VRL-AUTO-002 | Security & Privacy

How We Find Buyers — Safely.

A complete methodology for ethical signal mining, POPIA compliance, and people-first data practices in the South African automotive industry.

Published: April 2026
Authors: Jess (AI) + VRL Editorial
Publisher: Visio Research Labs
License: CC BY 4.0

Abstract

Visio Auto operates an AI-powered lead generation platform for South African car dealerships. Our agents identify high-intent vehicle buyers by connecting publicly available signals across financial, corporate, lifecycle, behavioural, and social data sources. This paper documents our complete methodology, our POPIA compliance framework, our technical safeguards, and the principles that govern every signal we process. We publish this paper because we believe trust is built through transparency — not asserted through claims.

1. Why this paper exists

When a dealership partner asks us “how do you find these buyers?” the wrong answer is “trade secret.” The right answer is to hand them this paper.

Lead generation platforms have a reputation problem. Many operate as black boxes, scraping whatever they can find, buying breach data, and sending unsolicited messages without any legal grounding. We refuse to operate that way. South African dealerships are increasingly being held to account for the practices of their data suppliers — and rightly so.

This paper exists so that any dealership partner, any dealership's legal counsel, any Information Officer, and any data subject can read exactly how we operate. Every claim in this document is verifiable. Every method is auditable. If any practice described here changes, this paper will be updated and version-controlled.

2. What we are, and what we are not

Visio Auto is an AI agent platform. We deploy autonomous agents that monitor public data sources for signals indicating that a person or business is likely to purchase a vehicle in the near future. When we identify a high-intent prospect, we deliver that prospect to a dealership partner along with full context, suggested approach, and the legal basis for the outreach.

We are:

  • An automated signal aggregator processing publicly available data
  • A POPIA-registered Responsible Party with a designated Information Officer
  • A research-driven platform publishing our methodology openly
  • A people-first organisation that treats every data subject with the same care we'd expect for ourselves

We are not:

  • A breach data buyer — we never purchase data from data leaks, dumps, or stolen sources
  • An illegal scraper — we do not scrape sites in violation of their terms of service or robot exclusion protocols where applicable
  • A spam house — we do not send unsolicited bulk communications outside POPIA Section 69 grounds
  • A re-seller of personal data — we do not sell, transfer, or share data subject information outside our explicit dealership partner relationships

3. The legal framework

South Africa's primary data protection law is the Protection of Personal Information Act, 2013 (Act No. 4 of 2013), commonly referred to as POPIA. POPIA came into full force on 1 July 2021 and is enforced by the Information Regulator of South Africa.

POPIA applies to the processing of personal information by a Responsible Party in South Africa. Visio Auto is a Responsible Party. Our processing must therefore meet POPIA's eight conditions for lawful processing, plus the additional requirements for direct marketing, special personal information, and automated decision-making.

3.1 The Eight Conditions (Section 4)

POPIA requires every Responsible Party to comply with eight conditions when processing personal information. We address each in detail below:

| # | Condition | How Visio Auto complies |
|---|-----------|-------------------------|
| 1 | Accountability | Designated Information Officer registered with the Regulator. Annual compliance audit. Public methodology paper. |
| 2 | Processing Limitation | Only data necessary for buyer identification. Lawful basis documented per signal type. Data minimisation enforced. |
| 3 | Purpose Specification | Single explicit purpose: identifying potential vehicle buyers for dealership partners. Retention limited to active processing. |
| 4 | Further Processing Limitation | No secondary use of data. No sale to third parties. Data shared only with the specific dealership partner the lead is matched to. |
| 5 | Information Quality | All signal sources verified. Confidence scoring on every data point. Subjects can correct or update information about themselves. |
| 6 | Openness | This paper. PAIA manual published. Information Officer contact details public. Data sources disclosed to subjects on request. |
| 7 | Security Safeguards | AES-256 encryption at rest, TLS 1.3 in transit. EU-West datacentre. Access controls. Audit logs. See Section 5. |
| 8 | Data Subject Participation | Public unsubscribe portal. Right to access, object, correct, and delete. 7-day response SLA. |

3.2 Lawful basis under Section 11

POPIA Section 11 sets out the lawful bases for processing. Visio Auto's primary lawful basis is Section 11(1)(f) — the legitimate interests of the responsible party or of a third party to whom the information is supplied. This is the same lawful basis used by Bloomberg, Crunchbase, ZoomInfo, and other research-driven business intelligence platforms operating in POPIA-equivalent jurisdictions (GDPR Article 6(1)(f)).

For each signal type we process, we conduct and document a three-part legitimate interest balancing test:

  1. Purpose test: Is there a legitimate interest? (Yes — matching qualified buyers to legitimate dealerships serves both parties and the broader market.)
  2. Necessity test: Is the processing necessary to achieve the purpose? (Yes — signal-based identification is significantly less intrusive than mass cold-calling.)
  3. Balancing test: Does the data subject's interest in privacy override the legitimate interest? (Documented per signal — we exclude any signal where the answer is yes.)

3.3 Section 69 — Direct Marketing

POPIA Section 69 governs unsolicited electronic communications for direct marketing purposes. It requires either prior consent (opt-in) or, for existing customers, a clear opt-out mechanism. Visio Auto's practice is to operate under Section 69(3)(c) where the data subject is contacted by a dealership partner with whom they have a pre-existing or contextual relationship (e.g., a customer whose vehicle finance is expiring with the same dealership group), and to require explicit opt-in consent for all other outreach.

Every outreach communication sent through our platform includes:

  • A clear identification of the sender (the dealership)
  • An explanation of how the recipient's data was identified (signal source disclosed)
  • A one-click unsubscribe link routed to our central opt-out database
  • Contact details for our Information Officer

4. The signal sources we use

Every signal Visio Auto processes comes from one of the following categories of public, legally accessible data. We disclose this in detail because transparency is the only way trust survives scrutiny.

4.1 Public regulatory data

  • CIPC (Companies and Intellectual Property Commission): New business registrations, director appointments, annual returns. CIPC data is public by statute under the Companies Act.
  • Deeds Office: Property purchase records. Public under the Deeds Registries Act.
  • Government Gazette: Tender awards, public sector announcements, insolvency proceedings.
  • JSE SENS: Stock Exchange News Service announcements from listed companies.

4.2 Public news and press

  • Daily Maverick, Business Day, Forbes Africa, Reuters, Bloomberg South Africa, news24, BusinessTech.
  • Press releases issued by companies, individuals, or representatives.
  • Industry trade publications and announcements.

4.3 Public professional networks

  • LinkedIn public profile data — only fields the user has chosen to make public, accessed in compliance with LinkedIn's terms of service.
  • Public job postings on platforms permitted under their terms.

4.4 Public social signals

  • Public posts and comments on YouTube, Reddit, public Facebook pages, X/Twitter, and Instagram — only content explicitly published as public by the author.
  • We do not access private profiles, private groups, or any content gated behind authentication or friend-list permissions.
  • We do not use automated account creation, fake personas, or social engineering to access otherwise-private content.

4.5 Behavioural data via partner integrations

  • Where a dealership partner has obtained explicit consent from a customer to share behavioural data (e.g., website visit history, search behaviour on dealership-owned domains), we process that data on the partner's behalf as an Operator.
  • We do not aggregate or re-use this data outside the originating dealership relationship.

4.6 What we do not access

For absolute clarity, the following sources are never used by Visio Auto under any circumstances:

  • Breach data, leaked credentials, or any data of unauthorised origin
  • Private bank statements, credit reports, or financial records (without explicit consent and a contractual purpose)
  • Medical records of any kind
  • Children's data — we exclude any subject we identify as under 18 unless processing relates to licence eligibility for parental consideration only
  • Special personal information as defined in POPIA Section 26 (race, religion, political affiliation, biometric data, sexual orientation, etc.)
  • Data scraped in violation of platform terms of service or robots.txt directives

5. Technical safeguards

POPIA Condition 7 requires “appropriate, reasonable technical and organisational measures” to secure personal information. Our implementation goes beyond the minimum:

5.1 Encryption

  • All personal information encrypted at rest using AES-256-GCM
  • All data in transit protected with TLS 1.3
  • Database connections require certificate-based mutual TLS
  • Application-level secrets stored in encrypted vaults with rotation policies

5.2 Access controls

  • Role-based access control (RBAC) for all internal systems
  • Multi-factor authentication mandatory for all privileged accounts
  • Principle of least privilege enforced at the row level for dealership data isolation
  • Service accounts use short-lived credentials, never long-term API keys

5.3 Audit and logging

  • Every signal processed is logged with source, timestamp, lawful basis, and processing purpose
  • Every dealership partner action is auditable
  • Logs retained for 7 years to support data subject access requests
  • Logs themselves are protected and access-controlled

5.4 Data minimisation and retention

  • Signal data is processed in a streaming fashion — we do not maintain bulk databases of personal information beyond what is needed for active matching
  • Unmatched signals are purged within 30 days
  • Matched leads are retained for the duration of the dealership relationship plus 12 months for audit, then deleted
  • Opt-out records are retained indefinitely (required to honour ongoing opt-out wishes)
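
The retention rules above expressed as a purge decision, added here as an example and not Visio Auto's own code. The record kinds, field names and functions are assumptions, and "12 months" is read as 12 calendar months after the relationship ends.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

UNMATCHED_TTL = timedelta(days=30)  # unmatched signals: purged within 30 days
AUDIT_MONTHS = 12                   # matched leads: relationship end + 12 months


def add_months(d: date, months: int) -> date:
    """Calendar-month addition that clamps the day (29 Feb + 12 months -> 28 Feb)."""
    idx = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(idx, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


@dataclass(frozen=True)
class Record:
    kind: str                                  # "unmatched_signal" | "matched_lead" | "opt_out"
    created: date                              # ingestion date of the signal
    relationship_ended: Optional[date] = None  # matched leads only; None = still active


def purge_due(rec: Record, today: date) -> bool:
    """Return True when the record must be gone by `today`."""
    if rec.kind == "opt_out":
        return False  # kept indefinitely so the opt-out keeps being honoured
    if rec.kind == "unmatched_signal":
        return today - rec.created >= UNMATCHED_TTL
    if rec.kind == "matched_lead":
        if rec.relationship_ended is None:
            return False  # relationship active: the audit clock has not started
        return today >= add_months(rec.relationship_ended, AUDIT_MONTHS)
    # Fail closed: a record type with no retention rule must not be kept silently.
    raise ValueError(f"no retention rule for record kind {rec.kind!r}")


def sweep(records: list[Record], today: date) -> list[Record]:
    """Records a scheduled purge job should delete on `today`."""
    return [r for r in records if purge_due(r, today)]


# Constructed sample records, for illustration only.
SAMPLE = [
    Record("unmatched_signal", date(2026, 3, 1)),
    Record("matched_lead", date(2023, 6, 1), relationship_ended=date(2024, 2, 29)),
    Record("matched_lead", date(2025, 1, 10)),  # relationship still active
    Record("opt_out", date(2021, 7, 1)),
]
```

Raising on an unknown record kind means a new data type cannot enter the store without someone deciding its retention period first.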

5.5 Infrastructure

  • Hosted on Vercel Functions and Supabase (EU-West-1) — both POPIA-equivalent jurisdictions under GDPR
  • Cross-border transfer compliance under POPIA Section 72 documented
  • Regular penetration testing by third-party security firms
  • Vulnerability disclosure programme open to the public

6. Data subject rights — in practice

POPIA grants data subjects specific rights. Here is exactly how we honour them:

Right to access (Section 23)

Any individual can request a copy of all personal information we hold about them by emailing our Information Officer. We respond within 7 working days with: (1) a list of every signal we've processed about them, (2) the source of each signal, (3) the lawful basis, (4) the dealerships that received the lead, if any.

Right to object (Section 11(3))

Any individual can object to processing on legitimate interest grounds. We honour every objection received and immediately cease processing — no “balancing test” debates. The subject is added to our opt-out database and excluded from all future signal matching.

Right to correction (Section 24)

If a subject identifies incorrect information, we correct it within 7 working days and notify any dealership partner who received the affected lead.

Right to deletion (Section 24)

Any subject can request deletion of their personal information. We delete within 7 working days and confirm in writing. Deletion is propagated to all backups within 30 days.

Right to complain

Any subject who believes we have not honoured their rights can complain directly to the Information Regulator at inforegulator.org.za. We cooperate fully with all regulatory enquiries.

7. The case study — anonymised

On our landing page we tell the story of a YouTube comment that led to a R5.2M Porsche sale. Here is how that case study aligns with the framework above:

Methodology Walkthrough

Source 1: Public YouTube comment on a public review video. Lawful basis: legitimate interest (Section 11(1)(f)). Information voluntarily published by the subject for public consumption.

Source 2: Public Deeds Office property record. Lawful basis: statutory public access under the Deeds Registries Act.

Source 3: Public LinkedIn profile (subject's own published professional profile). Lawful basis: legitimate interest, contextually appropriate.

Source 4: Public Instagram post by spouse celebrating an anniversary. Excluded from final lead because it constituted information about a third party (the spouse) that the subject had not himself published. We use this signal for context confirmation only and do not store it.

Outreach: The Cape Town Porsche Centre received the lead with a documented lawful basis trail. Their outreach was a discreet phone call — not a bulk SMS or email blast. The call disclosed how the dealership had identified him and offered a one-click opt-out link for any future communications. Section 69 compliant.

Outcome: A genuine match between a buyer who was actively looking and a dealer who had the inventory. Both parties benefitted. The subject retains all rights to access, object, and delete his data at any time.

8. Information Officer

Visio Auto's designated Information Officer is registered with the Information Regulator and can be contacted at:

  • Email: privacy@visiocorp.co
  • Postal: VisioCorp (Pty) Ltd, c/o Information Officer, [address on file with Regulator]
  • Response SLA: 7 working days for all data subject requests

9. Recent enforcement context

Enforcement under POPIA has accelerated significantly since 2022. Notable matters relevant to AI, data, and lead generation:

  • Department of Justice (July 2023) — First major enforcement notice. R5 million administrative fine for failure to renew SITA security cluster licence after a 2021 ransomware attack. Established that the Information Regulator will impose maximum statutory fines (Section 109 — up to R10 million) for systemic security failures.
  • Dis-Chem Pharmacies (October 2022) — Enforcement notice following a breach affecting 3.6 million data subjects via a third-party operator. Significant for confirming that operator liability flows back to the responsible party if Section 21 contracts are inadequate. Lesson for signal-mining platforms: airtight operator agreements with every sub-processor are non-negotiable.
  • TransUnion (March 2022) — N4ughtySecTU breach affecting 54 million records. Underscored the Regulator's expectation of advanced security controls (encryption, segmentation, anomaly detection) for any party holding large volumes of personal information.
  • Information Regulator vs WhatsApp (ongoing since 2021) — Established the principle that terms-of-use changes affecting South African users are reviewable under POPIA, regardless of the controller's place of establishment.

At the time of publication, no SA enforcement case directly involves AI inference or web scraping for lead generation. This paper's framework therefore draws on the structural reading of POPIA, the Information Regulator's published guidance notes, and analogous GDPR enforcement (notably the CNIL fines against Tagadamedia and Criteo for legitimate interest failures in 2023) as forward-looking indicators.

Visio Auto operates well within the lawful envelope of POPIA. We publish this paper so that every dealer partner, every legal counsel, and every regulator can verify that for themselves.

10. Versioning and change log

| Version | Date | Changes |
|---------|------|---------|
| 1.0 | April 2026 | Initial publication. |

11. Closing

We publish this paper because we believe the future of lead generation has to be transparent, compliant, and people-first. The industry has a long history of operating in shadows. We are choosing not to.

If you are a dealership partner, this is the document we will hand your legal team. If you are a data subject, this is how you understand what we do and how to control it. If you are a regulator, this is how you audit us. If you are a competitor, we hope this raises the bar for everyone.

We get nothing wrong by being honest about how we operate. We get everything right.


Visio Research Labs is the research arm of VisioCorp (Pty) Ltd, publishing peer-quality research on AI applications in healthcare, automotive, and music industries. This paper is published under Creative Commons Attribution 4.0 International (CC BY 4.0). You may quote, share, and republish with attribution. Cite as: Jess (2026). “How We Find Buyers — Safely”. Visio Research Labs, VRL-AUTO-002.