Privacy Policy — afrAIca

afrAIca-POL-PRI-001 · Version 1.0 · November 2025 · Next Review: November 2026

Classification: Public Document

1. Introduction

afrAIca (PTY) Ltd is committed to safeguarding the personal information of all individuals who interact with our organisation. This policy explains how we collect, use, store, share and protect personal information in alignment with the Protection of Personal Information Act 4 of 2013 (POPIA) and international data protection standards.

"We process personal information because our work requires it, not because we can."

This policy applies to clients, prospective clients, employees, contractors, suppliers, website visitors and research participants.

2. Who We Are

Organisation Details

Legal Name: afrAIca (PTY) Ltd
Registration: 2025/193186/07
Address: 18C Garsfontein Office Park, 645 Jacqueline Drive, Garsfontein, Gauteng, 0181
Email: progress@afraica.co.za
Website: www.afraica.co.za
Information Officer: Chris Coetzee, Founder and Chief Executive Officer

3. Personal Information We Collect

3.1 Client and Prospective Client Information

Full name, job title and organisation name
Business contact details
AI readiness assessment information
Contractual information and correspondence
Financial information for invoicing
Feedback and survey responses

3.2 Website and Digital Interaction Information

IP address, browser type and device type
Pages visited and navigation paths
Contact form submissions
Cookie data

3.3 Employee, Contractor and Associate Information

Identity information including full name and identity number
Contact details
Employment information including qualifications and work history
Financial information including banking details and tax number
Health information where relevant to occupational health obligations
Emergency contact details

3.4 Research and Survey Participants

Name and organisation (unless anonymous)
Role, industry and organisation size
Survey responses and interview data retained in de-identified form where possible

3.5 Information We Do Not Intentionally Collect

We do not intentionally collect special personal information as defined in POPIA section 26 unless we are legally obliged to, you have provided consent, or it is necessary for legitimate functions. We do not knowingly collect personal information from children under 18 without competent person consent.

4. How We Collect Personal Information

Directly from individuals completing contact forms, proposals, assessments, contracts or correspondence
During service delivery through consulting and implementation engagements
Via website interaction through cookies and analytics
Through employment and contracting processes
Via third-party referrals
Through research activities and surveys
From publicly available sources where lawfully obtained

5. Lawful Basis for Processing

Contractual necessity: processing required to enter into or perform a contract
Legal obligation: processing required by applicable law
Legitimate interest: necessary business interests not overriding privacy rights
Consent: freely given, specific, informed and unambiguous consent that is withdrawable
Vital interests: in limited circumstances to protect life
Public interest: for research activities with appropriate safeguards

6. How We Use Personal Information

6.1 Service Delivery

Conducting AI readiness assessments and advisory engagements
Developing and implementing AI solutions
Managing client relationships and project delivery
Issuing proposals, contracts, invoices and reports

6.2 Business Operations

Managing supplier and contractor relationships
Processing payments
Complying with legal obligations
Maintaining audit records

6.3 Communication and Marketing

Responding to enquiries
Sending thought leadership and event invitations to consenting subscribers
Notifying individuals of relevant services
You may opt out at any time by contacting progress@afraica.co.za

6.4 Research and Improvement

Conducting market research into African AI adoption
Analysing anonymised data to improve assessment frameworks
Contributing to published research where data is anonymised or appropriately consented

6.5 Employment and HR

Recruiting, onboarding, managing and offboarding employees and contractors
Administering payroll and statutory obligations
Maintaining personnel records

7. Sharing Personal Information

We do not sell personal information or share it for unrelated advertising. We share personal information only in these circumstances:

Operators and service providers including cloud hosting, accounting software, email platforms and project management tools, all bound by written POPIA-compliant contracts
Professional advisers including legal, audit and compliance consultants
Legal and regulatory disclosure where required by law or the Information Regulator
Business transactions such as mergers or acquisitions, subject to appropriate agreements
With explicit consent for other purposes

8. Transborder Transfers

Our commitment to African data sovereignty extends to our own data handling. We do not transfer personal information to foreign countries unless that country provides adequate protection, the data subject consents, or another POPIA section 72 condition is satisfied.

All transborder transfers are documented. Where client engagements require data to remain within South Africa, we structure our delivery accordingly and document this in service agreements.

9. Retention of Personal Information

Category	Retention Period
Client engagement records	7 years from end of engagement
Prospective client information	2 years from last contact
Employee and HR records	5 years from end of employment
Contractor and associate records	5 years from end of contract
Financial and invoicing records	7 years
Website analytics data	13 months rolling
Marketing consent records	Until consent withdrawn, plus 1 year
Research and survey data	5 years in anonymised form
Security logs	12 months

When no longer required, information is securely deleted, anonymised or destroyed.

10. Security of Personal Information

10.1 Technical Measures

Encryption of personal information in transit and at rest
Access controls and role-based permissions
Multi-factor authentication
Secure password-protected systems with activity logging
Regular security assessments

10.2 Organisational Measures

Privacy-by-design principles applied to all new systems
Confidentiality obligations in all contracts
Staff awareness and training
Documented procedures for data subject requests and breach response

10.3 Security Incidents and Breach Notification

In the event of a security compromise, we will contain and remediate the incident. Where required under POPIA, we will notify the Information Regulator and affected individuals without unreasonable delay.

11. Cookies and Tracking Technologies

Our website uses cookies to support functionality, performance measurement and user experience improvement.

Strictly necessary: essential for website function and session retention
Functional: remember preferences, retained for up to 12 months
Analytics: measure visitor interaction in aggregated and anonymised form, retained for up to 13 months
Marketing: only with explicit consent, retained for up to 12 months or until consent withdrawn

Cookie preferences may be controlled or withdrawn through your browser settings at any time.

12. Your Rights as a Data Subject

Right of access: request confirmation and a copy of personal information held about you
Right to correction: request correction of inaccurate or incomplete information
Right to deletion: request deletion where no lawful basis for continued retention exists
Right to object: object to processing based on legitimate interest
Right to withdraw consent: withdraw consent at any time without affecting prior processing
Right to complain: lodge a complaint with the Information Regulator of South Africa
Right to data portability: request personal information in a structured format where technically feasible
Right not to be subject to automated decisions: no solely automated decisions with significant effects are made without human review

To exercise any of these rights, contact progress@afraica.co.za. We will acknowledge your request within five business days and provide a full response within 30 days.

13. The Information Regulator of South Africa

Contact Details

Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: inforeg@justice.gov.za
Website: www.inforegulator.org.za

14. Third-Party Websites and Services

Our website may contain links to third-party sites. We are not responsible for their privacy practices. We recommend reviewing the privacy policy of any third-party website before providing personal information.

15. Children's Personal Information

Our services are directed at organisations and professionals. We do not knowingly collect, process or retain personal information relating to children under 18. If a child's personal information has been submitted, please contact progress@afraica.co.za for prompt deletion.

16. Changes to This Privacy Policy

This policy is reviewed at least annually and whenever material changes occur. Changes are published at www.afraica.co.za with updated version dates. Material changes will trigger direct notification to clients and subscribers.

17. Contact and Complaints

Information Officer

Name: Chris Coetzee, Founder and Chief Executive Officer
Email: progress@afraica.co.za
Address: 18C Garsfontein Office Park, 645 Jacqueline Drive, Garsfontein, Gauteng, 0181
Website: www.afraica.co.za

"Privacy is not a compliance requirement we satisfy. It is a value we hold."

This work is built on the principle that data about people belongs to those people. We handle personal information with care, transparency and respect.

Adopted by: Chris Coetzee, Information Officer, afrAIca (PTY) Ltd
Date: November 2025
Policy Ref: afrAIca-POL-PRI-001
Next Review: November 2026