LTV Labs
POPIA-compliantEffective 27 May 2026

Operator Agreement

LTV Labs SA (Pty) Ltd · Registration 2026/383498/07

This Operator Agreement ("Agreement") is the written contract required by POPIA Sections 20 and 21, governing LTV Labs' processing of personal information on behalf of the Customer. It forms part of the Terms of Service and is incorporated by reference into your subscription contract. The Customer accepts this Agreement on signup; existing tenants accept it on next sign-in after a version bump.

1. Roles under POPIA

With respect to end-customer personal information processed through the LTV Labs service:

  • The Customer is the Responsible Party as defined in POPIA Section 1.
  • LTV Labs is the Operator as defined in POPIA Section 1.

The Customer determines the purpose and means of processing, subject to the constraints of the LTV Labs software. LTV Labsprocesses only on the Customer's documented instructions, expressed through the Customer's ordinary use of the service.

With respect to Customer-facing data (user accounts, billing, subscription records, support communications), LTV Labs is the Responsible Party. See the Privacy Policy for that treatment.

2. Subject matter and duration

  • Subject matter:WhatsApp messaging delivery, contact management, campaign delivery, unified inbox, rule-based chatbot flow engine, audit logging, and related SaaS functionality on the Customer's behalf.
  • Duration:the term of the Customer's subscription, plus the 90-day post-cancellation deletion window described in Section 11 below.

3. Nature and purpose of processing

Delivery of WhatsApp messages, receipt and storage of replies, logging of delivery and read status, storage of contact lists and opt-in / opt-out / repermission records, aggregation of analytics, enforcement of platform-level safeguards described in the Acceptable Use Policy, and automated rule-based chatbot flows for customer interaction.

4. Types of personal information

  • Phone numbers (E.164) of end-customers
  • Names and surnames of end-customers
  • Email addresses (optional, where supplied)
  • Physical or business addresses (where supplied by the Customer)
  • Other contact attributes and custom fields the Customer chooses to store (e.g. tags, segment labels, transactional metadata)
  • WhatsApp profile display names (Meta-supplied at message time)
  • Message content (inbound and outbound)
  • Message timestamps, delivery and read receipts, error codes
  • Opt-in, opt-out, and repermission event records (POPIA evidence trail)
  • Campaign interaction metadata
  • Lawful-basis attestation records — which user attested, when, and on which import

5. Categories of data subjects

  • End-customers and contacts of the Customer to whom the Customer has a lawful basis under POPIA to send WhatsApp messages
  • Other contacts the Customer has lawfully obtained for direct marketing, transactional, or service-delivery purposes

6. LTV Labs' obligations as Operator (POPIA s20–21)

LTV Labs will:

  • Process personal information onlywith the knowledge or authorisation of the Customer, and only on the Customer's documented instructions, except as required by law.
  • Implement and maintain appropriate, reasonable technical and organisational security measures as required by POPIA Section 19. Specific safeguards: AES-256-GCM encryption-at-rest for sensitive credentials (WABA access tokens, 2FA PINs, and other tenant API keys), HTTPS-only public surfaces, signed webhooks (HMAC-SHA256 with strict-mode rejection of unsigned or bad-signature payloads), per-tenant row-level security isolation of contact and message data, audit logging of administrative actions.
  • Treat personal information as confidential and ensure that any personnel authorised to process it are bound by confidentiality obligations.
  • Notify the Customer without undue delayon becoming aware of any security compromise affecting the Customer's data, so the Customer can fulfil its own obligations under POPIA Section 22.
  • Assist the Customer, on reasonable request and at the Customer's cost where non-trivial work is required, in responding to data subject requests, regulator investigations, and breach notifications.
  • Make available information reasonably necessary for the Customer to demonstrate compliance with its own POPIA obligations.
  • Not engage a subprocessorfor the processing of end-customer personal information without the Customer's general prior authorisation, which is hereby given for the subprocessors listed in Section 8 below. We will notify Customers at least 30 days before adding or replacing a material subprocessor; the Customer may object by cancelling its subscription before the change takes effect.
  • On termination, return or delete end-customer personal information per Section 11 below.

7. Customer's obligations as Responsible Party

The Customer is the sole Responsible Party under POPIA for all end-customer personal information processed through LTV Labs, and bears sole legal accountability to data subjects, the Information Regulator, and any other authority for compliance with POPIA in relation to that data. LTV Labs' role is limited to acting as Operator on the Customer's documented instructions, per Section 1 above.

The Customer warrants that:

  • It has a valid lawful basis under POPIA Section 11 for every piece of personal information it imports, generates, or processes through LTV Labs — typically consent under s11(1)(a), contract under s11(1)(b), or legitimate interest under s11(1)(f) read with s69(3) for direct marketing where there is a documented relationship.
  • It maintains verifiable records of that lawful basis for at least 3 (three) years, in a form sufficient to satisfy a request from the Information Regulator. This is the consent / lawful-basis record-of-decision that an audit will ask for.
  • It has informed its end-customers in a POPIA-compliant privacy notice of the processing carried out through LTV Labs, including the fact that LTV Labs acts as Operator.
  • It will respond to end-customer data subject requests under POPIA s23–s25 within the timeframes set by POPIA, in its capacity as Responsible Party. LTV Labs will assist as described in Section 6 but does not directly answer such requests.
  • It will not instruct LTV Labsto process personal information in a manner that would breach POPIA, the WhatsApp Business Messaging Policy, or any other applicable law. Instructions that would do so are deemed null and not part of the Customer's "documented instructions" under Section 1.
  • Lawful-basis attestations submitted at import time are true and complete to the best of the attesting user's knowledge.

8. Authorised subprocessors

The following subprocessors are authorised by the Customer under Section 6 above. LTV Labs engages each only to the extent necessary for the service:

SubprocessorPurposeLocation
Meta Platforms Ireland Ltd / Meta Platforms Inc.WhatsApp Business Platform message delivery and webhook ingressIreland (controller); United States (sub-processing for global delivery)
PayFast (Pty) LtdSubscription billing for Customer-facing payments only — no end-customer personal information passes to PayFastSouth Africa
VPS infrastructure providerHosting of the LTV Labs application and databaseSouth Africa

9. Cross-border transfers

The Customer acknowledges and authorises that end-customer personal information will be transferred to Meta Platforms Ireland Limitedand to its affiliates (including Meta Platforms, Inc. in the United States) as part of the WhatsApp Business Platform delivery infrastructure. The transfer is performed under Meta's Standard Contractual Clauses and is justified under POPIA Section 72(1)(a) (recipient is bound by binding corporate rules / binding agreements that provide adequate protection) and s72(1)(c) (consent of the data subject — captured by the Customer at its first-touch send via the in-message opt-out and embedded privacy notice, where relied on).

10. Assistance with data subject requests

If an end-customer contacts LTV Labs directly to exercise a right under POPIA s23–s25, we will:

  • Identify the Customer that processes the data;
  • Forward the request to the Customer without undue delay;
  • Confirm receipt to the data subject;
  • Where the Customer does not respond to the data subject within a reasonable period, follow up with the Customer.

LTV Labsdoes not itself answer the substantive request — that is the Customer's role as Responsible Party.

11. Return or deletion at end of service

On termination or expiry of the Customer's subscription, and subject to the Customer's election:

  • Export: the Customer may request a CSV export of its contact lists, message history, and audit trail within 30 days of cancellation. Export is provided at no charge for the first request.
  • Deletion: LTV Labs will delete all end-customer personal information processed as Operator within 90 days of cancellation, except where we are required by law to retain it (notably tax records under SARS retention rules — see Privacy Policy Section 7).

On deletion, the Do Not Contact list is retained indefinitely at the phone-number level (no PII beyond the number) so that opt-outs are honoured across future subscriptions by any Customer using LTV Labs. This is treated as a privacy-preserving measure: the cost is keeping a list of numbers; the benefit is that an opt-out is permanent.

12. Audit rights

The Customer may, on at least 30 days' written notice and no more than once per calendar year, request a written summary of LTV Labs' technical and organisational measures. For Customers under regulator investigation, additional audit access may be agreed in writing on a per-case basis. The Customer bears its own costs.

13. Notice of changes

LTV Labsmay update this Agreement from time to time. Material changes will be notified by email at least 30 days before taking effect, with a banner on the Customer's LTV Labs dashboard, and a re-acceptance gate at next sign-in. If you do not agree with a change, you may cancel your subscription before it takes effect; the existing terms govern the cancellation.

14. Effective date

This Agreement is effective as of 27 May 2026, version 2026-05-27.

15. Contact

Operator-side contact (LTV Labs)

Information Officer: Willem Reynders
Email: info@ltvlabs.co.za
Postal: LTV Labs SA (Pty) Ltd, 394 Walter Sisulu Lane, Miederpark, Potchefstroom, North West, 2531, South Africa

LTV Labs SA (Pty) Ltd
Registration: 2026/383498/07
Jurisdiction: North West High Court, Mahikeng, South Africa | Last updated: 27 May 2026