Legal
Privacy Policy
Effective 20 June 2026
This policy describes how Splice Computers (Pty) Ltd, trading as Yielde, handles personal information in line with the Protection of Personal Information Act 4 of 2013 (POPIA).
1. Who we are and how to read this policy
Splice Computers (Pty) Ltd, trading as Yielde ("Yielde", "we", "us"), registration number 2019/272712/07, registered at 55 York Street, George, Western Cape, 6529, South Africa, is the entity behind this website and the Yielde platform.
This policy explains how we handle personal information in line with POPIA, which governs all processing of personal information in South Africa.
2. The two roles Yielde plays: responsible party vs operator
POPIA assigns roles by function, not by label (POPIA section 1). The responsible party determines the purpose of and means for processing personal information; the operator processes personal information for a responsible party without coming under that party's direct authority. One entity can be both, for different sets of data, which is Yielde's position.
- Responsible party, for personal information we collect and control: website visitors, enquiries, account holders, billing data, and our own marketing data. We choose the purpose and means, and the obligations in this policy apply to us directly under POPIA section 8 (continuous accountability).
- Operator, for the personal information of our customers' end-users and leads that we process on our customers' instruction through the Yielde platform. Here the customer is the responsible party; Yielde is the operator processing on their behalf under the mandatory written operator contract (the Data Processing Agreement, "DPA") required by POPIA section 21(1).
What this means for you.If you are a Yielde customer, your end-users' and leads' personal information remains under your control as the responsible party; we process it only on your instructions and only under the section 21 DPA. If you are a visitor, enquirer, or account holder dealing with Yielde directly, we are the responsible party and this policy governs that relationship.
3. The eight conditions for lawful processing
POPIA structures all lawful processing around eight conditions. We commit to all eight:
- Accountability (section 8): we take responsibility for complying with these conditions, both when we decide why and how we process and throughout the processing.
- Processing limitation (sections 9 to 12): we process personal information lawfully, minimally, and on a recognised legal basis. Consent is only one of six justification grounds in section 11(1); we rely on the appropriate ground for each purpose, not on consent by default.
- Purpose specification (sections 13 to 14): we collect personal information for specific, explicitly defined, lawful purposes and keep records no longer than necessary (see section 8 below).
- Further processing limitation (section 15): we do not use personal information for a new purpose incompatible with the one it was collected for.
- Information quality (section 16): we take reasonably practicable steps to keep personal information accurate, complete, and up to date.
- Openness (sections 17 to 18): we maintain documentation of our processing and notify data subjects of the matters POPIA requires at collection, including, where applicable, the fact of any cross-border transfer and the level of protection in the destination country (section 18(1)(g)).
- Security safeguards (sections 19 to 22): we secure personal information with appropriate, reasonable technical and organisational measures (see section 9).
- Data subject participation (sections 23 to 25): we give data subjects the rights set out in section 10.
4. Personal information we collect (Yielde as responsible party)
When you deal with Yielde directly, we collect:
- Contact details you submit: name, email address, phone number, business name, and the content of any enquiry.
- Account and authentication data: your login identifier and session/auth records needed to operate your Yielde portal account.
- Billing details needed to issue invoices and process payments in ZAR. Card details are handled by Paystack and are not stored by Yielde.
- Project / onboarding information you share so we can deliver the services (assets, copy, configuration, and, where applicable, your signed Data Processing Agreement).
- Standard server logs generated automatically when you visit the site (IP address, user agent, request path, timestamp), used for security and debugging.
We do not sell personal information, and this site does not use third-party analytics or advertising trackers (see section 11).
5. Customer lead / end-user data (Yielde as operator)
Where you are a Yielde customer, the platform processes the personal information of your end-users and leads (for example, contact details captured by an automation, voice-receptionist call data, or message content) on your behalf and on your instructions. For that data:
- You are the responsible party; we are the operator.
- We process it only with your knowledge or authorisation and keep it confidential, as POPIA section 20 requires of every operator.
- Our processing is governed by the written operator contract (DPA) mandated by POPIA section 21(1), which carries down the security obligations of section 19 and the breach-notification duty of section 21(2).
- Your own privacy notice to your end-users and leads (not this Yielde policy) is the notice that must disclose your purposes, legal basis, and (where applicable) the cross-border processing described in section 7. We will assist you to do so.
6. How we use personal information
- To respond to enquiries and deliver the services you have asked us to deliver.
- To create and operate your account and authenticate your access to the portal.
- To issue invoices and process payments through Paystack (ZAR).
- To operate, secure, and improve our website and services.
- To comply with our legal, tax, and regulatory obligations.
- AI-assisted features. Some Yielde features route content (which can contain personal information) to third-party large-language-model and voice providers to generate responses. This includes AI Chat, our in-dashboard assistant that lets you converse with your choice of leading AI models. Every model call is routed through our self-hosted LiteLLM gateway to OpenRouter and on to the chosen provider, and the response is streamed straight back to you. For customer lead data, this is further processing that must stay compatible with the purpose for which you originally collected it, is scoped in the DPA, and is minimised so far as practicable before it leaves South Africa. The providers involved, and the cross-border basis, are set out in section 7.
7. Sub-processors, third parties, and cross-border transfers
We share personal information only with the service providers ("sub-processors") we use to deliver our services. Our sub-processor register is the authoritative list of who they are, what they process, and where.
7.1 The cross-border rule (POPIA section 72)
A responsible party in South Africa may not transfer personal information to a third party in a foreign country unless one of the five gateways in section 72(1) is met. The principal gateway, section 72(1)(a), is conjunctive: the recipient must be subject to a law, binding corporate rules, or binding agreement that upholds processing principles substantially similar to POPIA's conditions and includes substantially similar onward-transfer controls. South Africa has no published adequacy list and no Regulator standard contractual clauses, so the responsible party must self-assess and evidence adequacy. Our most significant cross-border flow is AI prompts (which can contain personal information) routed to US-hosted LLM APIs; the lawful basis for each transfer is set out and carried down through the DPA.
7.2 Sub-processors
| Sub-processor | Purpose | Location | Cross-border? |
|---|---|---|---|
| AWS (af-south-1, Cape Town) | Per-tenant automation, database, and cache (tenant automation data) | South Africa | No, in-region |
| Paystack | Payment processing (ZAR) | South Africa | No |
| Documenso (self-hosted) | E-signature for the DPA, hosted on Yielde infrastructure | South Africa | No, signing data stays on Yielde infrastructure |
| Supabase | Application database (auth, lifecycle, subscriptions, credit ledger) | AWS eu-west-1 (Dublin, Ireland, EU) | Yes, EU (GDPR; substantially similar to POPIA) |
| LLM gateway → OpenRouter → OpenAI / Anthropic | AI text generation; prompts may contain personal information | United States | Yes, highest risk |
| Retell | Voice-AI receptionist | United States | Yes |
| Twilio | Telephony for voice | United States | Yes |
| Resend | Transactional email | United States | Yes |
| Vercel | Marketing site and client portal hosting | Global / US edge | Yes |
| Cloudflare | DNS and access SSO | Global | Yes |
We require each sub-processor to be named and authorised in the relevant DPA and to provide back-to-back security and breach-notification commitments (see sections 9 and 12). We do not sell personal information.
8. Retention
We keep personal information only as long as needed for the purpose it was collected, plus any retention period required by law (for example, the period applicable to tax and accounting records, five years). Customer project and lead data is handled per the DPA and is deleted in line with our Cancellation Policy on cancellation.
9. Security safeguards (POPIA sections 19 to 21)
We secure personal information by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access or processing, as required by POPIA section 19(1). We follow the four-step risk methodology in section 19(2): identify reasonably foreseeable internal and external risks; establish and maintain safeguards; regularly verify they are effective; and continually update them. We apply generally accepted information-security practices.
As an operator, we process customer data only with the responsible party's authorisation and keep it confidential under section 20, and our DPA carries the section 19 security standard down to us and onward to our sub-processors. No system is perfectly secure. See section 12 for what happens if a security compromise occurs, and our Security page for more detail.
10. Your rights under POPIA (data subject participation, sections 23 to 25)
You have the right to:
- Access: request confirmation of, and access to, the personal information we hold about you (section 23).
- Correction or deletion: request that we correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained (section 24).
- Objection: object, on reasonable grounds, to processing in the circumstances POPIA permits (section 11(3)).
- Withdraw consent: where our processing relies on your consent, withdraw it (this does not affect processing already carried out).
- Complain to the Regulator: lodge a complaint with the Information Regulator of South Africa (details below).
How to exercise your rights. Email our Information Officer at support@yielde.dev(see section 13). If you are a Yielde customer's end-user or lead, the customer is the responsible party for your data, so direct your request to that customer; where we hold the data as operator, we will assist the customer to fulfil your access, correction, or deletion request across our systems, as the DPA requires.
Complaints to the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Complaints email: POPIAComplaints@inforegulator.org.za
- Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
11. Cookies
This site uses only the cookies necessary for it to function (for example, session and security cookies). It does not set marketing or analytics cookies. For full detail on what we set and why, see our Cookie Policy.
12. Security compromises (breach notification, POPIA sections 21(2), 22)
If a security compromise occurs:
- Where Yielde is the responsible party, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise (unless the data subject's identity cannot be established), as required by POPIA section 22.
- Where Yielde is the operator, our statutory duty is to notify the responsible party (our customer) immediately on reasonable grounds to believe their data subjects' personal information has been accessed or acquired by an unauthorised person, under POPIA section 21(2). In that case the customer notifies the Regulator and data subjects; we will assist them to do so.
13. Information Officer and contact
Our Information Officer is the head of the organisation by operation of law (POPIA section 1 read with PAIA section 1).
- Information Officer: Splice Computers (Pty) Ltd, trading as Yielde
- Address: 55 York Street, George, Western Cape, 6529, South Africa
- Email: support@yielde.dev
- Phone: 063 611 2952
14. Changes to this policy
We may update this policy from time to time. The effective date at the top of the page reflects the latest version. Material changes will be communicated by updating this page and, where appropriate, by notice to account holders.
15. Governing law
This policy and our processing of personal information are governed by the laws of the Republic of South Africa, in particular POPIA. Disputes are subject to South African jurisdiction. See our Terms of Service, Refund Policy, and Cancellation Policy for related terms.