Your information, your rights, our responsibility.
We are committed to protecting your personal information and being transparent about how we use it. This policy sets out exactly what we do — and what you can do about it.
1 Who we are
Sitect (Pty) Ltd (referred to as "Sitect", "we", "us" or "our") is the responsible party for personal information collected through our websites (sitect.co.za and related properties) and during the provision of our services.
We are registered in the Republic of South Africa and operate from Johannesburg, Gauteng. Our Information Officer is appointed in line with section 56 of POPIA — see section 15 for direct contact details.
2 Information we collect
We collect different categories of personal information depending on how you interact with us:
2.1 Information you provide directly
- Contact details — name, email address, phone number, company name, role, postal/physical address.
- Project information — business description, technical requirements, project scope, supporting documents.
- Billing & payment information — VAT number, banking details (for invoicing), payment card information (handled by our PCI-compliant payment processors — we never store full card numbers).
- Account information — username, password (hashed), profile preferences, two-factor authentication data.
- Communication content — emails, chat messages, voice notes, support tickets, meeting recordings (with consent).
2.2 Information collected automatically
- Technical data — IP address, device type, browser, operating system, screen resolution, language preferences.
- Usage data — pages visited, links clicked, time on page, referrer URL, search terms used.
- Cookie data — see our Cookie Policy for the full breakdown.
- Location data — country and city derived from IP address (we do not collect precise GPS location without explicit consent).
2.3 Information from third parties
- Public profile data — LinkedIn, company websites, where you have made this information publicly available.
- Service provider data — analytics from Google Analytics, Microsoft Clarity, Hotjar (in anonymised form).
- Marketing data — leads from referral partners, content syndication, or co-marketing arrangements where you have consented.
2.4 Special personal information
We do not seek to collect special personal information (race, health, biometrics, religion, political views) as defined in section 26 of POPIA. If processing such information becomes necessary for an engagement, we will obtain explicit consent first.
3 How we collect it
- When you complete forms on our website (contact, quote, newsletter, careers).
- When you sign a Statement of Work, NDA or other engagement document.
- When you correspond with us by email, phone, WhatsApp, video call, or in person.
- When you use our website (via cookies, server logs and analytics).
- When you use any Sitect-operated SaaS product (LocalHands, HelixDash, PowerWeb, BestDealz, UrbanFind) — each of which has its own privacy notice.
- From publicly available sources (where you have made information public).
4 Lawful basis for processing
POPIA permits us to process personal information only where a lawful basis applies. We rely on:
- Consent — for newsletter subscriptions, marketing communications, optional cookies, and special personal information.
- Contract performance — to provide the services you have engaged us for.
- Legal obligation — to comply with tax laws (SARS), POPIA itself, the Companies Act, and other applicable law.
- Legitimate interest — to operate and improve our business, secure our systems, prevent fraud, and communicate with existing clients about related services.
- Public interest — rarely; only where applicable law specifically authorises this.
5 Purposes for which we use your information
- To respond to enquiries and provide quotes and proposals.
- To deliver the services you have engaged us for and manage the engagement end-to-end.
- To invoice, collect payment, and meet our accounting and SARS obligations.
- To improve our website, services and products (analytics, A/B testing).
- To send service updates, account notifications and transactional messages.
- To send marketing communications (only with your consent or to existing clients with an opt-out).
- To investigate and prevent fraud, abuse and security incidents.
- To comply with legal and regulatory obligations.
- To exercise or defend legal claims.
We will not use your information for any purpose that is incompatible with the purpose for which it was collected without obtaining further consent or relying on another lawful basis.
6 Who we share your information with
We share personal information only when necessary, and only with parties we have appropriate agreements with. Categories of recipients:
6.1 Service providers (operators)
We use specialist providers to deliver our services. Each is bound by an operator agreement and POPIA-compliant terms. Our main operators are:
| Category | Examples | Region |
| --- | --- | --- |
| Cloud hosting | Amazon Web Services (af-south-1) | SA |
| Email delivery | Mailgun, Resend, AWS SES | EU / US |
| Payment processing | Yoco, Payfast, Peach Payments, Stripe | SA / Global |
| Analytics | Google Analytics 4, Plausible, Microsoft Clarity | EU / US |
| CRM & communications | WhatsApp Business (Twilio), Slack | EU / US |
| AI providers | OpenAI, Anthropic, Google AI | US / Global |
| Accounting | Xero, Sage Pastel | SA / Global |
| E-signature | DocuSeal, Dropbox Sign | EU / US |
6.2 Professional advisers
Our auditors, accountants, lawyers, and insurers, where they need access to specific information to provide their services.
6.3 Group companies & partners
Sitect-operated brands (LocalHands, HelixDash, PowerWeb, BestDealz, UrbanFind) are subsidiaries / divisions and may share information with Sitect for centralised functions (billing, support, security). Independent partners receive information only with your specific consent.
6.4 Regulators and law enforcement
SARS, the Information Regulator, courts, and law enforcement — only where legally compelled.
6.5 Business transfers
If Sitect is acquired, merged, or restructured, your personal information may transfer to the acquiring entity, subject to confidentiality obligations equivalent to those in this policy. We will notify you of any such change.
We do not sell your personal information to anyone, ever.
7 International transfers
Some of our service providers operate outside South Africa (notably in the EU and US). When we transfer personal information across borders, POPIA section 72 requires that the foreign country has substantially similar protection — or that we rely on appropriate safeguards.
We rely on:
- Adequacy — for transfers to EU countries with GDPR-equivalent protection.
- Standard contractual clauses — for transfers to providers in the US and elsewhere.
- Consent — where neither of the above applies (with prominent disclosure).
Our default cloud region is AWS Cape Town (af-south-1) — meaning the bulk of your operational data stays inside SA borders.
8 How long we keep your information
We keep personal information only for as long as needed for the purposes it was collected — and as required by law.
| Category | Retention |
| --- | --- |
| Marketing leads (no engagement) | 24 months from last contact, then deleted |
| Active client records | Duration of engagement + 5 years |
| Financial records (invoices, statements) | 5 years (Income Tax Act requirement) |
| VAT records | 5 years (VAT Act requirement) |
| Contracts and SoWs | Duration + 5 years (prescription period) |
| Job applications | 12 months unless retained with consent |
| Website analytics | 26 months (GA4 default) |
| Server logs | 90 days |
| Session replay (Clarity/Hotjar) | 30 days, no PII |
| Email correspondence | 7 years from last action on matter |
9 Your data subject rights
Under POPIA, you have the following rights with regard to your personal information:
- Right to be notified — to know what personal information we hold and for what purposes (s.18).
- Right of access — to request a copy of the personal information we hold about you (s.23).
- Right to correction — to ask us to correct inaccurate, irrelevant or out-of-date information (s.24).
- Right to deletion — to ask us to delete information we no longer need to hold (s.24).
- Right to object — to object to processing on legitimate-interest grounds or for direct marketing (s.11(3)).
- Right to data portability — to receive your information in a structured, machine-readable format.
- Right to withdraw consent — where processing relies on consent, you may withdraw at any time.
- Right to complain — to lodge a complaint with the Information Regulator (see section 15).
How to exercise your rights
Send a written request to our Information Officer (see section 15). We will respond within 30 days — or sooner where the request is straightforward. Identity verification may be required to protect against unauthorised access. There is no fee for reasonable requests; we may charge a reasonable fee for excessive or repeated requests.
10 Cookies and tracking
We use cookies and similar technologies. The full breakdown — categories, purpose, retention, third-party cookies and how to opt out — is in our Cookie Policy. In summary:
- Strictly necessary cookies are always on (session, security, CSRF).
- Performance, functional and marketing cookies are off by default and require your consent.
- You can review and update your cookie preferences at any time via the cookie banner.
11 Security measures
We implement appropriate, reasonable technical and organisational measures to protect your personal information against unauthorised access, loss, destruction or damage (as required by POPIA s.19). These include:
- Encryption — in transit (HTTPS/TLS 1.3) and at rest (AES-256).
- Access controls — role-based access, mandatory 2FA on all staff and admin accounts.
- Network security — firewalls, WAF (Cloudflare), DDoS protection, rate limiting.
- Secret management — AWS Secrets Manager, no credentials in code or environment files.
- Audit logging — every privileged action logged, immutable, queryable.
- Backups — daily, encrypted, retained 30 days, restore-tested quarterly.
- Penetration testing — annual third-party penetration test on production systems.
- Staff training — POPIA and security awareness training on onboarding and annually.
- Operator agreements — every sub-processor signed to POPIA-compliant terms.
No system is 100% secure. If a breach occurs, we will follow our incident response plan (see section 14).
12 Children's privacy
Sitect's services are aimed at businesses, not children. We do not knowingly collect personal information from children under 18 without verifiable parental or guardian consent (as required by POPIA s.34). If we become aware that we have inadvertently collected such information, we will delete it.
Where a Sitect-operated product is used in a context involving minors (e.g. school-management features in HelixDash), additional consent and safeguards apply — see that product's specific privacy notice.
13 Direct marketing
We may send you marketing communications (newsletter, product updates, event invites) where:
- You have given your express consent (e.g. by subscribing to our newsletter), or
- You are an existing client and we are marketing related services (POPIA s.69(3) exemption).
Every marketing email includes a one-click unsubscribe link. WhatsApp and SMS communications follow the same opt-in / opt-out principles. Marketing consent is recorded with timestamp and IP address, and is fully revocable.
14 Data breach response
In the event of a security compromise where personal information has been or is reasonably believed to have been accessed or acquired by an unauthorised person, we will:
- Notify the Information Regulator as soon as reasonably possible (POPIA s.22).
- Notify affected data subjects in writing, with the information required by POPIA s.22(4): description of incident, possible consequences, what we are doing about it, what they can do, and contact details of our Information Officer.
- Document the incident, our response, lessons learned, and changes made.
15 Information Officer & contact
Sitect's Information Officer is appointed in accordance with POPIA section 56. The Information Officer is responsible for:
- Encouraging compliance with POPIA inside Sitect.
- Dealing with requests from data subjects.
- Working with the Information Regulator.
- Ensuring that the conditions for lawful processing are complied with.
Contact our Information Officer
- Email: info-officer@sitect.co.za
- Post: Information Officer, Sitect (Pty) Ltd, 139 Davies Street, Doornfontein, Johannesburg, 2001 Gauteng, South Africa
- Subject Access Request: please use the prescribed POPIA Form 2 — we will assist you in completing it.
Lodge a complaint with the Information Regulator
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:
16 Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via our website banner and (for active clients) by email at least 30 days before they take effect. The "Effective" date at the top of this page reflects the date of the current version.