Privacy Policy

1. Who We Are

HOPEKESEGOTRUSTFIRM (PTY) LTD (“PulaIndex”, “we”, “us”) operates an online research marketplace connecting researchers with study participants across Southern Africa. We are registered in South Africa and act as a Responsible Party under the Protection of Personal Information Act, 2013 (“POPIA”) for the personal information we collect to operate the platform. Where you are based in the EU/UK, we also align with the GDPR/UK GDPR principles.

Our Information Officer can be reached at legal@pulaindex.com.

2. Scope

This policy covers personal information we process about account holders (researchers, participants and admins). It does not cover personal information collected directly by researchers inside their own external study tools (e.g. Google Forms, Typeform, Qualtrics). For that data the researcher is the independent Responsible Party / Controller and you should review their privacy notice.

3. Information We Collect

• Account information: Name, email address, password and authentication tokens managed via Clerk.
• Participant profile: Country, city, age, gender, education, employment, language, English proficiency, device type, internet reliability, task interests and any optional demographic fields you choose to provide.
• Researcher profile: Project metadata.
• Financial information. Wallet balances, transaction history, and bank or payout details for participant payouts. We do not store full card numbers. Card payments are tokenised by our payment processor.
• Study participation data: Studies viewed, started, completed, completion codes, submission status, and review outcomes.
• Device, log & technical data: IP address, browser, device fingerprint signals, pages visited, actions taken and timestamps. Used for security, fraud prevention, performance and analytics.
• Communications: Support tickets, emails and any other messages you send us.
• Cookies & similar technologies: Strictly necessary cookies for authentication and CSRF protection; analytics cookies (PostHog) for product usage; no advertising cookies.

What we do NOT collect

• We do not record your webcam, microphone, screen, keystrokes or biometric data. Studies on PulaIndex are link-out studies; any audio/video capture happens (if at all) inside the researcher’s own external tool, governed by their privacy notice.
• We do not store full payment card numbers. Cards are tokenised by our payment processor.
• We do not collect special-category data (health, religion, political opinions, sexual orientation) unless you voluntarily provide it for a specific study and consent to its use.

4. Why We Use It (Lawful Basis)

• Performance of contract. To operate the platform, match participants to studies, process wallet funding and payouts, and provide support.
• Consent. For sensitive demographics, research participation invitations, and optional marketing emails. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legitimate interest. For fraud prevention, abuse detection, account security, anti-money-laundering checks, and product improvement using de-identified data. We balance these interests against your rights and you may object (Section 7).
• Legal obligation. To keep financial records, respond to lawful requests by regulators, courts and tax authorities, and meet POPIA accountability duties.

5. Who We Share Data With

We do not sell your personal information. We share data only with:

• Researchers: Only your anonymised participant ID, demographic match signals and submission status. Researchers do not see your name, email address or bank details through PulaIndex.
• Service providers (Operators / Processors): see the sub-processor list below. All are contractually bound to protect your data and process it only on our instructions.
• Professional advisors: Lawyers, accountants and auditors under duty of confidentiality.
• Authorities & courts: Where required by law, court order, or to protect the rights, property or safety of PulaIndex, our users or the public, including in connection with fraud investigations.
• Successors in interest: A buyer or successor in the event of a merger, acquisition, restructuring or sale of all or part of our business, subject to equivalent privacy protections.

We update this list as our infrastructure changes. Continued use of the platform after an update constitutes acknowledgement.

6. International Transfers

Some of our service providers operate outside South Africa. Where we transfer personal information across borders, we rely on POPIA-compliant safeguards (including binding corporate rules, standard contractual clauses, or your explicit consent) and on receiving countries that provide a comparable standard of protection.

7. Your Rights

Subject to applicable law, you have the right to:

• Access the personal information we hold about you;
• Request correction of inaccurate or incomplete information;
• Request deletion of your account and personal data, subject to retention duties below;
• Object to processing based on legitimate interest, including for fraud analytics;
• Withdraw consent for marketing emails (one click in any marketing email) and for optional profile fields;
• Request data portability of information you provided to us;
• Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za) or, if applicable, your local data protection authority.

To exercise these rights, email legal@pulaindex.com from your account email. We respond within 30 days. We may need to verify your identity before acting on a request.

8. Data Retention

• Account & profile data: while your account is active and for up to 12 months thereafter to allow recovery and dispute resolution.
• Financial records (wallet, transactions, payouts, fees): retained for at least 5 years as required by South African tax and financial-record-keeping laws.
• Audit logs and fraud signals: up to 7 years for accountability, dispute resolution and abuse prevention.
• De-identified analytics data: indefinitely, as it can no longer be linked to you.

You may request earlier deletion at any time; we will honour it unless retention is required by law or to defend a legal claim.

9. Security

We use industry-standard security measures including TLS encryption in transit, encryption at rest for sensitive fields, role-based access controls, multi-factor authentication for staff, audit logging, automated anomaly detection, and regular backups. No system is completely secure; you are responsible for keeping your account credentials confidential and notifying us immediately of suspected compromise.

10. Breach Notification

If we become aware of a security compromise that involves the unauthorised acquisition or disclosure of your personal information, we will notify the Information Regulator of South Africa as soon as reasonably possible (and within 72 hours where required by applicable law). We will also notify affected users without undue delay where the compromise is likely to result in a real risk to their rights, providing the nature of the breach, likely consequences, and the measures we have taken or propose to take.

11. Cookies & Tracking Technologies

We use a small number of cookies and similar technologies, grouped as follows:

• Strictly necessary. Authentication session, CSRF protection, load balancing. These cannot be turned off without breaking the platform.
• Functional. Remembering UI preferences such as theme.
• Analytics. PostHog cookies and tokens for aggregated, pseudonymised product-usage analytics. Used under our legitimate interest in improving the product. You can opt out at any time from your settings.

We do not run advertising cookies, third-party retargeting tags, or sell behavioural data to third parties.

12. Children

PulaIndex is not directed to children. We do not knowingly collect personal information from anyone under 18 (or the local age of majority, whichever is greater). If you believe we have collected information from a child, contact us and we will delete it.

13. Automated Decisioning

We use automated rules to detect fraud (duplicate accounts, suspicious patterns, VPN/proxy signals) and to match participants to studies. These do not produce legal effects on you, but you may request human review of any account suspension by emailing support@pulaindex.com.

14. AI & Machine Learning

PulaIndex does not use your personal information, study submissions, audio, video or any content you generate to train third-party generative AI models, and we do not sell or licence your data to model providers. We use a small number of internally-tuned, deterministic rules and de-identified aggregate metrics to power fraud detection and participant matching; you may request human review of any decision that affects your account. Any AI processing performed by researchers inside their own external study tools is governed by the researcher’s own privacy notice, not this one.

PulaIndex-published studies (PulaIndex acting as Researcher). PulaIndex may from time to time publish its own studies in the marketplace, including studies whose purpose is to collect data to train or evaluate our own machine-learning models (for example, fraud-detection or matching models). When this happens we are bound by the same rules as any third-party researcher: the study is separately listed, the AI/ML purpose is disclosed in the study description and in a study-specific consent, participation is voluntary and separately compensated, and only data collected inside that specific study is used. We do not reach into unrelated studies, your profile activity, your messages, or your wallet to harvest training data. You can decline any such study with no effect on your standing on the platform.

15. Changes to this Policy

We may update this policy from time to time. Material changes will be notified by email and via an in-product re-acceptance prompt. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

16. Contact Us

For privacy questions or to exercise your rights, contact our Information Officer at legal@pulaindex.com.

17. Third-Party Data Attribution

City and province data used in our location pickers is sourced from GeoNames and is licensed under Creative Commons Attribution 4.0 (CC BY 4.0).