Privacy Notice

Last Updated On 09-December-2023
Effective Date 09-December-2023

This is the privacy notice of Zwana ICT & Consulting (Pty) Ltd of 12 Wilgeboom Drive, Randburg 2188, South Africa (‘we’, ‘our’, or ‘us’).

Introduction

We value your privacy and are committed to ensuring that your personal information is safeguarded and used appropriately in accordance with applicable laws. These laws include:

• The General Data Protection Regulation (Regulation (EU) 2016/679 (“EU GDPR”)
• The General Data Protection Regulation ((EU) 2016/679) (EU GDPR) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”)
• South Africa’s Protection of Personal Information Act, Act No. 4 of 2013 (“POPIA”)

This notice describes how we collect, store, transfer and use personal data. It tells you about your privacy rights and how the law protects you.

We encourage you to read this Privacy Notice carefully to understand how your data is used and how we ensure its security. By engaging with our services, you consent to the practices described in this notice. If you have any questions or concerns about your personal data, please don’t hesitate to contact us using the details provided in this document.

Your trust is important to us, and we are dedicated to being transparent about our data processing practices.

In the context of the law and this notice, ‘personal data’ (referred to as ‘personal information’ in POPIA) is information that clearly identifies you as an individual (or, if applicable, as a juristic person in terms of POPIA) which could be used to identify you if combined with other information. Acting in any way on personal data is referred to as ‘processing’.

This notice applies to personal data collected through our website and through social media platforms.

Except as set out below, we do not share or disclose to a third party, any information collected through our website.

Personal data we process

1. How we obtain personal data

The information we process about you includes information:

• you have directly provided to us
• that we gather from third party databases and service providers
• as a result of monitoring how you use our website or our services

The personal data we collect is related to your role on behalf of a business and is often already widely disclosed and readily available to the public.

2. Types of personal data we collect directly

When you use our website or our services, we ask you to provide personal data such as:

• Name
• Business email address
• Company name
• Business phone number
• Job title / job role

3. Types of personal data we collect from third parties

We confirm some of the information you provide to us directly using data from other sources. We also add to the information we hold about you, sometimes to remove the need for you to provide it to us and sometimes in order to be able to assess the services you offer.

The additional information we may collect can be categorised as follows:

• information that confirms your identity
• business information, including your business trading name and address, your company’s registration number (if incorporated), and your VAT number (if registered)
• information that confirms your contact information
• information about your business on other websites through which you sell your services or on review websites

4. Types of personal data we collect from your use of our services

By using our website and our services, we process:

• where required, your username and password and other information used to access our website and our services
• your requests for information via “Contact Us” forms, your requests to download gated material via landing pages as well as your replies to polls and surveys
• technical information about the hardware and the software you use to access our website and use our services, including your Internet Protocol (IP) address, your browser type and version and your device’s operating system
• usage information, including the frequency you use our services, the pages of our website that you visit, whether you receive messages from us and whether you reply to those messages
• transaction information that includes the details of the products / services you have bought through us
• your preferences to receive marketing from us; how you wish to communicate with us; and responses and actions in relation to your use of our services

5. Our use of aggregated information

We may aggregate anonymous information such as statistical or demographic data for any purpose. Anonymous information is that which does not identify you as an individual. Aggregated information may be derived from your personal data but is not considered as such in law because it does not reveal your identity.

For example, we may aggregate usage information to assess whether a feature of our website is useful.

However, if we combine or connect aggregated information with your personal data so that it can identify you in any way, we treat the combined information as personal data, and it will be used in accordance with this privacy notice.

6. Special personal data

Special personal data is data about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

We do not collect any special personal data about you.

7. If you do not provide personal data we need

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform that contract.

In that case, we may have to stop providing a service to you. If so, we will notify you of this at the time.

The bases on which we process information about you

The law requires us to determine under which of six defined bases we process different categories of your personal data, and to notify you of the basis for each category.

If a basis on which we process your personal data is no longer relevant then we shall immediately stop processing your data.

If the basis changes then if required by law we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.

The bases on which we could process your personal data are:

8. Information we process because we have a contractual obligation with you (GDPR Art. 6 (1) (b) / POPIA Section 11 (1) (b))

When you create an account on our website, buy a product or service from us, or otherwise agree to our terms and conditions, a contract is formed between you and us.

In order to carry out our obligations under that contract we must process the information you give us. Some of this information may be personal data.

We may use it in order to:

• verify your identity for security purposes when you use our services
• provide you with suggestions and advice on products, services and how to obtain the most from using our website
• provide you with our services
• sell products to you

We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter into a legal contract.

We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract.

9. Information we process with your consent (GDPR Art. 6 (1) (a) / POPIA Section 11 (1) (a))

Through certain actions when otherwise there is no contractual relationship between us, such as when you browse our website or ask us to provide you with more information about our business, including our products and services, you provide your consent to us to process information that may be personal data.

Wherever possible, we aim to obtain your explicit consent to process this information, for example, we ask you to agree to our use of non-essential cookies when you access our website.

If you have given us explicit permission to do so, we may from time to time pass your name and contact information to selected associates whom we consider may provide services or products you would find useful.

We continue to process your information on this basis until you withdraw your consent or it can be reasonably assumed that your consent no longer exists.

You may withdraw your consent at any time by instructing us by sending us an email at privacy(at)zwana.net. However, if you do so, you may not be able to use our website or our services further.

We aim to obtain and keep your consent to process your information. However, while we take your consent into account in decisions about whether or not to process your personal data, the withdrawal of your consent does not necessarily prevent us from continuing to process it. The law may allow us to continue to process your personal data, provided that there is another basis on which we may do so. For example, we may have a legal obligation to do so.

10. Information we process for the purposes of legitimate interests (GDPR Art. 6 (1) (f) / POPIA Section 11 (1) (d) and (f))

We may process information on the basis there is a legitimate interest to us of doing so.

Where we process your information on this basis, we do after having given careful consideration to:

• whether the same objective could be achieved through other means
• whether you would expect us to process your data, and whether you would, in the round, consider it reasonable to do so

For example, we may process your data on this basis for the purposes of:

• improving our services
• record-keeping for the proper and necessary administration of our business
• responding to unsolicited communication from you to which we believe you would expect a response
• preventing fraudulent use of our services
• exercising our legal rights, including to detect and prevent fraud and to protect our intellectual property
• insuring against or obtaining professional advice that is required to manage our business risk
• protecting your interests where we believe we have a duty to do so

11. Information we process because we have a legal obligation (GDPR Art. 6 (1) (c) / POPIA Section 11 (1) (c))

Sometimes, we must process your information in order to comply with a statutory obligation.

For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order.

This may include your personal data.

How and when we process your personal data

12. Your personal data is not shared

With the exceptions referred to in paragraph 15 “Service providers and business partners” we do not share or disclose to a third party, any information collected through our website.

Information you provide

Our website may allow you to post information with a view to that information being read, copied, downloaded, or used by other people.

For example, if you were to leave a review or post a message on our website, we reasonably assume that you consent for the message to be seen by others. We may include your username with your message, and your message may contain information that is personal data.

Other examples may include tagging an image or clicking on an icon next to another visitor’s message to convey your agreement, disagreement or thanks.

In posting personal data, it is up to you to satisfy yourself about the privacy level of every person who might use it.

Once your information enters the public domain, we have no control over what any individual third party may do with it. We accept no responsibility for their actions at any time.

Provided your request is reasonable and there is no legal basis for us to retain it, then at our discretion we may agree to your request to delete personal data that you have posted. You can make a request by contacting us at privacy(at)zwana.net.

13. Payment information

We do not collect or store any payment information of yours.

14. Job application and employment

If you send us information in connection with a job application, we may keep it for up to three years in case we decide to contact you at a later date.

If we employ you, we collect information about you and your work from time to time throughout the period of your employment. This information will be used only for purposes directly relevant to your employment. After your employment has ended, we will keep your file for six years before destroying or deleting it.

15. Service providers and business partners

We as a “Controller” in terms of GDPR or a “Responsible Party” in terms of POPIA may share your personal data with:

• businesses that provide services to us and process your personal data on our behalf (“Processors” in terms of GDPR or “Operators” in terms of POPIA) or
• business partners which determine the purpose and means of processing your personal data (other “Controllers” or “Responsible Parties”)

This arises in the following situations:

• We provide organisations (“Controllers” or “Responsible Parties”) for which we are a channel partner with your personal information in order for them to know that we have introduced you to their product or service or, should the relationship between you and us reach this stage, for us to hand you over to them for you and them to enter into a contract for the provision of the service/s in which you have expressed an interest
• Our website is hosted in Germany by Cloudways Ltd (incorporated in Malta) (“Processor” or “Operator”)
• Our marketing automation solution is hosted in Spain by Webempresa America Inc. (“Processor” or “Operator”). Please note that any information you submit to us via our “Contact Us” forms, our gated content landing page forms on our website or our email or social media marketing is processed by this service
• We use the Belgium-based Mailfence email, file storage etc. service of ContactOffice Group sa (incorporated in Belgium) (“Processor” or “Operator”)

Please note that in the event that such organisations are based in third countries (outside of the EU if you are a EU resident or citizen, outside of the UK if you are a UK resident or outside of South Africa if the Responsible Party has a presence in South Africa), the transfer of your personal data will be subject to the conditions in paragraph 22 of this agreement.

16. Referral partners

This is information given to us by you in your capacity as an affiliate of us or as a referral partner.

It allows us to recognise visitors that you have referred to us, and to credit to your commission due for such referrals. It also includes information that allows us to transfer commission to you.

The information is not used for any other purpose.

We undertake to preserve the confidentiality of the information and of the terms of our relationship.

We expect any affiliate or partner to agree to reciprocate this policy.

Use of information we collect through automated systems

17. Cookies

Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit a website that uses them. They allow information gathered on one web page to be stored until it is needed for use at a later date.

They are commonly used to provide you with a personalised experience while you browse a website, for example, allowing your preferences to be remembered.

They can also provide core functionality such as security, network management, and accessibility; record how you interact with the website so that the owner can understand how to improve the experience of other visitors; and serve you advertisements that are relevant to your browsing history.

Some cookies may last for a defined period of time, such as one visit (known as a session), one day or until you close your browser. Others last indefinitely until you delete them.

To see a list of the different services / cookies we use and their types / groups, click on the “Change privacy settings” link under the “Information” heading in the bottom left of the footer of our website. Click on the links called “Show service information” next to each group / type. If you wish to change any of your settings, please tick (to consent to the service / cookie) or untick (to withdraw your consent) the appropriate box/es and click on the “Save custom choices” button to save your selection/s.

Your web browser should also allow you to delete any cookie you choose. It should also allow you to prevent or limit their use. Your web browser may support a plug-in or add-on that helps you manage which cookies you wish to allow to operate.

The law requires you to give explicit consent for use of any cookies that are not strictly necessary for the operation of a website.

When you first visit our website, we ask you whether you wish us to use cookies. If you choose not to accept them, we shall not use them for your visit except to record that you have not consented to their use for any other purpose.

If you choose not to use cookies or you prevent their use through your browser settings, you may not be able to use all the functionality of our website.

We use cookies in the following ways:

• to track how you use our website
• to record whether you have seen specific messages we display on our website
• to keep you signed in to our website
• to record your answers to surveys and questionnaires on our site while you complete them
• to record the conversation thread during a live chat with our support team
• to use progressive profiling in our web forms, thus reducing the number of fields we ask you to complete during any one visit because we can build the information we need to understand your requirements and be able to contact you (if you have given your consent) over multiple visits

To manage the cookies and similar technologies used (tracking pixels, web beacons, etc.) and related consents, we use the consent tool “Real Cookie Banner”. Details on how “Real Cookie Banner” works can be found at https://devowl.io/rcb/data-processing/.

The legal basis for the processing of personal data in this context are Art. 6 (1) lit. c GDPR / Section 11 (1) (c) POPIA and Art. 6 (1) lit. f GDPR / Section 11 (1) (d) and (f) POPIA. Our legitimate interest is the management of the cookies and similar technologies used and the related consents.

The provision of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide the personal data. If you do not provide the personal data, we will not be able to manage your consents.

18. Personal identifiers from your browsing activity

Requests by your web browser to our servers for web pages and other content on our website are recorded.

We record information such as your geographical location, your Internet service provider and your IP address. We also record information about the software you are using to browse our website, such as the type of computer or device and the screen resolution.

We use this information in aggregate to assess the popularity of the webpages on our website and how we perform in providing content to you.

If combined with other information we know about you from previous visits, the data possibly could be used to identify you personally, even if you are not signed in to our website.

Other matters

19. Your rights

The law requires us to tell you about your rights and our obligations to you in regard to the processing and control of your personal data.

We do this now, by requesting that you read the information provided at http://www.knowyourprivacyrights.org .

20. Use of our services by children

We do not market products to children nor do we provide services for purchase by children.

If you are under 18, you may use our website only with consent from a parent or guardian.

21. Encryption of data sent between us and storage of your information

Data between your web browser and our website is sent using hypertext transfer protocol secure (HTTPS). These communications are encrypted using the transport layer security (TLS) protocol, formerly known as secure sockets layer (SSL).

Whenever information is transferred between us, you can check that it is done so using SSL/TLS by looking for a closed padlock symbol or other trust mark in your browser’s URL bar or toolbar.

At a minimum, any email we send you (and emails we receive from you) will be encrypted using SSL/TLS. This requires that your email client and your email server support SSL/TLS. Should your email client and your email server not support SSL/TLS, we will agree with you on a different secure method for us to communicate with you unless you give your consent for us to communicate with you insecurely. Please note that SSL/TLS encrypts the connection between us, not the email content. Neither does it provide end-to-end encryption because even though the connection between our email client and email server as well as between your email client and email server may be encrypted using SSL/TLS, our emails may be routed via other servers where encryption cannot be guaranteed.

Should you wish to correspond with us using end-to-end encrypted emails, we support asymmetric and symmetric PGP (Pretty Good Privacy) encryption. In the case of asymmetric encryption, your email client should support PGP encryption. We can also sign our emails with digital signatures (even if you choose not to receive the email via end-to-end encryption) in order to verify that it was us who sent the email (sender verification), that the message was not altered during transport (integrity) and so we cannot deny having sent the message (non-repudiation). In the case of symmetric encryption, the email remains on our email server and you access it using a link we send you via email and a shared secret/passphrase we send you via your preferred secure messaging service to decrypt it.

22. Your data may be processed in foreign jurisdictions

We are a channel partner for service providers, some of which might be based in countries referred to as “third countries” in the GDPR (countries outside the European Economic Area (EEA) including the UK), even though these services might be provided from within the EEA or the UK. We ourselves are based in South Africa and may also use outsourced services in countries outside the EEA and UK (such as South Africa) from time to time in other aspects of our business.

In order to give you the peace of mind that your personal data is secure with us, we endeavour to follow best practice information security practices. With respect to our processing of personal data / information, all information we process is held in secure data centres in the EU. In addition, although we might access this information from South Africa, our internal security policy requires that this information be accessed and processed via web browser over secure connections and not be downloaded to any computers or devices in South Africa unless the storage is secured and encrypted.

For Data Subjects in the EEA or UK

As described above, data directly obtained by us from users within the EEA, the UK or any other country may be processed outside the EEA or the UK in jurisdictions which, even though they might have privacy legislations such as South Africa’s POPIA, are determined by the European Commission or the UK not to have equivalent levels of data protection as your home jurisdiction (so-called “adequacy regulations”).

Please note we are not bound by the requirements of GDPR Chapter V “Transfer of personal data to third countries or international organizations” when we ourselves process your personal data in South Africa if you as a data subject are a citizen or resident of the EEA or the UK. This is because we are collecting your data directly from you as data subject, not through a third party to whom you have provided the information.

However, in the interest of transparency, we want you to be aware that your information might be processed outside of the EEA or the UK as described above. We will thus request your consent to process your information in a foreign jurisdiction when you submit personal information to us. Please note that if you do not provide us with this consent, we will not be able to receive any requests you might have for information etc. before you do so.

However, when we pass your personal information on to organisations outside of the EEA or UK for which we are a channel partner, we are bound by the requirements of GDPR Chapter V. For this reason, even though we might not be obliged to secure your consent because of GDPR Art. 49 (1) (b) or (c), we will request your consent in terms of GDPR Art. 49 (1) (a) to do so.

For Data Subjects in South Africa or the broader Africa region

Given our presence in South Africa, if you as a data subject are a citizen or resident of a country where we source business outside of the EEA and the UK such as South Africa or the broader Africa region, our processing as a responsible party of your personal information is subject to POPIA. All this information is provided to us by data subjects via our web site, our marketing automation system or via email and is held in secure data centres in the European Union (as mentioned in paragraph 15 above). It thus enjoys adequate legal protection with respect to POPIA given that the storage meets the requirements of the EU GDPR. We conform to the requirements of POPIA Section 72 “Transfers of personal information outside Republic” by requesting that you as the data subject consent to our processing your information in a foreign jurisdiction when you submit personal information to us.

Please note that if you do not provide us with this consent, we will not be able to receive any requests you might have for information etc. before you do so.

Please note that personal information as defined by POPIA also covers the personal information of juristic persons in addition to the personal information of you as a identifiable, living, natural person.

23. Control over your own information

It is important that the personal data we hold about you is accurate and up to date. Please inform us by sending an email to privacy(at)Zwana.net if your personal data changes.

At any time, you may contact us to request that we provide you with the personal data we hold about you.

At any time you may review or update personally identifiable information that we hold about you, by sending an email to us at privacy(at)zwana.net.

To obtain a copy of any information that is not provided on our website you should contact us to make that request.

When we receive any request to access, edit or delete personal data we first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.

Please be aware that we are not obliged by law to provide you with all personal data we hold about you, and that if we do provide you with information, the law allows us to charge for such provision if doing so incurs costs for us. After receiving your request, we will tell you when we expect to provide you with the information, and whether we require any fee for providing it to you.

We remind you that we are not obliged by law to delete your personal data or to stop processing it simply because you do not consent to our doing so. While having your consent is an important consideration as to whether to process it, if there is another legitimate basis on which we may process it, we may do so on that basis.

24. Communicating with us

When you contact us, whether by telephone, through our website or by email, we collect the data you have given to us in order to reply with the information you need.

We record your request and our reply in order to increase the efficiency of our business.

We may keep personally identifiable information associated with your message, such as your name and email address so as to be able to track our communications with you to provide a high quality service.

25. Complaining

If you are not happy with our privacy notice, or if you have any complaint, then you should tell us.

When we receive a complaint, we record the information you have given to us on the basis of consent. We use that information to resolve your complaint.

If your complaint reasonably requires us to notify some other person, we may decide to give to that other person some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion whether we do give information, and if we do, what that information is.

We may also compile statistics showing information obtained from this source to assess the level of service we provide, but not in a way that could identify you or any other person.

If a dispute is not settled then we hope you will agree to attempt to resolve it by engaging in good faith with us in a process of mediation or arbitration.

If you are in any way dissatisfied about how we process your personal data, you have a right to lodge a complaint with your national Data Protection Authority (DPA):

• For Europe see https://edpb.europa.eu/about-edpb/about-edpb/members_en
• For the UK see https://www.gov.uk/data-protection/make-a-complaint
• For South Africa see https://inforegulator.org.za/complaints/

We would, however, appreciate the opportunity to talk to you about your concern before you approach the relevant authority.

26. Retention period

Except as otherwise mentioned in this privacy notice, we keep your personal data only for as long as required by us:

• to provide you with the services you have requested
• to comply with other law, including for the period demanded by our tax authorities
• to support a claim or defence in court

27. Compliance with the law

Our privacy notice complies with the legislation listed in the Introduction to this document.

28. Review of this privacy notice

We shall update this privacy notice from time to time as necessary.