Afrimintel — Privacy Policy
DRAFT FOR COUNSEL REVIEW. NOT YET LIVE. NOT LEGAL ADVICE.
This draft is structured to reflect Afrimintel's actual data flows as of April 2026, with multi-jurisdiction awareness (Mauritius Data Protection Act 2017, EU/UK GDPR, South Africa POPIA). It is a starting point for your counsel — it is not a substitute for legal review. Specific clauses around lawful basis, international data transfer mechanisms, retention periods, and dispute resolution must be calibrated by qualified counsel for each jurisdiction Afrimintel operates in.
Action required from Nikesh before this can go live:
1. Counsel review (Mauritius lead, EU/UK GDPR sub-review)
2. Confirm legal entity name and registration details (placeholders below marked [ENTITY])
3. Confirm DPO designation if applicable under GDPR Art. 37
4. Confirm retention periods per data category
5. Confirm international transfer mechanism (Standard Contractual Clauses / adequacy / etc.)
Privacy Policy
Effective date: [DATE]
Last updated: [DATE]
Version: 1.1
Changelog: v1.0 → v1.1 (26 April 2026) — Analytics & behavioural-data section merged in. Plausible.io confirmed as analytics vendor (replaces tentative "Plausible / Posthog" language in earlier draft). New Section 3.5 added covering what behavioural data is and is not collected. Section 5.2 strengthened with no-cross-portfolio-routing commitment. Sections 7 and 10 updated to reflect Plausible confirmation.
1. Who we are
Afrimintel ("Afrimintel", "we", "us") is an Africa-focused mineral intelligence platform operated by [ENTITY], a company registered in Mauritius (registration number: [REG]).
Editorial responsibility: Nikesh Patel, Honorary Consul of Rwanda in Mauritius.
For all privacy-related correspondence: nikesh@afrimintel.com
For data protection enquiries from EU, UK, or South African users: same address, marked "Privacy enquiry."
2. Scope of this policy
This policy explains:
- What personal data we collect when you use afrimintel.com or interact with us
- Why we collect it
- How we use it
- Who we share it with (and who we don't)
- How long we keep it
- What rights you have
It applies to all users of afrimintel.com and all subscribers to any Afrimintel tier (Free, Pro, Institutional, Team where applicable, and Government / Project engagements).
3. What we collect
3.1 Information you give us directly
- Account information: name, email address, organisation, role, country of residence. Required for all paid tiers; optional fields for the Free tier (email only required).
- Billing information: company name, billing address, VAT number where applicable. For Institutional and Team tiers: contact name, purchase order details. We do not store full credit card numbers. Card payments are processed by Stripe; we receive only a transaction reference and the last four digits of the card.
- Communications: any email, support ticket, or message you send us.
- Optional profile details: professional background, areas of interest. Used to personalise your dashboard and Daily Brief.
3.2 Information we collect automatically when you use the platform
- Usage data: pages viewed, features used, queries run, time spent on each section. Used to improve the product and to understand which intelligence outputs are most valuable to which user roles.
- Watchlist and saved-query data: the deposits, provinces, and commodities you have starred or queried. This is private to your account and is never shared with other subscribers or third parties.
- Deal Tracker entries: if you use the Deal Tracker feature, the deals you log. Stored locally in your browser by default; never leaves your device unless you explicitly export.
- Technical data: IP address, browser type, device type, operating system, referring URL, session timestamps. Used for security, fraud prevention, and analytics.
3.3 Information from third parties
- Stripe provides us with billing and payment confirmation data for paid subscriptions.
- OAuth providers (if you use Google / LinkedIn sign-in, where offered) provide us with your name and email address only — we do not access any other profile data.
- Email service providers (e.g. SendGrid, Postmark, or equivalent) handle transactional email delivery and report delivery / open / click metrics back to us.
3.4 What we do NOT collect
- We do not collect biometric data.
- We do not collect special-category data (health, ethnicity, political views, religious belief, sexual orientation, trade union membership) under GDPR Article 9.
- We do not collect your physical location beyond country of residence (no GPS tracking).
- We do not collect any data from minors. The platform is for professional B2B use only and is not directed at anyone under 18.
3.5 Analytics — what we measure about how you use Afrimintel
Afrimintel uses a privacy-first, first-party analytics service (Plausible, an EU-based, GDPR-compliant provider operated by Plausible Insights OÜ in Estonia) to understand how the platform is being used so we can improve it. The data collected is limited and narrowly scoped.
What we collect via analytics:
- Page-level events — which pages on afrimintel.com you visit, how long you spend on each, the referrer URL that brought you to the platform, your browser type, screen size, and country (derived from IP address; the IP address itself is not stored).
- Dossier-level events — which deposit dossiers and which province pages are viewed. Counted in aggregate; individual dossier views are not linked to individual users.
- Tool-level events — which tools (Deal Evaluator, DCF/NPV, Country Pitch Builder, Capital Raise Prep) are started and whether they are completed. Tool inputs and tool outputs are NOT captured.
- Document-level events — which downloadable PDFs (Methodology, Category Paper, Acquirer Brief, API Reference, Competitor Gap) are downloaded, and from which page on the platform.
- Conversion events — whether a Pro subscription signup is started or completed; whether a Calendly booking for an Institutional discovery call is initiated or completed.
What we deliberately do NOT collect via analytics:
- Your IP address (used at session level for country derivation, then discarded — not stored)
- User-level identification beyond standard session cookies
- The specific search queries you run on the platform
- The inputs you provide to any tool (DCF assumptions, deal terms, jurisdiction selections, etc.)
- The outputs any tool produces for you
- The specific deposits or provinces you search for
- Cross-site browsing activity beyond afrimintel.com
- Any data that, if disclosed, could compromise your competitive position or the confidentiality of a deal you are evaluating
Why this matters. Afrimintel users include DFI investment officers evaluating live deals, exploration geologists assessing competitive ground positions, and government ministries preparing investor pitches. The privacy of what you are evaluating on Afrimintel is part of the product. We do not capture data that, if breached, would tell a competitor what you are working on.
This is a deliberate design choice. We will not change it without first publishing the change in our Audit Log and updating this Privacy Policy with a versioned amendment.
Plausible does not use cookies and does not collect personal data. Our analytics configuration is described in Section 10 (Cookies and similar technologies).
4. Why we collect it (lawful basis under GDPR / DPA Mauritius)
| Purpose | Lawful basis |
| --- | --- |
| Account creation and login | Contract performance (Art. 6(1)(b) GDPR) |
| Subscription billing | Contract performance |
| Personalising your dashboard and Daily Brief | Legitimate interest (Art. 6(1)(f)) |
| Sending operational emails (password reset, billing alerts) | Contract performance |
| Sending product update emails (newsletter, feature releases) | Consent (opt-in only); you can withdraw at any time |
| Security, fraud prevention, abuse mitigation | Legitimate interest |
| Compliance with VAT and tax obligations (Mauritius) | Legal obligation (Art. 6(1)(c)) |
| Compliance with anti-money-laundering checks for Institutional subscribers | Legal obligation |
| Improving the product and methodology | Legitimate interest; aggregated and anonymised wherever possible |
5. Who we share it with
5.1 Service providers (data processors)
We share specific data with the following service providers, each operating under data processing agreements with Afrimintel:
- Stripe — payment processing
- Netlify — website hosting
- Email service provider [SendGrid / Postmark / etc — confirm and name]
- Analytics provider — Plausible Insights OÜ (Estonia, EU). Plausible does not use cookies and does not collect personal data. See Section 3.5 for what is and is not collected via analytics.
- Customer support tooling [if applicable — name]
- AI service providers for the platform's AI deep-dive feature [Anthropic, OpenAI, or others as configured — confirm and name]. Queries you submit to AI deep-dive may be processed by these providers under their own privacy policies. We do not send your account information with these queries; only the query text and a session token.
Each of these providers operates under their own privacy policies; we have data processing agreements with each. We do not authorise them to use your data for their own purposes beyond providing the service.
5.2 Who we do NOT share with
- We do not sell your data. Not to data brokers, not to mining operators, not to acquirers, not to anyone.
- We do not share your watchlist, saved queries, or Deal Tracker entries with any third party, including other subscribers, mining companies whose assets you may have queried, or DFIs.
- We do not share your usage data with operators or governments whose data appears on the platform.
- We do not provide individual subscriber lists to acquirer prospects. Aggregated subscriber metrics (total count by tier, geographic distribution, sector distribution) may be disclosed under NDA in M&A processes — never named subscriber lists.
- We do not export, share, sell, or otherwise transmit Afrimintel analytics or behavioural data to any related entity, partner, commercial affiliate, or portfolio venture of Afrimintel or its editorial responsibility holder. Analytics data exists for one purpose only: improving Afrimintel itself. This is a permanent commitment. Material change to it requires a versioned amendment to this Privacy Policy with at least 30 days' user notification, and an Audit Log entry documenting the change and the reason.
5.3 Legal disclosure
We may disclose personal data if compelled by valid legal process (court order, regulatory request, AML obligation in a member jurisdiction). Where legally permitted, we will notify the affected user before disclosure.
5.4 Business transfer
If Afrimintel is acquired or undergoes a change of control, your personal data may be transferred to the acquirer as part of that transaction. The acquirer will be required to honour the terms of this Privacy Policy or provide equivalent or stronger protections. We will notify you of any such transfer.
6. International data transfers
Afrimintel is operated from Mauritius. Some of our service providers operate in the EU, UK, USA, and other jurisdictions.
- For EU/UK users: international transfers rely on [Standard Contractual Clauses / UK IDTA — confirm with counsel]. Mauritius is not currently the subject of an EU adequacy decision.
- For South African users: transfers comply with POPIA Section 72 conditions.
- For Mauritius users: transfers comply with the Data Protection Act 2017.
We will provide further documentation of our transfer mechanisms on request (write to nikesh@afrimintel.com).
7. How long we keep it
| Data category | Retention |
| --- | --- |
| Active account data | For the lifetime of the account, plus 90 days after account deletion |
| Billing records | 7 years after the end of the relevant tax year (Mauritius VAT requirement) |
| Transactional email logs | 12 months |
| Usage analytics (Plausible) | 24 months at event level on a rolling basis; beyond 24 months, aggregate counts only |
| Support correspondence | 36 months |
| AI deep-dive query logs | 90 days, after which logs are retained in aggregated, anonymised form only |
| Marketing email subscription preferences | Until you unsubscribe, plus 12 months |
When data reaches the end of its retention period, it is deleted from active systems within 30 days. Backups are overwritten on rolling cycles; data may persist in backups for up to 90 days beyond the active-system deletion date.
8. Your rights
Under the Mauritius DPA 2017, EU/UK GDPR, South Africa POPIA, and equivalent laws in other jurisdictions, you have the following rights:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): request deletion of your account and associated data, subject to retention obligations under tax law
- Right to restriction of processing: request that we limit how we process your data
- Right to data portability: receive your data in a machine-readable format (JSON) for transfer to another service
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent: for processing based on consent (e.g. marketing emails)
- Right to lodge a complaint with your local data protection authority
To exercise any of these rights, write to nikesh@afrimintel.com with the subject line "Privacy rights request." We will respond within 30 days (extendable to 60 days for complex requests, with notice).
You will not be charged a fee for exercising these rights, except in cases of manifestly unfounded or excessive requests.
9. Security
We protect your data through:
- TLS encryption for all data in transit
- Encryption at rest for our primary database
- Multi-factor authentication available on all paid tier accounts
- Access controls limiting which Afrimintel personnel can access user data (for the foreseeable future, that is Nikesh Patel and any future named team members listed at afrimintel.com/team)
- Regular security review of our hosting and service-provider stack
- Incident response process: in the event of a data breach affecting your personal data, we will notify you and the relevant data protection authority within 72 hours of becoming aware of the breach, in line with GDPR Art. 33 / 34 obligations
No system is fully secure. If you suspect your account has been compromised, write to nikesh@afrimintel.com immediately.
10. Cookies and similar technologies
Afrimintel uses minimal cookies:
- Essential cookies: required for login session, payment processing, security. No consent required under GDPR / DPA — these are strictly necessary for the service to function.
- Analytics: Plausible. Plausible is privacy-respecting and does not use cookies, does not track users across sites, and does not collect personal data. See Section 3.5 for the full list of what Plausible does and does not measure.
- No third-party advertising cookies. We do not run advertising. We do not allow third-party advertising tracking on the platform.
Because Plausible operates without cookies, no cookie banner is required for analytics consent under most jurisdictions. If we ever introduce a tool that requires non-essential cookies, we will display a banner allowing you to accept or reject before any non-essential cookie is set, and we will update this section.
11. Children
Afrimintel is a B2B intelligence platform intended for professional use only. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected data from a minor, write to nikesh@afrimintel.com and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be:
- Notified to all registered users by email at least 30 days before they take effect
- Posted on this page with an updated "Last updated" date
- Logged in the platform Audit Log
Continued use of the platform after a material change indicates acceptance of the updated policy.
13. Contact and complaints
For any privacy enquiry, exercise of your rights, or complaint:
Nikesh Patel
Editorial responsibility, Afrimintel
[ENTITY], Mauritius
nikesh@afrimintel.com
If you are not satisfied with our response, you have the right to lodge a complaint with:
- Mauritius: Data Protection Office of Mauritius (dpo.govmu.org)
- EU member states: your national data protection authority (full list at edpb.europa.eu)
- United Kingdom: Information Commissioner's Office (ico.org.uk)
- South Africa: Information Regulator (inforegulator.org.za)
- Other jurisdictions: your local data protection or privacy authority
Notes for counsel and Nikesh — not part of the public policy
These notes appear in the draft for working purposes only. They will not appear in the published version.
What needs counsel calibration
- Lawful basis review (Section 4) — the legitimate-interest balancing test for personalisation and analytics needs documentation. Counsel should help draft the LIA (Legitimate Interest Assessment) for retention.
- International transfer mechanism (Section 6) — Mauritius is not on the EU adequacy list. SCCs are the default but require supplementary measures assessment under Schrems II reasoning. Counsel should confirm.
- Retention periods (Section 7) — these are template defaults. Mauritius VAT statute of limitations should be confirmed; the 7-year figure is standard but worth verifying.
- DPO requirement (Article 37 GDPR) — Afrimintel as a small B2B SaaS likely does NOT trigger mandatory DPO appointment, but the editorial responsibility model suggests Nikesh acts as the de facto privacy contact. Counsel to confirm whether explicit DPO designation is needed.
- POPIA Information Officer — South Africa POPIA requires a registered Information Officer if Afrimintel processes personal information of South African residents in any volume. Counsel to confirm threshold and whether registration is needed.
- AML / KYC framework — Institutional subscribers that are DFIs or financial institutions may trigger AML obligations on Afrimintel. Counsel to confirm scope.
- Section 3.5 "what we deliberately do not collect" list — published commitment. Needs review for two things: whether it is enforceable as drafted under Mauritius DPA 2017 / GDPR, and whether the language survives a future change in vendor. Substantive commitment about what is and is not collected should remain regardless of vendor.
- Section 5.2 no-cross-portfolio-routing commitment — deliberate commitment included to address a specific risk pattern (covert cross-portfolio data routing in multi-product founder portfolios). Editorial-policy in form. Counsel to review for whether it creates contractual exposure if a future commercial change requires revisiting it. Intent is that any future revisit would be a published, versioned policy change with user notification — not a silent change.
- Plausible 24-month retention is vendor-driven. Plausible's settings allow user-configured retention down to 6 months. Decision deferred until counsel feedback.
What needs Nikesh's confirmation
- Legal entity name and registration number (Section 1, throughout)
- Service provider names (Section 5.1) — confirm exact stack: which email provider, which analytics provider, which AI providers
- Whether partnerships@afrimintel.com and info@afrimintel.com mailboxes exist and route somewhere monitored
- Confirmation of payment processor: Stripe is assumed in this draft. If you use Paddle, Lemon Squeezy, or another, the reseller-of-record vs. processor distinction changes some clauses
- Whether OAuth (Google / LinkedIn sign-in) is offered — assumed yes, draft accordingly
- Backup retention windows — assumed 90 days; confirm against your hosting setup
- Cookie banner: required if any non-essential cookies are used. If you stick to Plausible (cookieless) and no other tracking, you may be able to operate without a banner. Counsel to advise.
Companion documents needed
This Privacy Policy assumes the following companion documents will exist:
- Terms of Service — drafted alongside this policy
- Cookie Policy — short standalone page, can be a section of this Privacy Policy or separate; counsel preference
- Data Processing Agreement (DPA) template — for Institutional clients who require one
- Sub-processor list — public list of service providers used; updated when changes are made
Audit Log entry — Privacy Policy v1.0 → v1.1 merge
What changed: Analytics & behavioural-data section merged into Privacy Policy DRAFT. Plausible.io confirmed as analytics vendor (replaces tentative "Plausible / Posthog" language). New Section 3.5 added covering what behavioural data is and is not collected. Section 5.2 strengthened with no-cross-portfolio-routing commitment. Sections 5.1, 7, and 10 updated to reflect Plausible confirmation. Counsel notes section extended with three new items for review.
Why: Sprint task 3.18 (W3) introduces first-party analytics. Privacy Policy must accurately reflect what is collected and what is not before analytics goes live and before counsel review. The "no-cross-portfolio-routing" commitment in Section 5.2 closes a specific structural risk pattern (covert cross-portfolio data routing in multi-product founder portfolios) and must be on the page in published form so the commitment is externally enforceable, not just internal policy.
Source of authoritative correction: Editorial decision documented in Claude conversation thread, 26 April 2026. Vendor capability per plausible.io/data-policy at retrieval date 25 April 2026 (subject to verification at install per task 3.18 operational note). EU jurisdiction per Plausible Insights OÜ Estonia registration. ISO 27001 certification per vendor compliance page.
Version marker: Privacy Policy v1.0 → v1.1.
Regression check: Section 3.5 added; sections 3.1–3.4 unchanged. Section 5.1 updated to remove tentative analytics language and confirm Plausible. Section 5.2 strengthened with new commitment, retaining all existing commitments. Section 7 retention table updated for analytics row only; all other rows unchanged. Section 10 updated to remove tentative Posthog reference and remove cookie banner default; reverts to "no banner unless non-essential cookies are introduced." Counsel notes extended with three new review items. No deletions; all original content preserved or strengthened. The "no-cross-portfolio-routing" language in Section 5.2 is consistent with Quality Standard internal governance Section 12 and with Independence Policy. Counsel review still required before Privacy Policy goes live.