1. Applicability
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to the processing of personal data of individuals located in the European Union (EU) and European Economic Area (EEA), regardless of where the data controller is established.
Although Elementary Digital (Pty) Ltd is based in South Africa, we recognise that our website and services may be accessed by individuals in the EU/EEA. We are committed to complying with the GDPR when processing personal data of such individuals.
This page should be read alongside our Privacy Policy, which provides comprehensive details on our data collection and processing practices.
2. Data Controller
For the purposes of the GDPR, the data controller is:
Elementary Digital (Pty) Ltd
Registered in South Africa
Email: hello@elementary.co.za
As a South African company processing EU personal data, we act as the data controller and take responsibility for ensuring GDPR-compliant processing of your personal information.
3. Lawful Basis for Processing
Under Article 6 of the GDPR, we process personal data on the following lawful bases:
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Project enquiry submission | Consent — you actively submit the form | Art. 6(1)(a) |
| Client portal account and authentication | Contractual necessity — required to deliver our services | Art. 6(1)(b) |
| Profile and project management | Contractual necessity — required for service delivery | Art. 6(1)(b) |
| Security and fraud prevention | Legitimate interest — protecting our services and users | Art. 6(1)(f) |
| Website analytics (Google Analytics 4) | Consent — only activated after you accept analytics cookies | Art. 6(1)(a) |
| Advertising conversion tracking (Google Ads) | Consent — only activated after you accept analytics cookies | Art. 6(1)(a) |
| Server access logs | Legitimate interest — operational security | Art. 6(1)(f) |
| Legal and regulatory compliance | Legal obligation | Art. 6(1)(c) |
4. Data We Process
For a complete list of personal data we collect and process, please refer to Section 2 of our Privacy Policy. In summary, we process:
- Identity data: First name, last name
- Contact data: Email address, phone number, postal address
- Professional data: Company name, job title, company website
- Account data: Authentication credentials, session tokens
- Project data: Project types, project details, enquiry messages
- Preference data: Timezone, notification preferences
- Technical data: IP address, browser type, device information
We do not process any special categories of personal data (Article 9) such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data.
5. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
Right of Access (Article 15)
You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing where:
- You contest the accuracy of the data (during verification)
- Processing is unlawful and you prefer restriction over erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing (pending verification of legitimate grounds)
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent (Article 7)
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right Not to Be Subject to Automated Decision-Making (Article 22)
We do not make any decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.
6. Exercising Your Rights
To exercise any of your GDPR rights, please contact us at hello@elementary.co.za.
When submitting a request, please:
- Clearly state which right you wish to exercise
- Provide sufficient information for us to verify your identity
- Specify the personal data your request relates to, if applicable
We will acknowledge your request within 48 hours and provide a substantive response within 30 days. If your request is complex or we receive a large number of requests, we may extend this period by a further 60 days, in which case we will notify you of the extension and the reasons for it.
There is no fee for exercising your rights. However, if requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12(5) of the GDPR.
7. International Data Transfers
As Elementary Digital is based in South Africa, personal data of EU/EEA individuals is transferred outside the European Economic Area. We ensure that such transfers comply with GDPR requirements through the following safeguards:
Standard Contractual Clauses
We use EU Standard Contractual Clauses (SCCs) as approved by the European Commission to govern transfers of personal data to jurisdictions that have not received an adequacy decision.
Sub-Processor Safeguards
Our third-party processors implement their own transfer safeguards:
- Supabase: SOC 2 Type II certified; supports EU region hosting; implements SCCs for international transfers
- Vercel: SOC 2 Type II certified; EU data residency options; implements SCCs and has a Data Processing Addendum
- Google (OAuth): Compliant with EU-US Data Privacy Framework; implements SCCs
Transfer Impact Assessment
We conduct transfer impact assessments to evaluate the level of protection afforded to personal data in the recipient country and implement supplementary measures where necessary.
8. Data Protection Measures
In accordance with Articles 25 and 32 of the GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
- Data protection by design and by default: We collect only the minimum data necessary and apply privacy-preserving defaults
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access controls: Role-based access, principle of least privilege, secure authentication
- Consent-based analytics: Analytics and advertising cookies are only activated after explicit user consent via Google Consent Mode v2
- Regular review: Periodic review of data processing activities and security measures
For comprehensive details on our security practices, see our Security page.
9. Data Breach Notification
In accordance with Articles 33 and 34 of the GDPR:
- We will notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals
- Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay
- We maintain an internal breach register documenting all personal data breaches, their effects, and the remedial actions taken
10. Children's Data
Our services are not directed at children under the age of 16 (or the applicable age of digital consent in the relevant EU member state). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that data promptly.
12. Contact Us
For any GDPR-related enquiries, data subject access requests, or concerns about how we handle your personal data, please contact us:
Elementary Digital (Pty) Ltd
Email: hello@elementary.co.za
We aim to respond to all GDPR-related enquiries within 48 hours of receipt.