Introduction
Pagio (“we,” “our,” or “us”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our RAG (Retrieval-Augmented Generation) engine platform, including our website, mobile application, and related services (collectively, the “Service”).
This Privacy Policy applies to all users, including those on our free tier (with limited chats) and our paid subscription tier (R50.00 per month). By using the Service, you consent to the data practices described in this policy.
Key Commitment: Your uploaded documents and chat history are private and visible only to you. Pagio is a personal knowledge management tool, not a social platform. We do not share your content with other users under any circumstances except as required by law.
Information We Collect
Account Information
When you register for an account, we collect:
- Email address – used for account verification, login, and service communications
- Password – stored using bcrypt hashing with a work factor of 12 (never stored in plain text)
- Subscription status – indicates whether you are on the free tier or paid tier
- Account creation timestamp and last login timestamp
User Content (PDF Documents)
You retain full ownership of all PDF documents you upload to your personal online library. To provide the RAG service, we process:
- Original PDF files – stored and backed up until you delete them
- Extracted text content – indexed and chunked for retrieval
- Document chunks (passages) – stored for retrieval purposes
- Vector embeddings – numerical representations used for semantic search
- Document metadata – filename, size, upload date, page count
Your Content is Private: These documents and their processed data are accessible only to you. No other user can see, search, or interact with your documents.
Chat Data
When you interact with the RAG engine, we collect:
- Your questions/prompts – processed to generate responses
- Retrieved document passages – temporarily combined with your question for context
- AI-generated responses – delivered back to you
- Response timestamps – for usage tracking
- Chat session IDs – to maintain conversation continuity
Free Tier Users: Your chat history is retained for 14 days to help you continue conversations.
Paid Tier Users: Your chat history is retained for 90 days, and you may export your chat history at any time.
Usage Data (Freemium Tracking)
To manage the free tier limitations, we track:
- Number of chat messages sent per user per billing period
- Number of documents uploaded (free tier has limits)
- Total storage used (MB/GB)
- Feature usage patterns (e.g., document upload frequency, chat session length)
This data is used solely to enforce tier limits and improve service quality. We do not sell this data to third parties.
Automatically Collected Information
- IP address – collected for security and rate limiting
- Browser type and version – for compatibility and performance optimization
- Device information (operating system, device model) – for troubleshooting
- Referrer URLs – to understand how users find our Service
- Performance logs (response times, error rates) – to monitor RAG engine health
Payment Information
For paid subscription users:
- Billing information – processed by our third-party payment processor (Stripe/PayFast/Yoco). We do not store full credit card numbers on our servers.
- Subscription status (active, cancelled, past due) – stored in our database
- Payment history (transaction dates, amounts, invoice references) – retained for 7 years for accounting and legal compliance (South African tax law requirements)
How We Use Your Data
We use the information we collect for the following purposes:
- To provide, maintain, and improve our RAG services
- To authenticate your account and provide secure access to the Service
- To store and process documents you upload
- To generate AI responses to your questions based on your documents
- To enforce free tier limits (tracking message counts, storage usage)
- To manage subscriptions and process payments
- To communicate with you about updates, security alerts, and support messages
- To detect, prevent, and address technical issues and security vulnerabilities
- To comply with legal obligations and enforce our terms
- To maintain the privacy and isolation of your personal library – we implement strict access controls to ensure that your documents and chat history are visible only to you
Data Sharing: We do not sell, trade, or rent your personal information to third parties. We share data only with essential service providers (LLM providers, vector database providers, cloud storage, payment processors) under strict confidentiality agreements. We do not use your documents or chat history to train our AI models unless you explicitly opt in.
Your Private Library
Pagio is designed as a personal, private knowledge management tool. We do not offer social features, content sharing, or public profiles. As a result:
- No other user can see your uploaded documents – there is no directory, search index, or discovery mechanism that exposes your documents to anyone else
- No other user can access your chat history – your questions and AI responses are stored only in your account and are not visible to any other user
- No other user can view your document metadata – filenames, upload dates, page counts, and other metadata are strictly tied to your account
- No other user can search your content – your document text and embeddings are isolated using row-level security in our database
- We do not have any feature to share documents or chats – if you wish to share content with others, you must do so manually outside the Service
The only circumstances in which your private library could be accessed by someone other than you are:
- Legal requirement: We receive a valid court order, subpoena, or other binding legal process requiring disclosure (we will notify you where legally permitted)
- You voluntarily share: You choose to share your screen, export your data, or provide your login credentials to someone else (we strongly advise against sharing credentials)
- Security breach: In the unlikely event of a data breach that compromises our systems (we will notify you and all affected users as required by law)
No data mining or surveillance: We do not mine your documents, analyze your content for advertising purposes, or train AI models on your private data. Your library remains yours, and yours alone.
Data Sharing
We share your information only in the following circumstances:
Third-Party Service Providers (Essential for RAG Operation)
- LLM Provider (e.g., OpenAI, Anthropic) – receives your question and retrieved document passages to generate responses. We request zero-data retention.
- Vector Database Provider (e.g., Pinecone, Supabase) – stores document embeddings. Cannot be reverse-engineered to original text.
- Cloud Storage Provider (e.g., AWS S3, Google Cloud Storage) – stores encrypted PDF files.
- Payment Processor (Stripe/PayFast/Yoco) – processes subscription payments. No full card details stored by us.
Legal Compliance
We may disclose your information if required by law or valid legal process (court order, subpoena).
Business Transfers
If Pagio is acquired or merges, your information may be transferred. We will notify you.
What We Do NOT Share: We do not sell your personal information. We do not share your PDFs except as necessary for the RAG service. We do not use your data to train AI models without your explicit opt-in. We do not share your email for marketing without consent.
Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Passwords are securely hashed using bcrypt with a work factor of 12
- Uploaded PDFs are encrypted at rest using AES-256
- All data in transit is encrypted using TLS 1.3
- Vector embeddings are stored in a database with row-level security ensuring user isolation
- API keys for LLM and vector database providers are rotated every 90 days
- Regular security assessments and monitoring are conducted
- Access logs are maintained for audit purposes
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure.
Free Tier vs. Paid Tier Security: Both tiers receive the same level of security protection. The only differences are usage limits and retention periods, not security posture.
Data Retention
Retention by Tier
- Free Tier: Chat history retained for 14 days; usage logs retained for 30 days
- Paid Tier: Chat history retained for 90 days; usage logs retained for 90 days
- Both Tiers: PDFs and embeddings retained until you delete them or close your account
Account Deletion
When you delete your account:
- All PDFs are permanently removed from active storage within 7 days
- All vector embeddings are purged from the vector database within 7 days
- Chat history is deleted immediately
- Backups may retain data for up to 30 days after deletion
Inactive Accounts (Free Tier Only)
If your free tier account remains inactive (no logins, no document uploads, no chats) for 6 consecutive months, we will send a warning email. If no action is taken within 30 days, your account and all associated data will be permanently deleted.
Your Rights
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request access to the personal information we hold about you
- Correction: Update or correct your account information through your account settings
- Deletion: Request deletion of your personal information
- Objection: Object to certain processing of your personal information
- Portability: Paid tier users can request a copy of their data in JSON or CSV format
To exercise these rights, contact us at metueldipuo@gmail.com.
Cookie Policy
This Cookie Policy explains how Pagio uses cookies and similar tracking technologies.
GDPR Addendum – For European Union Users
Scope & Legal Basis for Processing
If you are located in the EEA or UK, Pagio is the data controller. Our legal bases are:
- Contractual Necessity (Article 6(1)(b)): Processing necessary to provide the RAG service
- Legal Obligation (Article 6(1)(c)): Compliance with tax and other laws
- Legitimate Interests (Article 6(1)(f)): Service improvement, fraud prevention, security
- Consent (Article 6(1)(a)): For analytics cookies and optional data sharing
Your GDPR Rights
Under GDPR, you have the right to:
- Access (Article 15) – request a copy of your data
- Rectification (Article 16) – correct inaccurate data
- Erasure (Article 17) – request deletion (“right to be forgotten”)
- Restriction (Article 18) – limit how we use your data
- Portability (Article 20) – receive your data in a machine-readable format (paid tier only)
- Objection (Article 21) – object to processing based on legitimate interests
- Withdraw Consent (Article 7(3)) – withdraw consent where given
- Lodge a Complaint (Article 77) – complain to your local supervisory authority
To exercise these rights, email pagio.app@gmail.com with “GDPR Request” in the subject line.
International Data Transfers
We transfer data to the US (LLM providers, cloud storage) and EU (vector databases). We use Standard Contractual Clauses (SCCs) as safeguards.
Data Protection Officer (DPO)
Contact our DPO: pagio.app@gmail.com (ATTN: DPO)
POPIA Compliance – For South African Users
Scope & Application
Pagio complies with the Protection of Personal Information Act, 2013 (POPIA). We are an “responsible party” under POPIA.
The eight conditions for lawful processing under POPIA:
- Accountability
- Processing Limitation
- Purpose Specification
- Further Processing Limitation
- Information Quality
- Openness
- Security Safeguards
- Data Subject Participation
Your POPIA Rights
- Right to be Informed (Section 18) – understand what data we collect and why
- Right to Access (Section 23) – request a copy of your data
- Right to Request Correction (Section 24) – correct inaccurate data
- Right to Object (Section 11(3)) – object to processing on reasonable grounds
- Right to Withdraw Consent (Section 11(1)(a)) – withdraw consent where given
- Right to Complain (Section 55) – lodge a complaint with the Information Regulator
Security Measures (POPIA Section 19)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access controls based on least privilege
- Regular security audits
- Data breach response plan with 72-hour notification to Information Regulator
Your Private Library Under POPIA
Under POPIA, you have the right to have your personal information kept confidential. Pagio ensures that your uploaded documents and chat history are accessible only to you through:
- Strict access controls – database row-level security prevents cross-user access
- Isolated vector embeddings – searches only retrieve from YOUR documents
- No cross-user indexing – no global search index exposing your content
- Audit logging – logs of all access for review
Your library is your private space. No other user can see your documents or chat history. Period.
Lodging Complaints with the Information Regulator
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za
Website: https://www.justice.gov.za/inforeg/
Children's Privacy
Our Service is not directed to individuals under 15 years of age. We do not knowingly collect personal information from children under 15. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the “Last Updated” date, and providing in-app notifications for material changes.
Your continued use of the Service after any changes constitutes your acceptance of the new Privacy Policy.
Contact Information
Privacy Officer: Pagio Data Protection Team
Email: metueldipuo@gmail.com
Response Time: We aim to respond within 2–3 business days (privacy/GDPR/POPIA requests within 30 days).
This Privacy Policy, together with our Terms of Use, Cookie Policy, GDPR Addendum, and POPIA Compliance section, constitutes the complete privacy framework for Pagio. Your trust is our priority.