Privacy Policy
Last updated: 6 May 2026
1. Introduction
Aqerra™ ("we", "us", "our") is operated by Werner Rall. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the Protection of Personal Information Act, 2013 (POPIA) and the Electronic Communications and Transactions Act, 2002 (ECT Act) of the Republic of South Africa.
By using Aqerra, you consent to the practices described in this policy.
2. Information We Collect
We collect only the minimum information required to perform fraud risk checks:
- Check inputs: URLs, phone numbers, email addresses, or bank details (account number, account holder name, account type) you voluntarily submit for risk scanning
- SA ID number (optional): If you choose to run the optional live bank-rail checkon the Bank tab, the SA ID number you enter is transmitted in real time to VerifyNow (our accredited bank-rail verification partner) for matching against the account holder’s records at their bank. We do notstore SA ID numbers in our database, logs, or check history. The ID number is used only for the single verification request and is discarded as soon as the result is returned.
- Scam reports: Information you choose to submit when reporting a suspected scam
- Technical data: IP address, browser type, and device information collected automatically for security and rate-limiting purposes
We do not collect or store passwords, PINs, card numbers, CVVs, or login credentials for any third-party service. SA ID numbers are only processed transiently when you explicitly request a live bank-rail verification, and are never persisted by Aqerra.
3. How We Use Your Information
- To perform fraud risk assessments and return results to you
- To aggregate anonymised scam intelligence for community protection
- To prevent abuse of the platform (rate limiting, bot detection)
- To improve our risk scoring models using anonymised, aggregated data
We will never sell your personal information to third parties, use it for marketing without your consent, or share individually identifiable data without a lawful basis.
4. Third-Party Data Sources
To generate risk scores, we query external services on your behalf. Your check input (e.g. a URL or email address) may be transmitted to:
- RDAP/WHOIS registries (domain age verification)
- DNS resolvers (mail server and domain verification)
- Google Safe Browsing API (phishing and malware detection)
- VirusTotal (multi-engine URL/file reputation)
- NumVerify (international phone number validation)
- VerifyNow(South African real-time bank-rail account verification — only invoked when you explicitly opt in by providing an SA ID number and account type on the Bank tab; transmits account number, account holder name, SA ID number, and account type to the holder’s bank via VerifyNow’s accredited rails for an existence / identity / name match)
- Azure AI Foundry (optional AI-powered analysis when you opt in to the “Include AI analysis” toggle)
These services have their own privacy policies. We transmit only the specific data point being checked, no additional personal information is shared.
5. Data Retention
- Check results: Retained for up to 90 days, then automatically deleted
- Scam reports: Retained for the purpose of community protection until manually withdrawn or moderated
- Technical logs: Retained for up to 30 days for security purposes
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for stored data
- Rate limiting and abuse prevention
- Input validation and sanitisation on all submissions
- No personal information in application logs
7. Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Request access to the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Object to the processing of your personal information
- Withdraw consent previously given
- Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, contact us at admin@aqerra.co.za. We will respond within 30 days.
How to Submit a Request (DSAR)
- Email admin@aqerra.co.za with subject line "DSAR Request"
- Include your full name, the email or phone number used with Aqerra, and the specific right you wish to exercise
- We will verify your identity before processing the request
- Response time: within 30 days of receiving a verified request
- If we cannot fulfil your request, we will explain why in writing
7a. Security Incident & Breach Notification
We follow the breach-notification timelines required by POPIA section 22 and align with international good practice (NIST SP 800-61, ISO 27035). If we discover a security compromise that has (or reasonably could have) exposed your personal information, we will:
- Within 24 hours of confirming an incident: activate our internal incident response, contain the scope, and preserve forensic evidence
- Within 72 hours: notify the Information Regulator of South Africa (inforegulator.org.za) and any affected data subjects, by email and through a banner on aqerra.co.za
- Within 30 days: publish a public post-incident report describing what happened, what data was affected, what we did to contain it, and what we are doing to prevent recurrence
Reporting a Suspected Breach to Us
If you believe you have discovered a security vulnerability or data leak in any Aqerra service, please disclose it responsibly:
- Email admin@aqerra.co.za with subject line "SECURITY Disclosure"
- Describe the issue, steps to reproduce, and any evidence
- Do not publicly disclose the issue until we have had reasonable time to remediate (we aim to acknowledge within 24 hours and remediate within 30 days)
We do not currently operate a paid bug-bounty programme but will publicly credit researchers who follow responsible disclosure.
8. Cookies
Aqerra uses only essential cookies required for the site to function (e.g. session management). We do not use advertising or tracking cookies. No third-party analytics or tracking scripts are loaded.
9. Children
Aqerra is not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has submitted data to us, please contact us immediately for deletion.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the website. Continued use of Aqerra after changes constitutes acceptance of the updated policy.
11. Mobile App, Browser Extension & WhatsApp Bot
Aqerra is also distributed as a mobile application (Android and iOS), a browser extension (Chrome and Edge), and a WhatsApp bot. The same privacy principles described above apply across all surfaces. This section discloses the additional, surface-specific data handling required by Google Play, Apple App Store, Huawei AppGallery and Microsoft Edge Add-ons review processes.
11.1 Mobile app (iOS / Android / Huawei)
- Data collected: the check inputs you submit (URL, phone number, email, SMS text, bank details), and, if you sign in, your account email and the daily counter used to enforce free / Pro tier limits.
- Data NOT collected: we do not access your contacts, calendar, photos, location, microphone, camera, SMS messages on your device, call logs, files, or any other system data. The app reads no data automatically, only what you intentionally submit through a check or share-to-Aqerra action.
- Sharing: none. Submitted data is processed by Aqerra and the third-party sources listed in section 4 only for the purpose of returning a risk score.
- Encryption: all data is transmitted over HTTPS (TLS 1.2+). Sensitive credentials are stored only in the OS-managed secure store on the device.
- Children: the mobile app is not directed at users under 18.
- In-app purchases: the mobile app does not sell digital goods or subscriptions inside the app. Pro subscriptions and credits are purchased exclusively on aqerra.co.za and processed by Stitch (regulated South African payment service provider) over secure HTTPS.
- Push notifications: the app does not send push notifications in the current version. If push is added in future, it will be opt-in.
- Account deletion: you can permanently delete your account and associated data at any time, either in-app via your account page (Delete account), through our account deletion page, or by emailing admin@aqerra.co.za. Deletion requests are honoured within 30 days as required by POPIA.
11.2 Browser extension (Chrome / Edge / Brave)
- Permissions and why we need them:
contextMenus: to add the "Check with Aqerra" right-click menu items.activeTab: to read the URL of the current tab when you invoke the extension.storage: to cache your last result so the popup can display it without a second API call.notifications: to show a system notification with the risk verdict.tabs: to open the Aqerra connect-account page in a new tab.host_permissionsforaqerra.co.za: to communicate with the Aqerra fraud risk API.content_scriptsmatches<all_urls>, strictly so the hover-warning badge can appear on any link you intentionally hover over for at least 800 ms. The content script is passive: it never auto-scans pages, never reads page content, cookies, form data, or any other DOM, and never sends data to Aqerra except a single URL when you intentionally hover.
- Hover-warning cache:hover lookups are cached for 10 minutes in the extension's in-memory store (cleared when the service worker shuts down) to minimise API traffic. The cache holds at most 200 URLs and is never persisted to disk.
- No telemetry: the extension makes no telemetry calls other than user-initiated check requests to the Aqerra API.
11.3 WhatsApp bot
- Phone number: the WhatsApp bot identifies you by your verified WhatsApp E.164 phone number. We use this only to enforce daily check limits and, optionally, to bind your WhatsApp number to your Aqerra account when you type
link. - Messages: only messages you actively send to the Aqerra WhatsApp number are received. We process the message text only to perform the requested check.
- Meta WhatsApp Business API:message transport is via Meta's WhatsApp Business Cloud API. Meta's privacy policy applies to that transport layer independently of ours.
- Compliance:Aqerra respects WhatsApp's 24-hour customer-service window and does not send unsolicited promotional messages.
For Google Play's Data Safety form, Apple's App Privacy disclosures, Microsoft Edge Add-ons disclosures and Huawei AppGallery declarations: Aqerra collects user-submitted check inputs and account email (when signed in); does not share data with third parties for marketing or advertising; encrypts all data in transit; and supports user-initiated account and data deletion within 30 days.
12. Information Officer
Name: Werner Rall
Email: admin@aqerra.co.za
Information Regulator of South Africa: inforegulator.org.za