Privacy Policy

Effective date: 25 June 2026

Last updated: 25 June 2026

This Privacy Policy explains how Lorito collects, uses, shares and protects personal information. We are committed to handling your information lawfully and transparently in accordance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable South African law. It applies to our website, our dashboard, and the AI agents we host on behalf of our customers.

1. Who we are and how to contact us

Lorito is operated by Lorito AI (Pty) Ltd(registration number 2026/501205/07), a private company incorporated in the Republic of South Africa (“Lorito”, “we”, “us” or “our”). Our registered address is 100 Heleza Boulevard, Durban, KwaZulu-Natal, 4319.

For any privacy question, to exercise your rights, or to contact our Information Officer, email privacy@lorito.ai.

Our two roles

Lorito plays two different roles under POPIA depending on the information involved:

  • As Responsible Party (the party that determines why and how information is processed) for the personal information of our account holders — for example the people who sign up for and administer a Lorito account.
  • As Operator (a party that processes information on behalf of, and on the instructions of, a Responsible Party) for the content our customers ingest and the conversations their deployed agents handle. In that case our customer is the Responsible Party and is responsible for that information; we process it only to provide the service.

2. Who this policy applies to

  • Account holders — the businesses, agencies and individual team members who register for and use Lorito.
  • Website visitors — people who browse lorito.ai.
  • End-users of deployed agents— people who chat with an AI agent that one of our customers has deployed. For these conversations we generally act as Operator for that customer. The customer’s own privacy notice governs how they use those conversations; if you are an end-user wishing to exercise your rights, please contact the business whose agent you interacted with, and we will assist that business as needed.

3. What information we collect

Information you give us

Your name, email address and authentication details when you sign up or sign in; profile and organisation details; and the content of any support or other communications you send us.

Content you bring (“Customer Content”)

Website URLs and page text, PDFs, documents and other materials you submit so that we can build a knowledge base for your agent. You are responsible for ensuring you have the right to provide this content (see our Terms of Service). We process Customer Content as your Operator, on your instructions.

Conversation data

Messages exchanged between end-users and your deployed agents, together with related metadata such as timestamps, the channel used, and derived engagement analytics. We process this as Operator on behalf of the customer who deployed the agent.

Payment information

Subscriptions are billed through our payments provider and merchant of record, Polar. We do not receive or store your card or banking details — Polar handles those directly. We retain only your plan, credit balance and billing status.

Communications and technical data

Records of emails we send you (through our email provider, Loops), and technical and usage data such as IP address, browser and device type, pages and features used, server logs and signals used to apply rate limits and prevent abuse.

4. Why we process your information and our lawful basis

We process personal information only where POPIA permits it — namely where it is necessary to perform our contract with you, to comply with a legal obligation, to pursue our (or a third party’s) legitimate interests in a balanced way, to protect a legitimate interest of the data subject, or with your consent.

  • To create and administer your account and provide the service — performance of a contract.
  • To ingest your content and operate your agents — performance of a contractand our customers’ instructions.
  • To send transactional and service emails — performance of a contract; product and marketing emails — consent or legitimate interests, which you can withdraw at any time.
  • To bill subscriptions and keep accounting records — contract and legal obligation.
  • To secure the service, monitor for abuse and prevent fraud — legitimate interests.
  • To comply with law and respond to lawful requests — legal obligation.

5. How AI processing works

To generate answers, your Customer Content and the messages in a conversation are converted into embeddings and sent to large language model providers through the Vercel AI Gateway. These providers process the data only to return a response to us and operate under zero-data-retention terms — they do not retain your content after the request or use it to train their models.

AI-generated responses can be incomplete or inaccurate and should not be relied upon as professional, legal, medical or financial advice. Customers are responsible for how their agents are configured and for the responses those agents produce.

6. Who we share your information with

We do not sell your personal information. We share it only with the sub-operators below, who process it on our behalf under written agreements that require them to protect it and use it only for the purposes we specify:

Sub-operatorPurposeLocation
VercelHosting, content delivery and analyticsUnited States
SupabaseDatabase, authentication and file storageUnited States / EU
Model providers via the Vercel AI GatewayAI inference and embeddings (zero data retention)United States
ModalWebsite ingestion and processing computeUnited States
PolarSubscription billing (merchant of record)United States / EU
LoopsTransactional and product emailUnited States
UpstashRate limiting and ephemeral cacheUnited States
ComposioThird-party tool integrations you choose to enableUnited States

We may also disclose information where required to comply with the law or a lawful request, to enforce our agreements, or in connection with a merger, acquisition or sale of assets (in which case we will require the recipient to honour this policy).

7. Cross-border transfers of information

Most of our sub-operators are located outside South Africa, mainly in the United States. Where we transfer personal information across borders, we do so in accordance with section 72 of POPIA — namely under written agreements (such as data processing agreements and standard contractual clauses) that require the recipient to provide an adequate level of protection, where the transfer is necessary to perform our contract with you, or with your consent.

8. How long we keep your information

  • Account data — kept for as long as your account is open. You can ask us to delete your account and its data at any time by emailing privacy@lorito.ai, and we will action your request within 30 days, except for records we are required by law to keep for longer (for example, invoices and tax records, which South African law requires us to retain for at least five years).
  • Customer Content — deleted from our active systems when you delete the relevant source, agent or project, or when your account is deleted. Residual copies may remain in our encrypted backups for a limited period until those backups are rotated in the ordinary course, after which they are overwritten.
  • Conversation data — retained while the related agent or project exists so that we can provide the service and its analytics, and deleted when you delete the conversation, the agent or the project, or when your account is deleted.

9. Your rights

Subject to the conditions in POPIA, you have the right to:

  • request confirmation of, and access to, the personal information we hold about you;
  • request that we correct or update inaccurate information;
  • request that we delete information we are no longer entitled to keep;
  • object to processing on reasonable grounds;
  • withdraw any consent you have given, at any time; and
  • lodge a complaint with the Information Regulator (see section 14).

To exercise any of these rights, email privacy@lorito.ai. If you are an end-user of an agent deployed by one of our customers, please direct your request to that customer, who is the Responsible Party for those conversations.

10. How we protect your information

We take reasonable technical and organisational measures to safeguard personal information, including encryption in transit and at rest, access controls, secret management, and monitoring for unauthorised access. No method of transmission or storage is completely secure, but we work to protect your information and will notify you and the Information Regulator of a compromise where the law requires.

11. Children

Lorito is intended for use by businesses and is not directed at children. We do not knowingly collect the personal information of children. If you believe a child has provided us with information, contact us and we will delete it.

12. Cookies and tracking

We use strictly necessary cookies to keep you signed in and to operate the service, and analytics cookies (where you consent) to understand how the service is used. We do not use third-party advertising trackers. You can control non-essential cookies through your browser or our consent controls.

13. Changes to this policy

We may update this policy from time to time. If we make a material change, we will give account holders at least 14 days’ notice by email before it takes effect. Your continued use of Lorito after the effective date constitutes acceptance of the updated policy.

14. Complaints and the Information Regulator

If you are concerned about how we handle your personal information, please contact us first at privacy@lorito.ai so we can try to resolve it. You also have the right to complain to the Information Regulator (South Africa):

Information Regulator (South Africa)
Email: enquiries@inforeg.org.za (general) / POPIAComplaints@inforeg.org.za (complaints)
Website: inforegulator.org.za