: steps taken at your request prior to entering into a contract, and our legitimate interest in responding to enquiries.

7.3 Performance of contracts and delivery of services

We process identity, contact, account, and transaction information to onboard customers, provide and support our products, administer accounts, issue invoices, and receive payments. Lawful basis: performance of a contract, or steps taken prior to concluding one, and compliance with our legal obligations.

7.4 Customer support and service improvement

We process correspondence, support tickets, and usage information to diagnose issues, respond to support requests, and improve our services. Lawful basis: performance of contract and our legitimate interest in improving our offerings.

7.5 Marketing and communications

Where we have a lawful basis to do so, we may send you marketing communications about our products and services that we believe may be of interest to you. You may opt out of marketing communications at any time by following the unsubscribe link in any marketing email or by contacting us at hello@weeva.ai. Lawful basis: consent, or our legitimate interest in marketing to existing customers and business contacts, subject to applicable electronic marketing rules.

7.6 Security, fraud prevention, and network integrity

We process Personal Information to protect our systems, investigate suspected fraud or abuse, and maintain information security. Lawful basis: our legitimate interest in maintaining secure and reliable services and compliance with legal obligations.

7.7 Legal, regulatory, and accounting obligations

We process Personal Information to comply with applicable laws, including tax, accounting, anti-money laundering, and consumer protection legislation, and to establish, exercise, or defend legal claims. Lawful basis: compliance with legal obligations and legitimate interests in protecting our legal rights.

7.8 Recruitment and human resources

We process applicant and employee information to manage recruitment, employment relationships, payroll, benefits, and related obligations. Lawful basis: steps taken prior to entering into a contract of employment, performance of such a contract, and compliance with legal obligations.

7.9 Product development, analytics, and quality assurance

We use aggregated and, where appropriate, de-identified information to understand how our website and services are used and to develop new features. Lawful basis: our legitimate interest in developing and improving our products, subject to appropriate safeguards.

08 AI And Automated Processing

Weeva's products and services make use of artificial intelligence and automation technologies, including machine learning models and large language models supplied by third parties. Where AI or automation is used in the provision of services to a customer, the relevant processing is governed by our contract with that customer and, where applicable, the customer's own privacy notice.

In relation to personal information for which Weeva is the Responsible Party (for example, website visitor data or prospect data), we do not use that information to train third-party AI models, and we do not make decisions producing legal or similarly significant effects about you based solely on automated processing without meaningful human involvement. If you would like further information about any automated processing relevant to you, please contact our Information Officer.

09 Cookies And Similar Technologies

Our website uses cookies and similar technologies to function correctly, to remember your preferences, and to analyse how our website is used. Full details are set out in our Cookie Policy, which explains the categories of cookies we use and how you can manage your preferences.

10 Disclosure And Sharing Of Personal Information

We do not sell Personal Information. We may share Personal Information with the following categories of recipients, in each case subject to appropriate safeguards:

10.1 Service providers and sub-processors

We engage third-party service providers to assist us in operating our business and providing our services. These include:

We require our service providers to process Personal Information in accordance with our instructions, to maintain appropriate security measures, and to only use Personal Information for the purposes we have authorised.

10.2 Group entities and affiliates

We may share Personal Information with our group companies and affiliates (if and when established) on a need-to-know basis, for the purposes described in this Policy.

10.3 Legal and regulatory disclosures

We may disclose Personal Information where required to do so by law, regulation, court order, or a request from a competent authority, or where disclosure is necessary to establish, exercise, or defend legal claims.

10.4 Corporate transactions

In the event of a merger, acquisition, reorganisation, sale, or similar transaction involving all or part of our business, Personal Information may be transferred to the relevant counterparty, subject to appropriate confidentiality and data protection commitments.

10.5 With your consent

We may share Personal Information with other parties where you have consented to such sharing.

11 Cross-Border Transfers Of Personal Information

Some of our service providers are located outside the Republic of South Africa, including in the United States, the European Union, the United Kingdom, and other jurisdictions. As a result, Personal Information may be transferred to, stored in, or otherwise processed in countries that may have data protection laws different from those in your country of residence.

Where we transfer Personal Information across borders, we do so in compliance with section 72 of POPIA and, where applicable, Chapter V of the GDPR. This means we will only transfer Personal Information outside South Africa where:

Where relevant, we use contractual safeguards such as the Standard Contractual Clauses approved by the European Commission or equivalent mechanisms.

12 Weeva As An Operator

Where we provide products or services to a customer (for example, an insurer, broker, or financial services provider), we typically act as an Operator or Processor in respect of Personal Information that the customer makes available to our systems. In those circumstances:

If you believe that your Personal Information is being processed by Weeva as an Operator and you are unsure who the Responsible Party is, please contact our Information Officer and we will endeavour to assist.

13 Information Security

We take the security of Personal Information seriously. We maintain appropriate technical and organisational measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, without limitation:

No method of transmission or storage is completely secure. While we strive to protect Personal Information, we cannot guarantee its absolute security. In the event of a security compromise involving Personal Information, we will notify affected data subjects and the relevant authorities as required by applicable law.

14 Retention Of Personal Information

We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. In determining an appropriate retention period, we take into account the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the Personal Information, and whether we can achieve those purposes through other means.

After the retention period lapses, we will securely delete, destroy, or de-identify the Personal Information, unless we are required to continue to retain it by law. Specific retention periods are set out in our internal retention schedule, a summary of which can be provided on request to our Information Officer.

15 Your Rights

Subject to applicable law, you have the following rights in respect of your Personal Information:

To exercise any of these rights, please contact our Information Officer using the details in section 17. We may need to verify your identity before acting on your request. We will respond to your request within the timeframes required by applicable law. In some circumstances, we may be unable to give effect to your request (for example, if we are required by law to retain the information), in which case we will explain the reasons.

You may request access to Personal Information held by Weeva using Form 2 (PAIA Form), which is available from our Information Officer or the Information Regulator's website, and in accordance with our PAIA Manual.

16 Changes To This Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or best practice. The "Effective date" at the top of this Policy indicates when it was last updated. We encourage you to review this Policy periodically. Where a change is material, we will take reasonable steps to notify you, for example by posting a notice on our website or sending you an email.

17 How To Contact Us And How To Complain

If you have any questions about this Policy, wish to exercise any of your rights, or have any complaints regarding our processing of your Personal Information, please contact:

Information Officer: Jordan Haskel

Email: hello@weeva.ai

Postal address: 4th Floor, 20 The Piazza, Whiteley Road, Melrose, Johannesburg, Gauteng, 2076, South Africa

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

P.O. Box 31533, Braamfontein, Johannesburg, 2017

General enquiries: enquiries@inforegulator.org.za

Complaints (POPIA): POPIAComplaints@inforegulator.org.za

PAIA complaints: PAIAComplaints@inforegulator.org.za

Website: https://inforegulator.org.za

If the GDPR applies to you, you also have the right to lodge a complaint with the data protection authority in your place of habitual residence, place of work, or place of the alleged infringement.

This Privacy Policy was adopted by Choccy AI (Pty) Ltd on 17 April 2026.