Privacy Policy

Last updated: 10 June 2026  ·  Effective date: 10 June 2026

LetterUp is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR). This policy explains what we collect, why, and what rights you have.

1. Who We Are

LetterUp is an AI-powered document drafting platform operated from South Africa. We are the Responsible Party under POPIA for all personal information processed through this platform.

Our designated Information Officer is responsible for ensuring LetterUp's compliance with POPIA and can be contacted using the details in Section 13.

2. What Personal Information We Collect

2.1 B2C Users (Individual letter generation)

  • Information you provide: The details of your complaint — including the name and address of the recipient company, a description of your situation, and your desired outcome. We do not collect your name or email address for B2C letter generation.
  • Technical information: IP address (for rate limiting and abuse prevention), browser type, and the date and time of your request.

2.2 B2B Users (Business Portal accounts)

  • Account information: Business name, your name (optional), email address, password (stored as a one-way hash — we cannot read it), and the date and time you consented to these terms.
  • Business profile: Company address, signatory details, logo, brand colours, and banking details (if you choose to provide them for letterhead purposes).
  • SMTP credentials: If you configure email sending, your SMTP host, username, and password. Passwords are encrypted at rest using AES-256-GCM.
  • Generated documents: The letters and agreements you generate, including the form inputs used to create them.
  • Contact records: Names, email addresses, and physical addresses of your customers that you add to the Customers directory.
  • Payment information: Billing is handled entirely by PayFast. We do not store card numbers or bank account details. We retain PayFast transaction IDs and subscription status.
  • Usage data: Which features you use, when, and approximate API token consumption per generation.

2.3 Cookie and tracking information

  • Session cookies: A secure, HTTP-only cookie used to keep you logged in to the Business Portal. This cookie contains no personal information — only a random token that references your server-side session.
  • Consent cookie: A local storage item that records whether you have acknowledged this cookie notice.
  • Email open tracking: If you send a letter via the Business Portal, a single 1×1 pixel image is embedded in the email. If the recipient opens the email, we record the date and time of first open. We do not track location or device details beyond what an email client naturally sends when loading an image.

We do not use advertising cookies, behavioural tracking, or third-party analytics on this website.

3. Why We Collect This Information

| Purpose | Lawful basis (POPIA) |
| --- | --- |
| Provide the document drafting service | Performance of contract / legitimate interest |
| Create and manage your account | Performance of contract |
| Process subscription payments | Performance of contract / legal obligation |
| Send transactional emails (letters, receipts, notifications) | Performance of contract / consent |
| Prevent abuse and fraud (rate limiting, security) | Legitimate interest |
| Improve the AI pipeline and document quality | Legitimate interest (aggregated, non-identifiable) |
| Comply with legal obligations | Legal obligation |

4. How We Use AI to Process Your Information

When you generate a letter or agreement, the details you enter (names, addresses, incident descriptions) are sent to Anthropic's Claude API to produce your document. Anthropic processes this data as our sub-processor under a data processing agreement. Anthropic does not use your inputs to train their models. For more information, see Anthropic's Privacy Policy.

We do not store the raw inputs after the document is generated — only the final document and the structured field values used to produce it.

5. Who We Share Your Information With

We do not sell, rent, or trade your personal information. We share data only with:

  • Anthropic — AI model provider (sub-processor). Used solely for document generation.
  • PayFast — Payment processor. Handles all card and EFT transactions. PayFast Privacy Policy.
  • Microsoft Azure — Cloud infrastructure provider (servers and database hosted in South Africa North, Johannesburg). Microsoft Privacy Statement.
  • Your configured SMTP provider — When you use the "Send via Email" feature, emails are dispatched through the SMTP credentials you have provided. We do not access or store email content after sending.
  • Law enforcement or regulators — If required by law, court order, or to protect our legal rights.

6. Data Retention

  • Account and business data — Retained for the duration of your subscription and for 3 years after account closure, unless you exercise your right to erasure.
  • Generated letters and agreements — Retained for the duration of your account. When you delete your account, your documents are anonymised (your user association is removed) and retained for 12 months for business record purposes, then permanently deleted.
  • Payment records — Retained for 5 years to comply with tax and financial reporting obligations.
  • B2C generation data — IP address logs are retained for 30 days for abuse prevention. Generated document content is not stored after download unless the user is also a B2B subscriber.
  • Authentication tokens — Refresh tokens expire after 30 days and are automatically purged.

7. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

Right of Access

Request a copy of all personal information we hold about you.

Right to Correction

Request correction of inaccurate or incomplete information.

Right to Erasure

Request deletion of your account and personal data ("right to be forgotten").

Right to Data Portability

Export all your data in a machine-readable format (JSON).

Right to Object

Object to processing based on our legitimate interests.

Right to Withdraw Consent

Withdraw consent at any time — this does not affect prior lawful processing.

How to exercise your rights

Business Portal users: You can export your data and delete your account directly from within the portal (Settings → Account). Data export produces a JSON file containing your profile, generated documents, and customer contacts.

All users: Email privacy@letterup.co.za with the subject line "POPIA Rights Request". We will respond within 30 days. We may ask you to verify your identity before processing the request.

Complaints: If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:

  • Website: justice.gov.za/inforeg
  • Email: inforeg@justice.gov.za
  • Tel: 010 023 5207

8. Security

We implement appropriate technical and organisational measures to protect your personal information:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed using bcrypt (cost factor 12) — we cannot read your password.
  • SMTP passwords are encrypted at rest using AES-256-GCM.
  • The database is hosted in Azure South Africa North with SSL enforced.
  • Access tokens expire after 15 minutes; refresh tokens expire after 30 days.
  • Administrative access to production systems is restricted to authorised personnel only.

No method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@letterup.co.za.

9. Cookies

We use only essential cookies and local storage on this website:

  • lu_refresh — Secure, HTTP-only session cookie. Used to keep you logged in to the Business Portal. Expires after 30 days or on logout.
  • lu_cookie_consent — Local storage item. Records that you have acknowledged this notice. No expiry — persists until you clear browser storage.

We do not use advertising cookies, social media tracking pixels, or third-party analytics. You can control cookies through your browser settings. Disabling the session cookie will prevent you from staying logged in to the Business Portal.

10. Cross-Border Data Transfers

Your data is stored on servers in South Africa (Azure South Africa North). When we send your document content to Anthropic for AI generation, this data is processed in the United States. Anthropic acts as our sub-processor under a data processing agreement that includes appropriate safeguards. By using LetterUp, you acknowledge this cross-border transfer.

11. Children

LetterUp is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has registered, please contact us at privacy@letterup.co.za and we will delete the account promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify active B2B subscribers by email at least 14 days before the changes take effect and update the "Last updated" date above. Your continued use of LetterUp after the effective date constitutes acceptance of the updated policy.

13. Information Officer & Contact

Information Officer — LetterUp

Email: privacy@letterup.co.za

Support: support@letterup.co.za

Security disclosures: security@letterup.co.za

Website: letterup.co.za

All privacy-related requests are acknowledged within 5 business days and resolved within 30 days in line with POPIA requirements.

LetterUp is a document preparation service. Letters and agreements drafted by this platform do not constitute legal advice and do not create an attorney-client relationship. For legal proceedings, consult a qualified South African attorney.