Effective date: 25 June 2026
Last updated: 25 June 2026
This Privacy Policy explains how Lorito collects, uses, shares and protects personal information. We are committed to handling your information lawfully and transparently in accordance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable South African law. It applies to our website, our dashboard, and the AI agents we host on behalf of our customers.
Lorito is operated by Lorito AI (Pty) Ltd(registration number 2026/501205/07), a private company incorporated in the Republic of South Africa (“Lorito”, “we”, “us” or “our”). Our registered address is 100 Heleza Boulevard, Durban, KwaZulu-Natal, 4319.
For any privacy question, to exercise your rights, or to contact our Information Officer, email privacy@lorito.ai.
Lorito plays two different roles under POPIA depending on the information involved:
Your name, email address and authentication details when you sign up or sign in; profile and organisation details; and the content of any support or other communications you send us.
Website URLs and page text, PDFs, documents and other materials you submit so that we can build a knowledge base for your agent. You are responsible for ensuring you have the right to provide this content (see our Terms of Service). We process Customer Content as your Operator, on your instructions.
Messages exchanged between end-users and your deployed agents, together with related metadata such as timestamps, the channel used, and derived engagement analytics. We process this as Operator on behalf of the customer who deployed the agent.
Subscriptions are billed through our payments provider and merchant of record, Polar. We do not receive or store your card or banking details — Polar handles those directly. We retain only your plan, credit balance and billing status.
Records of emails we send you (through our email provider, Loops), and technical and usage data such as IP address, browser and device type, pages and features used, server logs and signals used to apply rate limits and prevent abuse.
We process personal information only where POPIA permits it — namely where it is necessary to perform our contract with you, to comply with a legal obligation, to pursue our (or a third party’s) legitimate interests in a balanced way, to protect a legitimate interest of the data subject, or with your consent.
To generate answers, your Customer Content and the messages in a conversation are converted into embeddings and sent to large language model providers through the Vercel AI Gateway. These providers process the data only to return a response to us and operate under zero-data-retention terms — they do not retain your content after the request or use it to train their models.
AI-generated responses can be incomplete or inaccurate and should not be relied upon as professional, legal, medical or financial advice. Customers are responsible for how their agents are configured and for the responses those agents produce.
We do not sell your personal information. We share it only with the sub-operators below, who process it on our behalf under written agreements that require them to protect it and use it only for the purposes we specify:
| Sub-operator | Purpose | Location |
|---|---|---|
| Vercel | Hosting, content delivery and analytics | United States |
| Supabase | Database, authentication and file storage | United States / EU |
| Model providers via the Vercel AI Gateway | AI inference and embeddings (zero data retention) | United States |
| Modal | Website ingestion and processing compute | United States |
| Polar | Subscription billing (merchant of record) | United States / EU |
| Loops | Transactional and product email | United States |
| Upstash | Rate limiting and ephemeral cache | United States |
| Composio | Third-party tool integrations you choose to enable | United States |
We may also disclose information where required to comply with the law or a lawful request, to enforce our agreements, or in connection with a merger, acquisition or sale of assets (in which case we will require the recipient to honour this policy).
Most of our sub-operators are located outside South Africa, mainly in the United States. Where we transfer personal information across borders, we do so in accordance with section 72 of POPIA — namely under written agreements (such as data processing agreements and standard contractual clauses) that require the recipient to provide an adequate level of protection, where the transfer is necessary to perform our contract with you, or with your consent.
Subject to the conditions in POPIA, you have the right to:
To exercise any of these rights, email privacy@lorito.ai. If you are an end-user of an agent deployed by one of our customers, please direct your request to that customer, who is the Responsible Party for those conversations.
We take reasonable technical and organisational measures to safeguard personal information, including encryption in transit and at rest, access controls, secret management, and monitoring for unauthorised access. No method of transmission or storage is completely secure, but we work to protect your information and will notify you and the Information Regulator of a compromise where the law requires.
Lorito is intended for use by businesses and is not directed at children. We do not knowingly collect the personal information of children. If you believe a child has provided us with information, contact us and we will delete it.
We use strictly necessary cookies to keep you signed in and to operate the service, and analytics cookies (where you consent) to understand how the service is used. We do not use third-party advertising trackers. You can control non-essential cookies through your browser or our consent controls.
We may update this policy from time to time. If we make a material change, we will give account holders at least 14 days’ notice by email before it takes effect. Your continued use of Lorito after the effective date constitutes acceptance of the updated policy.
If you are concerned about how we handle your personal information, please contact us first at privacy@lorito.ai so we can try to resolve it. You also have the right to complain to the Information Regulator (South Africa):
Information Regulator (South Africa)
Email: enquiries@inforeg.org.za (general) / POPIAComplaints@inforeg.org.za (complaints)
Website: inforegulator.org.za