Privacy Policy

Effective date: 11 April 2026 · Last updated: 27 April 2026

1. Introduction

This Privacy Policy explains how KJ Hoare, trading as Expanding Insights ("we", "us", or "Expanding Insights"), collects, uses, stores, shares, and protects your personal information when you visit our website at expandinginsights.com (the "Website"), use our client portal at portal.expandinginsights.com (the "Portal"), or otherwise interact with our products and services (together, the "Services").

We take your privacy seriously and handle your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECT Act"), and, where applicable, the EU General Data Protection Regulation and the UK GDPR (together, "GDPR").

In this Policy, "personal information" has the meaning given to it in POPIA and corresponds to "personal data" under the GDPR.

2. Who We Are

The responsible party (as defined in POPIA) and data controller (as defined in the GDPR) for the processing of your personal information is:

  • Entity: KJ Hoare t/a Expanding Insights
  • Information Officer: Kingsley Hoare
  • Email: info@insightsxp.com
  • Location: South Africa

You can contact our Information Officer at the email above for any question about how we handle your personal information or to exercise any of the rights described in section 12.

3. Information We Collect

3.1 Information you provide directly

  • Contact and enquiry details: name, email address, company name, service interest, and the content of any message you send us through a contact form or by email.
  • Account details: email address and authentication credentials when you register for the Portal.
  • Billing and payment information: billing email and transaction metadata such as amount, currency, plan, and purchase date. Full card numbers are collected and stored by our payment gateway, Stitch Money (Pty) Ltd, and are never seen or stored by us.
  • Client Data: any content, files, credentials, API keys, or other information you upload or connect to the Services so that we can deliver them to you. Where credentials and API keys are stored, they are encrypted at rest using AES-256 encryption.
  • Chatbot interactions: if you use our AI chatbot on a customer's website, we collect the messages you send, any contact details you provide (name, email, phone number), your device type, the page URL where you started the chat, and a random visitor identifier stored in your browser. Conversation data is processed by AI to generate responses and may be forwarded to the website owner's CRM if they have configured one.
  • Correspondence: information you share when you email us or otherwise communicate with us.

3.2 Information collected automatically

  • Usage data: pages visited, time on page, click events, referral source, browser type, device type, operating system, language, and screen size.
  • Device and log data: IP address, access times, user-agent strings, and diagnostic logs collected by our hosting providers (Google Cloud Platform, Firebase, and Vercel).
  • Cookies and similar technologies: see section 7 below.
  • Session identifiers: a random session ID stored in your browser's local storage to link together the events of a single visit for analytics purposes.

3.3 Information from third parties

  • Stitch Money: payment confirmation, subscription status, card brand, last-four card digits, and related transaction metadata.
  • Meta (Facebook): advertising attribution parameters (such as fbclid, _fbp, and _fbc) that let us measure the effectiveness of our campaigns.
  • Analytics providers: aggregated or session-level usage data about how visitors interact with the Website.

4. How We Use Your Information

We process personal information for the following purposes:

  1. Providing the Services: to operate, maintain, and improve our AI, automation, and business-intelligence services.
  2. Account management: to create and authenticate Portal Accounts, manage Subscriptions, and provide customer support.
  3. Billing: to process payments, issue invoices, handle refunds, and detect and prevent payment fraud.
  4. Communication: to respond to enquiries, send service-related notifications (for example, about billing, security, or changes to these terms), and handle support requests.
  5. Marketing: where you have given consent or we rely on a legitimate interest, to send you occasional updates about our products and measure the effectiveness of our marketing. You can opt out at any time (see section 8).
  6. Analytics and improvement: to understand how visitors use the Website and Portal and to improve the user experience.
  7. Legal compliance: to comply with applicable laws, regulations, tax obligations, and legal processes.
  8. Security: to detect, prevent, and respond to fraud, abuse, security incidents, and threats to the integrity of our Services.

6. Sharing and Sub-processors

We do not sell your personal information. We share it only:

  • With trusted service providers who help us operate the Services and who are contractually required to protect your data and process it only on our instructions.
  • When required by law, regulation, court order, or to protect our legal rights, the rights of our users, or the integrity of the Services.
  • In connection with a merger, acquisition, restructuring, or sale of all or part of our business, subject to reasonable notice to affected users.

Key sub-processors

The main third parties we share personal information with are:

  • Google Cloud Platform / Firebase — hosting, authentication, database, and cloud functions (europe-west2 region). This includes Google Gemini AI, which processes chatbot conversations to generate responses.
  • OpenAI — AI content generation for our SEO Elevate AI and Website Crawler services. Website content and service configuration data are sent to OpenAI for processing.
  • Vercel — marketing website hosting and content delivery network.
  • Stitch Money (Pty) Ltd — payment gateway and card processing.
  • Meta Platforms Ireland Ltd — Meta Pixel and Conversions API for advertising measurement.
  • Microsoft — Clarity for session recording and heatmap analytics, and Office 365 for transactional and support email delivery.
  • CRM platforms (where configured by you) — if you connect a CRM integration (such as Monday.com or HubSpot), lead data captured by the chatbot (name, email, phone, and conversation history) is sent to your chosen CRM.
  • Calendly — embedded scheduling widget for booking consultations.

7. Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit a website. We also use similar technologies such as local storage and pixels. The categories we use are:

  • Strictly necessary: required for the Website and Portal to function, including authentication tokens and session identifiers. These cannot be disabled.
  • Analytics: help us understand how visitors interact with the Website (for example, Microsoft Clarity session recordings and our own first-party visit tracking).
  • Advertising: used by Meta Pixel to measure the effectiveness of our campaigns on Facebook and Instagram and to show relevant content.
  • Functional: remember your preferences (such as theme or layout settings).

You can manage cookies through your browser settings, and you can opt out of Meta advertising cookies by adjusting your ad preferences at facebook.com/adpreferences. Disabling strictly necessary cookies may prevent parts of the Services from working properly.

8. Marketing Communications

We may send you marketing communications where you have given consent or where we have an existing customer relationship and are relying on a legitimate interest permitted by law. Every marketing email includes a one-click unsubscribe link, and you can also opt out at any time by emailing info@insightsxp.com. Opting out of marketing does not stop essential service-related messages such as billing notices or security alerts.

9. Data Retention

We keep personal information only for as long as is necessary to fulfil the purposes set out in this Policy, unless a longer retention period is required or permitted by law. In particular:

  • Account data: retained for the duration of your Account and for a reasonable period after closure, to handle support queries and disputes.
  • Billing and tax records: retained for the period required by South African tax and accounting law (currently a minimum of 5 years).
  • Website analytics data: visit data (including IP addresses, device identifiers, and page URLs) retained for up to 26 months, after which it may be aggregated or anonymised.
  • Chatbot conversations: retained for the duration of the website owner's subscription to provide conversation history and analytics.
  • Contact form submissions: retained for up to 24 months after the last interaction.

10. Data Security

We take appropriate technical and organisational measures to protect your personal information, including:

  • Encryption of data in transit using TLS (HTTPS) and of sensitive data at rest.
  • Encryption of API keys and other secrets at rest using AES-256 encryption.
  • Database security rules that block all direct client access, so that personal information can only be read or written through authenticated backend APIs.
  • Role-based access controls and the principle of least privilege for all service accounts and human operators.
  • Regular dependency updates, security reviews, and logging of administrative actions.

Despite these measures, no method of transmission or storage is completely secure. If we become aware of a security compromise that is likely to cause a real risk of harm to affected individuals, we will notify the Information Regulator and affected users as required by POPIA.

11. International Transfers

Our Services are hosted on Google Cloud Platform (europe-west2 region, London, United Kingdom), Firebase (Google's global managed services), and Vercel (global content delivery network). Some of our sub-processors (such as Meta and Microsoft) also process data in jurisdictions outside South Africa.

Where we transfer personal information outside the Republic of South Africa, we rely on one or more of the safeguards recognised under section 72 of POPIA, including:

  • Transfers to countries and organisations with binding rules offering an adequate level of protection.
  • Contractual clauses with sub-processors that impose POPIA-equivalent obligations.
  • Your explicit consent, where the transfer is necessary for you.

Where the GDPR applies, we rely on standard contractual clauses or other approved transfer mechanisms.

12. Your Rights

Depending on your location, you have the following rights in respect of your personal information:

  • Access: to request confirmation of whether we hold personal information about you and, if so, a copy of it.
  • Correction: to ask us to correct inaccurate or incomplete information.
  • Deletion: to ask us to delete personal information we no longer have a lawful basis to keep, subject to statutory retention requirements.
  • Restriction: to ask us to limit how we process your personal information in certain circumstances.
  • Objection: to object to processing based on a legitimate interest, including direct marketing, at any time.
  • Portability: to receive your personal information in a structured, commonly used, and machine-readable format, where processing is based on consent or contract and is carried out by automated means.
  • Withdraw consent: to withdraw any consent you have previously given, at any time, without affecting the lawfulness of prior processing.
  • Not be subject to automated decisions: to ask that any significant decision about you is not based solely on automated processing, where the law requires human review.

To exercise any of these rights, email our Information Officer at info@insightsxp.com. We will respond within 30 days, or sooner if required by law. There is normally no fee, but we may charge a reasonable fee or refuse manifestly unfounded or excessive requests, as permitted by law.

13. Children's Privacy

The Services are not directed at children under the age of 18 and we do not knowingly collect personal information from them. If you believe we have collected personal information about a child without appropriate consent, please contact us and we will delete it.

14. Complaints

If you believe your personal information has been processed in breach of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:

If you are in the EU, EEA, or the United Kingdom, you may also lodge a complaint with your local data-protection authority. We would appreciate the chance to address your concern directly before you approach a regulator, so please contact us first if you are able to.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on this page with a revised "Last updated" date, and, where appropriate, by notifying you directly. We encourage you to review this Policy periodically. Your continued use of the Services after an update constitutes acceptance of the revised Policy.

16. Contact

For any question about this Privacy Policy or our data practices: