Privacy Policy

How The Vigilance Initiative Group collects, uses, and protects your personal information for the Vigil platform

Last Updated: 24 May 2026

1. Who We Are

The Vigilance Initiative Group (Pty) Ltd (“Company”, “we”, “us”, “our”) is a company registered in the Republic of South Africa. We provide and operate the Vigil managed DMARC platform at vigil.solutions.

Vigil Solutions is a brand and service-line name owned and used by the Company for Vigil-related services. It is not a separate legal entity, responsible party, supplier, contracting party, invoicing party, or independent commercial actor.

The Company is the responsible party as defined by the Protection of Personal Information Act 4 of 2013 (“POPIA”). In terms of POPIA Section 55, we have appointed an Information Officer who is responsible for ensuring compliance with this policy and the Act.

Responsible party: The Vigilance Initiative Group (Pty) Ltd

Information Officer: info-officer@vigil.solutions

General support: support@vigil.solutions

Telephone: 087 820 5005

2. What We Collect and Why

We collect only what is necessary to provide the service and to meet our legal obligations.

Account and identity data

When you register, we collect your name and email address. We use this to create your account, send service notifications, and communicate with you about your subscription.

Authentication data

We store hashed passwords and session tokens. Passwords are never stored in plain text. Session tokens authenticate your requests to the platform and expire on logout or after a defined period of inactivity.

DMARC aggregate report data

This is the core data the platform processes on your behalf. DMARC aggregate reports contain metadata about email authentication results: source IP addresses, sending domain names, and SPF and DKIM pass/fail status. These reports do not contain email message content, subject lines, or recipient information.

DMARC failure-report data

DMARC failure reports (RUF), historically called forensic reports, are optional advanced diagnostics. They may contain message-level failure metadata and, if retention is explicitly enabled, original-message identifiers or headers. Vigil minimises this data by default and does not treat RUF as routine reporting data.

DNS configuration data

We store the DMARC, SPF, and TLS-RPT records you configure through the platform, together with DKIM selector, result, and evidence data used for monitoring. This data is necessary to provide the managed DNS and monitoring service.

Usage analytics

If you consent to analytics cookies, we collect page views and navigation events via Google Analytics 4. This data is pseudonymised and is used to improve the platform. You can withdraw consent at any time using the cookie settings on the platform.

Support correspondence

If you contact us by email or through the support portal, we keep records of that correspondence to track and resolve your query.

3. Lawful Basis

We rely on the following bases under POPIA Section 11 for processing your personal information:

  • Contract: Processing account data, authentication data, and DMARC report data is necessary to perform the service you have contracted for.
  • Legitimate interest: Processing usage logs for security, platform stability, and fraud prevention is necessary for our legitimate operational interests, where those interests are not overridden by your rights.
  • Consent: We process usage analytics only where you have given consent via the cookie banner. You may withdraw consent at any time.
  • Legal obligation: We may process and retain certain data where required by applicable South African law.

4. Sub-Processors

We share data with the following sub-processors to operate the platform. We have data processing agreements in place with each.

Provider Data Shared Location Safeguard
Supabase Account data, authentication tokens, DMARC aggregate reports, optional minimised DMARC failure reports, DNS records EU (Frankfurt) GDPR adequacy
Amazon Web Services (SES) Email addresses (transactional email delivery) EU AWS DPA and SCCs
ipinfo.io Source IP addresses from DMARC reports United States SCCs
Google Analytics 4 Page views, navigation events (consent-gated) United States Google DPA and SCCs
Google reCAPTCHA v3 Browser behavioural signals (bot protection on public forms) United States Google DPA and SCCs

We do not sell your data to third parties and do not share it with any parties outside this list except where required by law.

5. Cross-Border Transfers

Our primary database and authentication infrastructure is hosted by Supabase in Frankfurt, Germany, which falls within the European Union. The EU is regarded as providing an adequate level of protection for personal information under POPIA Section 72.

For transfers to the United States (ipinfo.io, Google Analytics, and Google reCAPTCHA), we rely on Standard Contractual Clauses (SCCs) as the appropriate safeguard under POPIA Section 72(1)(b).

6. Your Rights

Under POPIA, you have the following rights regarding your personal information:

  • Access (Section 23): You may request a record of the personal information we hold about you.
  • Correction and deletion (Section 24): You may request that inaccurate, irrelevant, or outdated information be corrected or deleted.
  • Objection (Section 11(3)(a)): You may object to the processing of your personal information on grounds relating to your particular situation, where we rely on legitimate interest as our lawful basis.
  • Withdrawal of consent: Where processing is based on consent (analytics), you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, contact our Information Officer at info-officer@vigil.solutions. We will respond within 30 days. If your request requires verification of your identity, we will ask for reasonable confirmation before acting.

For the full contractual treatment of data subject rights, see our Terms of Service, section 7.5.

7. Data Retention

We retain personal information only for as long as necessary for the purpose for which it was collected.

  • Account and profile data: Retained for the duration of your account, and deleted 90 days after account termination.
  • DMARC aggregate report data and DNS configuration: Retained for the duration of the service agreement and deleted following account closure.
  • Authentication and session logs: Retained for 12 months from creation.
  • Support correspondence: Retained for 24 months from the date of the last message in the thread.
  • Usage analytics: Governed by Google Analytics 4 retention settings, set to 14 months.

For full details of data handling obligations on termination, see our Terms of Service, section 7.8.

8. Cookies and Tracking

We use two categories of cookies:

Essential cookies: Session tokens and authentication state cookies are required for the platform to function. You cannot opt out of these while using the service.

Analytics cookies: We use Google Analytics 4 to collect pseudonymised usage data, but only where you have given explicit consent via the cookie banner presented on your first visit. If you decline or withdraw consent, no analytics data is collected or transmitted.

We do not use advertising cookies, remarketing cookies, or cross-site tracking of any kind.

9. Bot Protection (reCAPTCHA)

We use Google reCAPTCHA v3 on certain public forms (registration, contact enquiry, and DMARC checker) to protect against automated abuse. reCAPTCHA v3 operates invisibly in the background and does not present challenges or checkboxes.

reCAPTCHA collects browser behavioural signals (such as mouse movement, scroll patterns, and typing cadence) to generate a risk score. It does not use cookies. This data is processed by Google and is subject to the Google Privacy Policy and Terms of Service.

We do not share the reCAPTCHA data with any party other than Google. The data is used solely for bot protection and is not used for advertising purposes.

10. Security

We implement the following technical and organisational measures to protect your personal information:

  • All data in transit is encrypted using TLS.
  • Data at rest is encrypted by our hosting provider (Supabase/AWS).
  • Access to production systems is restricted to authorised personnel and is controlled by role-based access.
  • Authentication tokens are short-lived and invalidated on logout.

In the event of a data breach that poses a risk to your rights and interests, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with POPIA Section 22.

11. Information Regulator

If you believe your rights under POPIA have been violated and are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)

Email: complaints.IR@justice.gov.za

Website: inforegulator.org.za

Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

We encourage you to contact us first at info-officer@vigil.solutions so we can attempt to resolve the matter directly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, the services we offer, or applicable law. When we make changes, we will update the “Last Updated” date at the top of this page. For significant changes that affect how we process your personal information, we will notify you by email or through a notice on the platform.

We recommend reviewing this page periodically. Continued use of the service after a change to this policy constitutes acceptance of the updated terms.

Questions About This Policy?

If you have any questions about how we handle your personal information or want to exercise your data subject rights, please get in touch.

Contact Us

Terms of Service