Privacy Policy

1. Introduction

Inkblot Design (Pty) Ltd ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (www.inkblot.co.za) or use our design and development services, in compliance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA") and the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002) ("ECT Act").

2. Information Officer

In terms of POPIA, Inkblot Design has appointed an Information Officer responsible for ensuring compliance with data protection legislation and handling all data subject requests.

The Information Officer is registered with the Information Regulator of South Africa and is available to assist with any questions or concerns regarding the processing of your personal information.

3. Information We Collect

3.1 Personal Information

We may collect the following types of personal information when you interact with our services:

• Contact information (name, email address, phone number, company name)
• Business information (industry, company size, project requirements, design goals)
• Communication records (emails, messages, feedback, project briefs)
• Payment and billing information
• Project files and content you provide for design and development services
• Employment information (when you apply for positions with us)

3.2 Automatically Collected Information

When you visit our website, we automatically collect certain information through cookies and similar technologies, including:

• IP address and general location data
• Browser type and version
• Device type and operating system
• Pages visited and time spent on our site
• Referral sources and navigation paths
• Date and time of access

This information is collected through the following third-party analytics tools:

• Google Analytics (to understand website traffic and user behavior)
• Microsoft Clarity (for session recordings and heatmap analysis)
• Hotjar (for user behavior analysis and feedback collection)

For more detailed information about how we use cookies and tracking technologies, please refer to our Cookie Policy.

4. How We Use Your Information

We process your personal information for the following lawful purposes under POPIA:

With Your Consent

• Sending marketing communications and newsletters
• Placing non-essential cookies on your device
• Processing your information for purposes beyond our original collection purpose

For Performance of a Contract

• Providing UI/UX design, branding, and web development services
• Communicating with you about your projects
• Delivering project files and final deliverables
• Processing payments and managing billing

For Legitimate Business Interests

• Improving our website and services
• Analyzing website performance and user behavior
• Responding to inquiries and providing customer support
• Maintaining security and preventing fraud
• Conducting business operations and internal administration

For Compliance with Legal Obligations

• Meeting tax and accounting requirements (7-year retention for financial records)
• Responding to lawful requests from authorities
• Complying with court orders or legal processes

5. Legal Basis for Processing

Under POPIA, we process your personal data based on one or more of the following legal bases:

• Your explicit, voluntary, specific, and informed consent
• Performance of a contract to which you are party
• Legitimate interests pursued by us or a third party
• Compliance with legal obligations under South African law
• Protection of your vital interests or those of another person

You have the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal.

6. Information Sharing and Disclosure

We do not sell, trade, rent, or otherwise transfer your personal information to third parties for their own marketing purposes. We may share your information only in the following circumstances:

Service Providers

With trusted third-party service providers who assist our operations under strict confidentiality agreements, including:

• Web hosting providers
• Cloud storage services
• Payment processors
• Email service providers
• Analytics platforms (Google Analytics, Microsoft Clarity, Hotjar)
• Project management tools

Legal Requirements

• To comply with applicable laws, regulations, or legal processes
• To respond to lawful requests from public authorities or courts
• To protect our rights, property, safety, or that of our clients or others
• To enforce our terms and conditions

Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

With Your Consent

For any other purpose with your explicit consent.

All third-party service providers are contractually bound to process your personal information in accordance with POPIA and other applicable data protection laws.

7. International Data Transfers

Some of our service providers (such as Google Analytics, Microsoft Clarity, and Hotjar) may process your personal information outside South Africa, including in the United States and Europe.

When we transfer personal information internationally, we ensure:

• The recipient country is subject to laws providing adequate data protection
• Appropriate safeguards are in place through binding agreements
• The transfer complies with POPIA's requirements for cross-border data flows
• You have provided consent where required

Our service providers are contractually obligated to protect your information in accordance with applicable data protection laws and to implement appropriate security measures.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

• SSL/TLS encryption for data transmission on our website
• Secure data storage systems with access controls
• Password protection and authentication procedures
• Regular security assessments and updates
• Employee training on data protection and confidentiality
• Backup and disaster recovery procedures
• Firewalls and intrusion detection systems

While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you promptly in the event of a data breach as required by POPIA.

9. Data Breach Notification

In the event of a data breach where your personal information may have been accessed or acquired by an unauthorised person, we will:

1. Notify the Information Regulator of South Africa using the prescribed Form SCN1 as soon as reasonably possible after discovering the breach
2. Notify affected data subjects in writing (via email, SMS, or website notice) unless your identity cannot be established
3. Provide details of:
   • The possible consequences of the breach
   • Measures we are taking to address the breach
   • Recommendations for steps you can take to protect yourself
   • The identity of the unauthorized person (if known)

You may contact our Information Officer if you have concerns about a potential data breach.

10. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by South African law. Our retention periods are:

• Contact form submissions and inquiries: 2 years from last contact
• Project client data and files: 7 years after project completion (for tax and legal compliance)
• Newsletter subscribers: Until you unsubscribe or withdraw consent
• Website analytics data: 26 months (Google Analytics default retention period)
• Marketing consent records: Duration of consent plus 1 year for record-keeping
• Financial and accounting records: 7 years (as required by South African tax law)
• Employee applications: 1 year after recruitment process concludes

When personal information is no longer needed, we securely delete or anonymise it in accordance with POPIA requirements.

11. Your Rights Under POPIA

As a data subject, you have the following rights regarding your personal information:

Right to Access:
Request confirmation of whether we hold your personal information and access to that information.

Right to Rectification:
Request correction of inaccurate, incomplete, misleading, or outdated personal information.

Right to Erasure (Right to be Forgotten):
Request deletion of your personal information in certain circumstances, subject to legal retention requirements.

Right to Restriction of Processing:
Request limitation of processing in certain situations, such as when you contest the accuracy of data.

Right to Data Portability:
Request transfer of your personal information in a structured, commonly used, and machine-readable format.

Right to Object:
Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent:
Withdraw consent at any time where processing is based on your consent.

Right to Lodge a Complaint:
Lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated.

Right Not to Be Subject to Automated Decision-Making:
Not be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects.

To exercise any of these rights, please contact our Information Officer using the details provided in Section 2. We will respond to your request within a reasonable period, generally within 30 days, and may request verification of your identity before processing your request.

12. Direct Marketing Communications

We will only send you marketing communications via electronic means (email, SMS, WhatsApp) if you have provided your explicit, informed consent.

Your Rights Regarding Marketing

• Opt out of marketing communications at any time
• Unsubscribe via the link in every marketing email
• Contact our Information Officer to withdraw consent
• Request that we do not contact you for marketing purposes

In accordance with POPIA regulations and the guidance of the Information Regulator, we will only contact you once to request marketing consent unless you have already provided consent or are an existing client with whom we have a business relationship.

If you wish to be placed on our "Do Not Contact" register, please contact us at jonathan@inkblot.co.za or use the unsubscribe mechanism in our communications.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and personalise content. For detailed information about our use of cookies, the types of cookies we use, and how to manage your cookie preferences, please refer to our Cookie Policy.

14. Third-Party Links

Our website may contain links to third-party websites, platforms, or services. We are not responsible for the privacy practices, content, or data collection activities of these external sites. We encourage you to review the privacy policies of any third-party websites you visit.

Third-party sites have their own terms of use and privacy policies, and your interactions with them are governed by their policies, not ours.

15. Children's Privacy

Our services are not directed at children under 18 years of age. Under POPIA, a child is defined as any natural person under 18 who is not legally competent to make decisions independently.

We do not knowingly collect personal information from children under 18 without the consent of a parent, guardian, or other "competent person" as defined by POPIA. If you are under 18, please do not provide any personal information to us without your parent or guardian's consent.

If we become aware that we have collected personal information from a child under 18 without proper parental or guardian consent, we will take immediate steps to delete such information from our systems.

Parents or guardians who believe we may have collected information from their child should contact our Information Officer immediately.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational reasons. We will notify you of any material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending an email notification to registered users (where appropriate)
• Displaying a prominent notice on our website

Your continued use of our website or services after such changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For Complaints

If you believe your privacy rights have been violated, you may lodge a complaint with:

18. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of South Africa, particularly:

• The Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
• The Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002)
• The Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of South Africa.