1. Data Controller
The data controller responsible for your personal information is:
Elementary Digital (Pty) Ltd
Registered in South Africa
Email: hello@elementary.co.za
For the purposes of the South African Protection of Personal Information Act (POPIA) and the EU General Data Protection Regulation (GDPR), Elementary Digital is the responsible party / data controller for the personal information processed through our services.
2. Information We Collect
We collect personal information that you provide directly to us, as well as limited technical data generated through your use of our services.
2.1 Project Enquiry Form
When you submit a project enquiry through our website, we collect:
- First name and last name
- Email address
- Phone number
- Entity type (individual or company)
- Company name and website (if applicable)
- Project types of interest and project details
2.2 Authentication and Account Data
When you sign in to our client portal, we process:
- Email address
- Authentication credentials (password hash — we never store plain-text passwords)
- Google OAuth tokens (if you sign in with Google)
- Session identifiers stored in cookies
2.3 Client Portal Profile
If you use our client portal, you may provide additional profile information:
- First name, last name, email, and phone number
- Company name and job title
- Address (line 1, line 2, city, postcode, country)
- Timezone preference
- Notification preferences (email notifications for projects, messages, invoices, and marketing)
2.4 Technical Data
Our hosting infrastructure automatically collects limited technical data including:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and referring URL
- Timestamps of requests
2.5 Analytics Data
With your consent, we use Google Analytics 4 to collect anonymised usage data about how visitors interact with our website. This includes page views, navigation patterns, and general engagement metrics. We also use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns.
Analytics data is only collected after you provide consent via our cookie banner. We implement Google Consent Mode v2 to ensure compliance. See our Cookie Policy for full details.
3. How We Use Your Information
We use your personal information for the following purposes:
- Responding to enquiries: To process and respond to your project enquiry submissions
- Service delivery: To provide access to the client portal and manage your projects, proposals, invoices, and communications
- Authentication: To verify your identity and maintain secure access to your account
- Communication: To send you project updates, messages, and invoice notifications based on your preferences
- Security: To protect our services and detect fraudulent or unauthorised activity
- Legal compliance: To comply with applicable laws, regulations, and legal processes
4. Legal Basis for Processing
We process your personal information on the following legal grounds:
- Consent: When you submit an enquiry form or opt in to marketing communications, you provide explicit consent for us to process that information
- Contractual necessity: Processing required to deliver our services to you, including client portal access, project management, and invoicing
- Legitimate interest: Processing necessary for our legitimate business interests, such as improving our services and ensuring security, where these interests are not overridden by your rights
- Legal obligation: Processing required to comply with applicable laws and regulations
5. Third-Party Processors
We share your personal information with the following categories of third-party service providers who process data on our behalf:
| Processor | Purpose | Data Processed |
|---|---|---|
| Supabase (via Route Royal) | Authentication and database services | Account credentials, profile data, enquiry submissions |
| OAuth authentication provider | Email address and basic profile (when using Google sign-in) | |
| Google Analytics | Website analytics (with consent) | Anonymised usage data, page views, device information |
| Google Ads | Advertising conversion tracking (with consent) | Conversion events, campaign attribution data |
| Vercel | Website and application hosting | IP addresses, request logs, technical data |
| Cloudinary | Image and media delivery (CDN) | No personal data — used for static media assets only |
We do not sell, rent, or trade your personal information to any third party. All third-party processors are contractually bound to process your data only as instructed by us and in accordance with applicable data protection laws.
6. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected:
- Enquiry data: Retained for up to 24 months after your last interaction, unless a business relationship is established
- Client account data: Retained for the duration of our business relationship and for up to 36 months thereafter, or as required by law
- Authentication data: Session cookies expire automatically; account credentials are retained while your account is active
- Technical logs: Retained for up to 90 days for security and operational purposes
When personal information is no longer required, it is securely deleted or anonymised.
7. International Data Transfers
Elementary Digital is based in South Africa. Our third-party processors may store and process data in jurisdictions outside South Africa, including the United States and the European Union.
Where your data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by relevant data protection authorities
- Transfers to jurisdictions recognised as providing adequate levels of data protection
- Binding data processing agreements with all third-party processors
8. Your Rights
Under POPIA (South Africa)
As a data subject under the Protection of Personal Information Act, you have the right to:
- Be notified that your personal information is being collected
- Request access to your personal information
- Request correction of inaccurate personal information
- Request deletion of your personal information
- Object to the processing of your personal information
- Lodge a complaint with the Information Regulator of South Africa
Under GDPR (EU/EEA)
If you are located in the European Union or European Economic Area, you additionally have the right to:
- Data portability — receive your data in a structured, machine-readable format
- Restriction of processing
- Withdraw consent at any time
- Lodge a complaint with your local supervisory authority
For full details on GDPR-specific rights and how to exercise them, please see our GDPR Compliance page.
How to Exercise Your Rights
To exercise any of these rights, please contact us at hello@elementary.co.za. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
9. Children's Privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a revised “last updated” date.
For material changes, we will make reasonable efforts to notify you via email or through a notice on our website prior to the changes taking effect.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Elementary Digital (Pty) Ltd
Email: hello@elementary.co.za
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa or, if you are in the EU/EEA, with your local data protection supervisory authority.