Privacy Policy
Version 1.0 · Effective May 2026
Konductro (Pty) Ltd · konductro.com · privacy@konductro.com
This Privacy Policy explains how Konductro collects, uses, shares, and protects personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). Please read it carefully.
Summary
Konductro is a South African software delivery platform. We collect the information needed to run your account and deliver our services. We do not sell your personal information. We do not use your data to train AI models without your consent. You have the right to access, correct, and delete your information.
1. Who We Are
Konductro (Pty) Ltd (registration number 2026/423844/07) is a company registered in the Republic of South Africa. We are the operating entity of the Konductro platform, which we make available under licence from our holding company, Konductro Holdings (Pty) Ltd. The platform is accessible at platform.konductro.com.
We are a Responsible Party as defined by POPIA in relation to personal information we collect about visitors to our website and administrators of our platform.
For personal information relating to your employees, contractors, or end users that you process through the Platform, you are the Responsible Party and we act as your Operator under a separate POPIA Operator Agreement.
Contact details for data protection matters:
- Email: privacy@konductro.com
- Website: konductro.com/privacy
- Postal: The Information Officer, Konductro (Pty) Ltd, Unit 2, Kilwa House, Bondev Office Park, Wierda Rd, Zwartkop 356-Jr, Centurion, 0185, South Africa
2. Personal Information We Collect
We collect personal information in the following categories:
| Category | Examples | Purpose | Basis |
|---|---|---|---|
| Account Information | Name, work email, job title, company name | Account creation and management | Contract |
| Authentication Data | Email address, hashed password, MFA tokens, OAuth tokens (for Git integrations) | Secure platform access | Contract |
| Billing Information | Invoice contact details, organisation name, billing address | Invoicing and payment processing | Contract |
| Usage Data | Feature usage patterns, page views, session duration, error logs | Platform improvement and technical support | Legitimate interest |
| Platform Metrics Data | Aggregate project, task, story, and test case counts; delivery cycle metrics (cycle time, rework rate, sprint cadence); AI usage volumes; industry sector and organisation size | Platform analytics, industry benchmarking, and marketing (see Section 3A) | Contract + Legitimate interest |
| Work Activity Data | Assigned tickets, PR submissions, QA outcomes, sprint participation | Core platform functionality — delivery workflow | Contract |
| AI Interaction Data | Prompts submitted to the Conductor AI assistant, generated outputs | AI service delivery and session context | Contract |
| Communication Data | Emails and messages sent to Konductro support or sales | Support and account management | Legitimate interest |
| Technical Data | IP address, browser type, device type, operating system | Security monitoring and fraud prevention | Legitimate interest |
We do not intentionally collect Special Personal Information (such as health data, race, religion, or trade union membership). Please do not include Special Personal Information in project descriptions, tickets, or AI prompts.
3. How We Use Your Personal Information
We use personal information for the following purposes:
- Providing and managing the Platform: creating and maintaining accounts, processing subscriptions, enabling the Conductor AI assistant, and delivering all Platform functionality.
- Billing and payments: generating invoices, tracking subscription status, and managing payment records.
- Technical support: diagnosing issues, responding to support requests, and maintaining platform stability.
- Security and fraud prevention: monitoring for unauthorised access, investigating potential breaches, and enforcing our Acceptable Use Policy.
- Product improvement: analysing aggregated usage patterns to improve Platform features and performance. We do not use personally identifiable data for this purpose without consent.
- Industry benchmarking and marketing: generating aggregated, anonymised Benchmark Reports describing software delivery patterns, productivity trends, and AI adoption rates across our customer base. We use these reports in our marketing materials and public communications to demonstrate Platform value. All data used for this purpose is aggregated across a minimum of five customer organisations before publication. See Section 3A for full detail.
- Communications: sending account notifications, security alerts, product updates, and (where you have opted in) marketing communications about Konductro.
- Legal and regulatory compliance: meeting our obligations under POPIA, the Cybercrimes Act, and other applicable South African law.
AI and your data
When you use the Conductor AI assistant, your inputs are sent to Anthropic's API. This is necessary to generate responses. Anthropic's API terms provide that data submitted via API is not used to train their foundational models. We do not opt any of our customers into AI training. You can read more about Anthropic's data practices at anthropic.com/privacy.
3A. Platform Benchmarking and Marketing Use
This section explains how Konductro uses Platform Metrics Data — aggregate usage and operational data — for its own analytics and marketing purposes. This is distinct from our role as an Operator processing your employees' personal information on your instructions.
What is Platform Metrics Data?
Platform Metrics Data is usage and activity data generated when your organisation uses the Platform. It includes:
- Feature adoption and usage frequency — which Platform features are used, how often, and by how many users in your organisation
- Aggregate project, story, task, and test case counts at the organisational level
- Aggregate delivery cycle metrics — cycle time ranges, rework rates, sprint cadence, planning overhead — measured across your organisation as a whole
- AI usage volumes and prompt category patterns at the organisational level
- AI Usage Cap consumption patterns
- Your industry sector, organisation size, and geographic location as provided at account setup
Platform Metrics Data does not include: the content of your requirements, architecture documents, source code, or acceptance criteria; named individual employee performance data; or any Special Personal Information.
How we use Platform Metrics Data
Konductro uses Platform Metrics Data as a Responsible Party in its own right (not as your Operator) for the following purposes:
- Operating and improving the Platform — understanding how features are used helps us fix problems and prioritise development.
- Generating Benchmark Reports — we combine and anonymise Platform Metrics Data across our customer base to produce industry benchmarks describing software delivery performance, AI adoption rates, and productivity trends across South African and international software teams.
- Marketing — we publish statistics and insights derived from Benchmark Reports in our website, sales collateral, and public marketing materials to demonstrate the value that teams experience when using Konductro. For example: "Konductro customers reduce average cycle time by X%" or "Teams on Konductro run an average of Y test cases per sprint."
- Product research and commercial strategy — internal analysis of Platform Metrics Data informs our roadmap and pricing decisions.
How we protect your identity in marketing use
We apply the following protections before using Platform Metrics Data in any external Benchmark Report or marketing material:
- Your organisation is never named in Benchmark Reports or marketing materials without your separate written consent.
- All data used in Benchmark Reports is aggregated across a minimum of five separate customer organisations before publication — no individual customer's data is identifiable in isolation.
- We do not publish your specific project counts, cycle times, or individual operational metrics in any form that would allow a competitor or third party to identify your organisation's internal delivery performance.
Your opt-out right
You may opt out of having your Platform Metrics Data included in Benchmark Reports and external marketing materials at any time by emailing privacy@konductro.com with the subject line "Benchmark opt-out — [your organisation name]".
Opt-out applies to future Benchmark Reports and publications only. We are not required to retroactively remove aggregated data from materials that have already been published, as individual organisations cannot be identified in those materials anyway.
Opting out of Benchmark Reports does not affect our right to use your Platform Metrics Data for internal operational monitoring and product improvement purposes, which are necessary to operate and maintain the Platform.
4. Who We Share Your Personal Information With
We do not sell personal information to third parties. We share personal information only as described below:
4.1 Sub-Processors
We use third-party service providers (sub-processors) to help us deliver the Platform. Each sub-processor is bound by a data processing agreement:
| Provider | Country | Purpose |
|---|---|---|
| Amazon Web Services | Ireland / United States | Cloud hosting, database storage, and compute infrastructure |
| Anthropic, Inc. | United States | AI language model API powering the Conductor assistant |
| Microsoft Corporation | EU / United States | Teams integration for workflow notifications (where applicable) |
4.2 Legal Disclosures
We may disclose personal information to law enforcement, regulators, or courts if required by South African law (including the Cybercrimes Act 19 of 2020), court order, or regulatory requirement. Where permitted, we will notify you before making such a disclosure.
4.3 Business Transfers
If Konductro (Pty) Ltd or Konductro Holdings (Pty) Ltd is acquired, merges with another company, or sells substantially all of its assets (including the Platform), personal information may be transferred to the acquiring entity, subject to the same protections described in this Policy.
5. Cross-Border Transfer of Personal Information
South Africa's POPIA restricts the transfer of personal information to countries that do not have equivalent data protection laws. Our sub-processors (Amazon Web Services and Anthropic) are based in the United States, which does not currently have a formal adequacy designation under POPIA.
We manage this by:
- Entering into data processing agreements with each sub-processor that include protections equivalent to those required by POPIA.
- Selecting sub-processors that maintain appropriate security certifications (such as ISO 27001 and SOC 2).
- Limiting the personal information transferred to what is strictly necessary for service delivery.
By using the Platform, you consent to these cross-border transfers as necessary to deliver the contracted services.
6. How Long We Keep Your Personal Information
We retain personal information only for as long as necessary for the purposes described in this Policy:
| Category | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of subscription + 30 days | Service delivery and data export window |
| Billing records and invoices | 5 years after contract end | South African tax and accounting obligations |
| Security and audit logs | 12 months | Security monitoring and incident investigation |
| Support communications | 3 years | Quality assurance and legal protection |
| Marketing opt-in records | Until opt-out + 3 years | Proof of consent |
After the applicable retention period, personal information is securely deleted or anonymised.
7. Your Rights Under POPIA
As a Data Subject under POPIA, you have the following rights:
- Right to access: You can request a copy of the personal information we hold about you.
- Right to correction: You can ask us to correct any inaccurate or incomplete personal information.
- Right to deletion: You can ask us to delete your personal information where we no longer have a lawful basis for holding it (subject to our legal retention obligations).
- Right to object: You can object to the processing of your personal information for direct marketing or on legitimate interest grounds.
- Right to restrict processing: You can ask us to limit how we process your information in certain circumstances.
- Right to data portability: You can request your account data in a standard machine-readable format.
- Right to complain: If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with the Information Regulator of South Africa (see Section 11).
- Right to opt out of Benchmark Reports: You may instruct us not to include your organisation's Platform Metrics Data in our external Benchmark Reports and marketing materials. See Section 3A for how to exercise this right.
To exercise any of these rights, please email privacy@konductro.com. We will respond within 30 days of receiving a valid written request, in accordance with POPIA requirements.
8. Security
We implement technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. Our measures include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Access controls based on the principle of least privilege
- Multi-factor authentication for platform access
- Regular security assessments of our infrastructure
- Incident response procedures aligned with the Cybercrimes Act 19 of 2020
In the event of a security compromise that involves your personal information, we will notify you and the Information Regulator as required by section 22 of POPIA.
9. Cookies and Tracking
Our website (konductro.com) and platform use cookies and similar technologies sparingly. We use:
- Essential cookies: required for the Platform to function, including authentication session cookies. These cannot be disabled.
- Analytics (cookieless): we use a privacy-friendly, cookieless analytics tool (Plausible) to understand how visitors use our website. It does not set cookies, does not track you across sites, and collects only aggregated, anonymised data. Because no analytics cookies are set, there is nothing to opt out of and no cookie-consent banner is required.
- Preference cookies: remember your platform settings and preferences.
We do not use advertising or third-party tracking cookies. You can manage cookies through your browser settings; disabling essential cookies will affect Platform functionality.
10. Children
The Konductro Platform is designed for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected personal information from a minor, please contact us at privacy@konductro.com and we will delete it promptly.
11. The Information Regulator
You have the right to lodge a complaint with the Information Regulator of South Africa if you believe we have handled your personal information unlawfully. Contact details:
- Website: inforegulator.org.za
- Email: inforeg@justice.gov.za
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Telephone: 010 023 5207
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the effective date at the top of this Policy
- Notify registered account administrators by email
- Display a notice on the Platform for 30 days following the change
Continued use of the Platform after the effective date of the updated Policy constitutes acceptance of the changes.
13. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal information, please contact us:
- Email: privacy@konductro.com
- Website: konductro.com/privacy
- Subject line: Privacy enquiry — [your organisation name]
We aim to respond to all privacy-related communications within 5 business days. For formal Data Subject access requests, we will respond within 30 days as required by POPIA.