Privacy Approach

Effective from 14 January 2025

When you engage with Kythrn Flundop's business communication solutions, certain details about you and your organisation become necessary for us to deliver what you need. This document explains how that information enters our systems, what happens to it while it's here, and the control mechanisms available to you.

We've structured this around the practical realities of running a communications consultancy rather than generic legal categories. You'll notice we focus on operational necessity—what we actually require to perform our work—not speculative collection.

Note: Technology-based tracking methods and analytics tools are addressed separately in our Cookie Policy, which you should review alongside this document.

Details We Obtain During Engagement

Information reaches us through three distinct pathways, each tied to a specific stage of your relationship with us.

Initial Contact Phase

When someone from your organisation first reaches out—whether through our website form, email, or phone—we record identifying elements: names of individuals involved, job titles, organisation name, contact coordinates (email addresses, phone numbers), and the nature of your inquiry. This happens at the exact moment you initiate communication. Without these basics, responding becomes impossible.

Service Delivery Requirements

Once we begin actual work together, additional operational specifics emerge. These vary wildly depending on what you've hired us to do. A communications audit requires access to different material than media training or strategy development. We might need organisational charts, past campaign data, internal communication samples, stakeholder lists, or details about your market positioning. The collection happens incrementally as project stages unfold, not as a one-time data grab.

Ongoing Account Administration

Active client relationships generate their own information trail: billing addresses, payment transaction records, meeting notes, project deliverables, feedback exchanges, contract amendments. This accumulates naturally through the course of doing business together. We don't manufacture reasons to capture additional details—what we keep serves a documented function.

Geographic location matters here: we operate from Durban, South Africa, which influences how certain legal frameworks apply to information handling. If you're based outside South Africa, cross-border data movement considerations become relevant, though the fundamental approach remains consistent.

What Drives Our Need for This Information

Data collection without clear purpose is wasteful and creates unnecessary liability. Every category of detail we work with ties back to a specific operational or legal requirement. Here is how we break down the reasoning.

Contract fulfilment represents the most straightforward justification. You hire us to solve a communications challenge; we need relevant information to deliver that solution. If we're developing an internal communications strategy, understanding your organisational structure and current channels isn't optional—it's the foundation of the work. The legal term here is "contractual necessity," but practically speaking, it's just the reality of professional service delivery.

Financial administration creates its own informational demands. South African tax law requires we maintain certain records. Payment processing involves third-party systems that have their own compliance needs. When someone pays an invoice, that transaction generates a paper trail we're obligated to preserve for specified periods. This isn't discretionary data retention—it's regulatory compliance.

Then there's the category of legitimate operational interests, which sounds vague but covers specific situations. Protecting our intellectual property, defending against legal claims, improving service quality through client feedback analysis—these represent genuine business needs that sometimes require working with client information in ways that extend beyond the immediate project scope.

Occasionally, explicit consent becomes the appropriate framework, particularly when we're exploring new service approaches or case study development. If we want to feature your project in our portfolio or share results in industry presentations, we ask directly. Consent-based processing is opt-in, not assumed.

  • Delivering the specific services outlined in our agreement with you
  • Maintaining financial records as required by South African Revenue Service regulations
  • Responding to questions, resolving issues, and providing ongoing support
  • Protecting against fraud, security incidents, or misuse of our systems
  • Analysing service performance to identify improvement opportunities
  • Fulfilling legal obligations when authorities make valid information requests

What we don't do: repurpose client information for unrelated commercial activities, sell contact lists, or engage in speculative data mining. If a proposed use falls outside the boundaries of our service relationship and legal requirements, we either seek permission or don't proceed.

External Information Movement

Complete operational self-sufficiency is unrealistic for a consultancy of our scale. Certain functions require specialist infrastructure or expertise we don't maintain in-house. This means controlled information sharing with external entities under specific circumstances.

Service Infrastructure Partners

Our technology stack includes cloud hosting services, email delivery systems, project management platforms, and accounting software. These providers operate under data processing agreements that restrict how they can handle client information. They're acting on our instructions, not pursuing their own purposes. We select partners based partly on their security standards and compliance credentials.

Payment processing represents a distinct category. When you pay by credit card or electronic transfer, financial institutions and payment gateways become involved. These entities operate under banking regulations and payment card industry standards. We don't control their systems, but we choose providers with strong security reputations.

Professional Collaborators

Complex projects sometimes require bringing in specialist contractors—graphic designers, web developers, video producers. When this happens, we share only the information necessary for their specific contribution. These collaborators operate under confidentiality terms that mirror our own commitments to you.

Legal and Regulatory Disclosures

Certain authorities can compel information disclosure through proper legal channels. South African law enforcement with valid warrants, courts issuing subpoenas, or regulatory bodies conducting authorised investigations represent scenarios where we might need to provide client information. We don't volunteer data to authorities, but we comply with legitimate legal requirements.

Business structure changes—mergers, acquisitions, ownership transfers—could theoretically result in client information moving to a successor entity. Should such a scenario arise, affected clients would receive advance notice and information about their options.

We maintain a documented register of third-party service providers and their data handling roles. This isn't publicly published due to security considerations, but clients can request information about which external entities might process their data during our engagement.

Security Approach and Inherent Limitations

Protection measures fall into two categories: technical controls and operational protocols. Both matter, but neither eliminates risk entirely. Let's be honest about capabilities and constraints.

Technical safeguards include encrypted connections for data transmission, access controls that limit who can reach what information, regular security updates for the systems we operate, and backed-up data storage with redundancy protections. We use strong authentication methods, segment network access, and maintain activity logs that create accountability trails.

Operational security involves human practices: staff training on information handling, clear policies about device usage and remote work, vendor security assessments before we integrate third-party services, and incident response procedures if something does go wrong. We have a designated person responsible for security oversight—that's not a distributed responsibility.

Now the reality check: no protection scheme is impenetrable. Sophisticated attacks, human error, or unknown vulnerabilities represent persistent threats. We can reduce probability and limit damage, but absolute security doesn't exist. Anyone promising otherwise is either uninformed or dishonest.

If a security incident affects client information, our response protocol involves containing the breach, assessing what was exposed, notifying affected parties, and reporting to authorities where legally required. South Africa's Protection of Personal Information Act establishes notification obligations we take seriously.

Your role in security matters too. Using strong passwords for any systems we provide access to, not sharing login credentials, keeping your own devices protected—these basic practices significantly affect overall security posture.

Your Control Mechanisms

Information rights aren't theoretical—they require practical implementation. Here's what you can actually do and how the process works.

Access and Review

You can request a copy of the information we hold about you or your organisation. This isn't an instant process; compiling comprehensive records takes time. We typically fulfil access requests within 21 business days, though complex situations might extend that timeframe. There's no charge for reasonable requests, but excessive or repetitive demands might incur administrative fees.

Correction and Updates

If details we hold are inaccurate or outdated, you can request corrections. We'll update records promptly when the error is clear-cut. Situations involving disputed facts or conflicting information require more careful assessment—we might need to document disagreement rather than simply overwriting existing records.

Deletion Requests

Asking us to delete your information is straightforward in principle but complicated in practice. If we're still working together under an active contract, deletion might prevent us from fulfilling our obligations. If legal retention requirements apply—tax records, for instance—we can't delete material we're obligated to preserve. Outside those constraints, we'll process deletion requests and confirm completion.

Processing Restrictions

You can object to certain uses of your information, particularly those based on legitimate interests rather than contractual necessity. We'll evaluate such objections against our operational requirements. If your objection has merit and alternatives exist, we'll accommodate the restriction. If the processing is essential for service delivery or legal compliance, we'll explain why we need to continue.

Portability

For information you've directly provided to us in structured formats, you can request a copy in a commonly used, machine-readable format. This matters most when you're switching service providers and want to transfer records.

Exercising these rights starts with a clear request sent to our designated contact point. Verbal requests get documented in writing to avoid misunderstandings. We'll verify your identity before processing requests that involve accessing or modifying sensitive information—this protects against unauthorised access by impersonators.

Reaching Our Privacy Oversight Function

Questions, concerns, or formal requests regarding how we handle information should be directed to our designated point of contact. We're physically located in Durban but respond to inquiries regardless of your location. Allow 5 business days for initial acknowledgment of complex matters; straightforward questions typically get faster responses.

Physical Address: 101 12th Ave, Morningside, Durban, 4001, South Africa
Email Contact: [email protected]
Phone Line: +27 71 898 9425

If our response to a privacy concern doesn't satisfy you, South Africa's Information Regulator provides an independent escalation channel. They handle complaints about Protection of Personal Information Act compliance and can investigate organisational practices. Their involvement represents a formal regulatory process—we'd prefer to resolve matters directly first, but the option exists if needed.