Privacy and Data Protection

Definitions and Interpretation

In this policy, the following terms bear the following meanings:

• Consent — Any voluntary, specific, and informed expression of will by which permission is given by or on behalf of a user for the processing of their personal information.
• Direct marketing — Approaching a person, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply goods or services.
• Information Officer — The designated officer responsible for ensuring compliance with POPIA. Contact details are listed in the Contact & Officer tab.
• Operator — A third party who processes personal information on our behalf in terms of a contract or mandate.
• PAIA — The Promotion of Access to Information Act 2 of 2000.
• Personal information — Any information linked to a user or that can identify a user, including but not limited to:
  • Name, gender, nationality, ID or passport number, date of birth, and home language
  • Email address, phone number, physical and postal address, and IP address
  • Financial details including banking information and transaction records
  • Account activity and service history
  • Identity documents submitted for compliance or registration services
  • Correspondence of a private or confidential nature
• POPIA — The Protection of Personal Information Act 4 of 2013, including any regulations or codes of conduct issued under it.
• Processing — Any operation performed on personal information, whether by automated or manual means, including collection, storage, use, sharing, alteration, and deletion of that information.
• Responsible Party — The entity that determines the purpose and means of processing personal information. We are the Responsible Party for all data you provide to us directly.
• Services — All products and services we provide through this website and our client portal.
• Special personal information — Information about a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political views, health, sex life, biometric data, or criminal history.
• User / you — Any person who accesses this website, creates an account, or uses our services.
• Website — This website and client portal, including all pages and subdomains.

Where context requires, singular terms include the plural and vice versa. References to legislation include any amendments to that legislation. The word include means include without limitation.

Information We Collect

We collect only the information necessary to provide our services and meet our legal obligations. We do not collect excessive or irrelevant data.

Information you provide directly:

• Identity details — Full name, South African ID or passport number, date of birth, and home language
• Contact details — Email address, mobile number, physical address, and postal address
• Company information — Registered company name, CIPC registration number, VAT or Tax number, and director details
• Financial details — Bank account details, debit order mandates, and billing history
• Compliance documents — Identity documents, proof of address, and supporting documentation submitted for CIPC, SARS, B-BBEE, COIDA, CSD, or other compliance services
• Communication records — Emails, support tickets, and chat conversations with our team

Information collected automatically:

• Technical data — IP address, browser type, operating system, device type, and screen resolution
• Usage data — Pages visited, time spent, navigation paths, and referral sources
• Session data — Login timestamps, session duration, and access logs
• Cookie data — See the Cookie Policy tab for full details

Information obtained from third parties:

• CIPC, SARS, and other government systems, as part of processing compliance requests on your behalf
• Publicly available company registries where relevant to your service

Providing your personal information is voluntary. However, if you decline to provide certain information, we may be unable to render all or some of our services, enter into contracts with you, or fulfil our statutory obligations.

Certain laws require or authorise us to collect your personal information, including POPIA, PAIA, FICA, RICA, and the Companies Act. Where required by law, we will collect and retain such information regardless of any objection.

How We Use Your Data

We process your personal information only for specific, lawful, and explicitly defined purposes directly related to our business functions. We will not use your information for any purpose incompatible with those stated here without first obtaining your written consent.

We use your information to:

• Create, manage, and administer your client account and portal access
• Provision and manage the services you have subscribed to, including web hosting, domain registration, email, and design services
• Process, submit, and track compliance applications on your behalf with CIPC, SARS, the Compensation Fund, CSD, and other authorities
• Generate and issue invoices, quotations, and billing statements
• Process payments and manage debit orders and billing cycles
• Communicate service-related notices, technical alerts, and invoice reminders
• Deliver documents and completed design or compliance work to you
• Respond to support requests, complaints, and enquiries
• Comply with our legal obligations under South African law
• Prevent fraud, unauthorised access, and abuse of our services
• Improve our website and service quality through anonymised, aggregated analytics
• Send you marketing communications where you have given consent — you may opt out at any time

If we intend to use your information for any purpose not listed above, we will notify you and obtain your written consent before doing so.

We will never sell your personal information to any third party.

Third Party Sharing

We share your personal information only when it is necessary for service delivery or required by law. We do not share your data for advertising or commercial gain with outside parties.

We may share your information with:

• Government and regulatory authorities — CIPC, SARS, the Compensation Fund, National Treasury (CSD), and other authorities, strictly for compliance services you have engaged us to perform
• Domain registrars and registry operators — Your name and contact details as required for domain registration records (WHOIS)
• Payment processors and banks — Financial information for the secure processing of payments and debit orders
• Hosting infrastructure providers — Technical and account data shared with our upstream suppliers solely to provision and manage your services
• Professional service providers — Contracted third parties who assist in delivering specific services such as B-BBEE certification or printing, bound by confidentiality obligations no less protective than this policy
• Law enforcement and courts — When we are legally required to disclose, or where disclosure is necessary to protect the safety, rights, or property of our users or the public
• Business successors — If the business is sold, restructured, or merged, personal information may be transferred to the successor entity, who will be bound by the terms of this policy

All third parties we share data with are contractually required to treat it as confidential, maintain adequate security measures, and process it only for the purpose for which it was shared. We retain written records of all such sharing arrangements.

We may publish aggregated, de-identified usage statistics that cannot be used to identify any individual user.

Other than as stated in this section, we will not share your personal information with any third party without your express written consent.

Security Measures

We are committed to protecting the personal information in our custody against loss, damage, unauthorised access, or destruction. We implement and maintain reasonable, appropriate technical and organisational safeguards.

Our security measures include:

• Encryption — All data transmitted between your browser and our systems uses industry-standard SSL/TLS encryption
• Access controls — Personal information is accessible only to authorised staff members who require it to perform their duties
• Firewalls and monitoring — Enterprise-grade firewalls and intrusion detection systems protect our infrastructure against unauthorised access
• Data backups — All personal information is backed up regularly, with backup copies stored separately from live systems
• Physical security — Physical records containing personal information are stored in secured, access-controlled facilities
• Staff training — Our team receives ongoing training on data protection obligations and information security best practices
• Operator obligations — All third-party operators who process data on our behalf are contractually required to:
  • Process information only on our instructions and within their mandate
  • Treat all personal information as strictly confidential
  • Maintain security measures equivalent to our own
  • Notify us immediately of any suspected or actual breach
  • Comply with applicable data protection laws in their jurisdiction
• Vulnerability management — We conduct regular security reviews and address identified vulnerabilities as a matter of priority

While we take every reasonable precaution, no method of electronic transmission or storage is completely secure. In the event of a breach, we will follow the notification procedure described in the Data Breaches tab.

POPIA Compliance

We are committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). The following eight conditions for lawful processing guide every aspect of how we handle your data:

• Accountability — We take full responsibility for ensuring personal information in our custody is protected and processed lawfully. We have appointed a designated Information Officer.
• Processing limitation — We collect and process personal information only with your consent, or where another lawful basis exists, such as to fulfil a contract, comply with a legal obligation, or protect a legitimate interest.
• Purpose specification — Personal information is collected for specific, explicitly defined, and lawful purposes directly related to our functions and services.
• Further processing limitation — We will not process your data for any purpose incompatible with the original stated purpose without your written consent.
• Information quality — We take reasonable steps to ensure personal information is complete, accurate, not misleading, and updated when necessary.
• Openness — We maintain documentation of all processing activities and make this policy freely available. We will notify you before collecting your information wherever practicable.
• Security safeguards — We implement appropriate technical and organisational measures to protect personal information against risk of harm.
• Data subject participation — You have the right to access, correct, and request deletion of your personal information as set out in the Your Legal Rights tab.

Special personal information: We do not routinely collect special personal information. Where such information is required for a specific compliance service, we will obtain your explicit written consent before collecting it and process it only for the stated purpose.

Cross-border transfers: Where personal information is transferred to operators or systems outside South Africa, we take steps to ensure the recipient country or organisation provides a level of protection substantially equivalent to POPIA. By using our services, you consent to such transfers as necessary for service delivery.

Information Regulator: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your rights under POPIA have been infringed. See the Contact & Officer tab for details.

Your Legal Rights

Under POPIA and PAIA, you have the following rights in relation to your personal information:

• Right of access — You may request a record of all personal information we hold about you. We will respond within 30 days of receiving a valid, complete request.
• Right to rectification — If any information we hold is inaccurate, incomplete, or out of date, you may request that we correct or update it. We will stop using disputed information until its accuracy is verified, where reasonably practicable.
• Right to erasure — You may request the deletion of your personal information where it is no longer required for the original purpose, subject to any overriding legal obligation to retain it.
• Right to object — You may object, on reasonable grounds, to the processing of your personal information at any time, including the right to opt out of direct marketing communications at any time and without penalty.
• Right to restriction — You may request that we restrict the processing of your information in certain circumstances, such as while a correction request is being reviewed.
• Right to withdraw consent — Where processing is based on your consent, you may withdraw it at any time in writing. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.
• Right to complain — You may lodge a complaint with the Information Regulator of South Africa at any time.

How to exercise your rights: Submit a written request to our Information Officer using the contact details in the Contact & Officer tab. We may require you to verify your identity before processing your request. We will respond within 30 days of a valid, complete request.

Please note: if you hold an active product or service with us, we may be unable to delete certain records that are necessary for continued service delivery, or that we are legally required to retain under South African law.

Data Retention and Deletion

We retain personal information only for as long as it is necessary to fulfil the purposes for which it was collected, or as required by applicable South African law. We do not retain information indefinitely without lawful basis.

General retention periods:

• Active account data — Retained for the duration of your account and service relationship with us
• Billing and invoice records — Retained for a minimum of 5 years as required by the South African Income Tax Act and the Value Added Tax Act
• Compliance service documents (CIPC, SARS, B-BBEE, CSD) — Retained for as long as required by the relevant regulatory authority, typically a minimum of 5 years
• Support and communication records — Retained for a minimum of 3 years from the date of the last interaction
• Technical and server access logs — Retained for up to 12 months for security and diagnostic purposes
• Marketing consent records — Retained for as long as you remain subscribed, or for 3 years after you opt out, whichever is longer

Deletion and destruction: When we are no longer lawfully authorised or required to retain personal information, we will ensure it is permanently deleted or destroyed in a secure manner as soon as reasonably practicable. Physical documents are shredded; digital records are securely wiped and removed from backup systems within the applicable retention window.

Requesting deletion: Contact our Information Officer in writing. We will assess your request within 30 days and advise you of the outcome. Where deletion is not possible due to legal obligations, we will inform you and explain the applicable retention requirements.

Data Breach Notification

Despite our security measures, no system is entirely immune to a data breach. In the event that personal information in our custody is compromised, we will act promptly and responsibly in accordance with section 22 of POPIA.

Our breach response procedure:

• Identification — Upon discovering or suspecting a breach, we will immediately investigate to determine the scope, cause, and nature of the compromised information
• Containment — We will take immediate steps to contain the breach, prevent further exposure, and secure all affected systems
• Assessment — We will assess the potential harm to affected users and determine whether the breach poses a real risk of harm
• Notification to affected users — Where a breach poses a real risk of harm, we will notify affected users at their registered contact details as soon as reasonably practicable
• Notification to the Information Regulator — We will report qualifying breaches to the Information Regulator of South Africa without unreasonable delay
• Remediation — We will advise affected users of the steps they should take to protect themselves and the potential consequences of the breach

Our notification to you will include:

• The nature and type of personal information that was compromised
• The identity of any unauthorised party involved, if known
• Whether we have been able to restore the integrity of the information
• Recommended protective steps you should take
• Our Information Officer's contact details

If you suspect that your account or personal information has been compromised, please contact our Information Officer immediately using the details in the Contact & Officer tab.

Cookie Policy

Cookies are small text files stored on your device by your browser when you visit our website. They help us provide a functional, secure, and improved experience.

Types of cookies we use:

• Essential cookies — Required for the website and client portal to function. These include session management, login authentication, and security tokens. These cannot be disabled without affecting core portal functions.
• Functional cookies — Remember your preferences such as language, region, and display settings so you do not need to re-enter them on each visit.
• Analytics cookies — Collect anonymised, aggregated data about how visitors interact with our website, including pages visited, time spent, and referral sources. No individual user is identified from this data.
• Performance cookies — Help us measure the loading speed and technical performance of our website and client portal.

What we do not do:

• We do not use cookies to track your activity on other websites
• We do not sell cookie data to third parties
• We do not use cookies for behavioural advertising without your explicit consent

Third-party cookies: Certain pages may include tools or content from third-party providers such as payment gateways. These providers may set their own cookies governed by their own privacy policies. We do not control third-party cookies and are not responsible for them.

Managing cookies: You may accept or reject cookies through your browser settings at any time. Disabling essential cookies will prevent the client portal and checkout functions from working correctly. Disabling analytics cookies will not affect your ability to use any service.

By continuing to use our website without changing your cookie settings, you consent to our use of cookies as described in this section.

Policy Updates

We reserve the right to update, amend, or replace this Privacy Policy at any time to reflect:

• Changes to applicable South African legislation or regulatory guidance
• Changes to our services, business operations, or data processing activities
• Improvements to our privacy and security practices
• Directions or recommendations from the Information Regulator

All changes will be published on this page with immediate effect from the date of publication. We will not send individual notifications for routine updates. It is your responsibility to check this page periodically to remain informed of any changes.

Your continued use of our website or services after any amendment is posted constitutes your acceptance of the updated policy. If you do not agree with any changes, you must stop using our services and notify our Information Officer in writing.

Where a change materially affects how we process your personal information in a way that requires your fresh consent, we will seek that consent before the change takes effect.

This policy is governed by and interpreted in accordance with the laws of the Republic of South Africa. Any disputes arising from or in connection with this policy are subject to the jurisdiction of South African courts.

Contact Us & Information Officer

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal information, please contact our designated Information Officer. All requests must be submitted in writing.

Response times:

• General enquiries — within 2 business days
• Access, correction, and deletion requests — within 30 days of a valid written request
• Data breach reports — acknowledged within 24 hours
• Objections to processing — acknowledged within 5 business days

Information Regulator of South Africa:
If you are not satisfied with our response, or believe your rights under POPIA have been infringed, you may lodge a complaint directly with the Information Regulator:

• Website: inforegulator.org.za
• Email: complaints.IR@justice.gov.za
• Phone: 010 023 5200

This Privacy Policy is effective from the date of publication on this website and is governed by the laws of the Republic of South Africa.