POPIA Privacy Policy.

How XEQT (PTY) LTD collects, uses, stores, and protects personal information in compliance with the Protection of Personal Information Act, 2013 (Act 4 of 2013).

Last updated: June 2026 · Responsible party: XEQT (PTY) LTD

Section 1

Responsible Party

XEQT (PTY) LTD ("XEQT", "we", "us", "our") is the responsible party as defined in POPIA. We are registered in South Africa and operate from Cape Town, Western Cape.

Information Officer: Erik Bester
Email: erik@xeqt.co.za
Postal address: Available on written request

Our Information Officer is registered with the Information Regulator of South Africa as required under POPIA.


Section 2

Information We Collect

We collect personal information only where it is necessary for a specific, legitimate purpose. The categories of personal information we may collect include:

Information you provide directly

  • Name and surname
  • Business email address and phone number
  • Company name and role
  • Business operational information submitted via our Automation Audit questionnaire
  • Communication content when you contact us via email or our website

Information collected automatically

  • IP address and approximate location (country/region level)
  • Browser type and operating system
  • Pages visited and time spent (via privacy-respecting analytics)
  • Referring website or source

Information collected during service delivery

  • Business process data shared with us for the purpose of designing automations
  • Integration credentials (API keys, OAuth tokens) stored securely and used solely to build and operate agreed automations
  • System access logs created during testing and deployment

Section 3

Why We Collect Personal Information

We collect and process personal information only for the following specified purposes:

  • To respond to enquiries - when you contact us or submit the Automation Audit, we use your details to reply and provide your requested report
  • To deliver contracted services - we process business information to design, build, and deploy the automation systems you engage us to build
  • To send relevant communications - with your consent, we may send information about services, updates, or resources we believe are relevant to your business
  • To comply with legal obligations - we retain certain records as required by South African law including the Companies Act and tax legislation
  • To improve our services - anonymised and aggregated data helps us understand how our website is used and how to improve it

We do not collect personal information for any purpose beyond what is listed above. We do not sell personal information to third parties under any circumstances.


Section 4

Lawful Basis for Processing

Under POPIA, we rely on the following grounds for processing personal information:

  • Consent - where you have given us specific, informed consent (e.g. submitting the audit form or signing up for communications)
  • Contractual necessity - where processing is necessary to fulfil a contract with you or to take steps at your request before entering a contract
  • Legitimate interest - where processing is necessary for our legitimate business interests, provided these interests are not overridden by your rights
  • Legal obligation - where we are required to process information to comply with South African law

Section 5

Sharing Your Information

We do not sell, rent, or trade personal information. We may share information only in the following limited circumstances:

Service providers (operators)

We use trusted third-party services to operate our business. These act as operators under POPIA and are contractually bound to process information only on our instruction:

  • Calendly - booking and scheduling
  • Cloudflare - website hosting and security
  • Supabase - database infrastructure for client systems
  • n8n - workflow automation infrastructure
  • Anthropic (Claude API) - AI processing within agreed automation workflows

Legal requirements

We may disclose personal information if required to do so by law, court order, or at the request of a regulatory authority with jurisdiction over us.

Business transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal information may be transferred as part of that transaction. We will notify affected data subjects in advance.


Section 6

Retention Periods

We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law:

  • Enquiry and audit data - 12 months from date of last contact, or converted to a client relationship
  • Client project data - 5 years from project completion (required for potential warranty, liability, and audit purposes)
  • Financial records - 5 years as required by SARS and the Companies Act
  • Marketing consent records - until consent is withdrawn, plus 1 year thereafter
  • Website analytics data - 13 months (anonymised, no personal information retained beyond this)

When personal information is no longer required, we securely delete or anonymise it.


Section 7

Security Measures

We implement appropriate technical and organisational measures to protect personal information against loss, unauthorised access, use, disclosure, or destruction, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Role-based access controls - only authorised personnel access personal information
  • API credentials stored as encrypted secrets, never in plaintext
  • Regular security reviews of our infrastructure
  • Cloudflare DDoS protection and WAF on all web properties
  • Supabase Row Level Security (RLS) enforced on all client data tables

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Regulator and affected data subjects as required by POPIA.


Section 8

Your Rights Under POPIA

As a data subject under POPIA, you have the following rights. To exercise any of these rights, contact our Information Officer at erik@xeqt.co.za. We will respond within 30 days.

  • Right of access - you may request confirmation of whether we hold personal information about you and a copy of that information
  • Right to correction - you may request that we correct or update inaccurate or incomplete personal information
  • Right to deletion - you may request that we delete your personal information where it is no longer necessary or where you withdraw consent (subject to our legal retention obligations)
  • Right to object - you may object to the processing of your personal information on grounds of legitimate interest
  • Right to withdraw consent - where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Right to complain - if you believe we have violated your rights under POPIA, you may lodge a complaint with the Information Regulator of South Africa at www.inforegulator.org.za

Section 9

Cookies

Our website uses minimal cookies. We do not use advertising or tracking cookies. The cookies we use are:

  • Strictly necessary cookies - required for the website to function (session management, security). These cannot be disabled.
  • Analytics cookies - we use privacy-respecting analytics that do not fingerprint individual users or share data with advertising networks. These are anonymised.

You can control cookies through your browser settings. Disabling strictly necessary cookies may affect website functionality.


Section 10

Children's Information

Our services are directed exclusively at businesses and business professionals. We do not knowingly collect personal information from children under the age of 18. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it promptly.


Section 11

Changes to This Policy

We review this policy at least annually and whenever there is a material change to how we process personal information. Where changes are significant, we will notify existing clients by email. The "last updated" date at the top of this page reflects the most recent revision.

Continued use of our website or services after changes are published constitutes acceptance of the updated policy.


Section 12

Contact the Information Officer

For any privacy-related queries, requests, or complaints:

Information Officer: Erik Bester
Email: erik@xeqt.co.za
Response time: Within 30 days of receipt

To lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg
www.inforegulator.org.za