Privacy Policy

1. Who we are

LRWKleinhans (Pty) Ltd, trading as Kleinhans Digital, is a Johannesburg-based digital agency. We design and build websites, deliver SEO and digital marketing, and operate a local-AI workflow product called Kleinhans AI for South African SMEs.

We are the Responsible Party under the Protection of Personal Information Act, 2013 (POPIA) for personal information collected through this website. Our Information Officer's contact details appear at the end of this policy.

2. Information we collect, why we collect it, and what happens if you do not provide it

We collect personal information directly from you, only when you provide it, and only for the purposes set out below. Provision is voluntary in every case, but without certain information we cannot perform the service.

Contact form

We collect your name, business name, email address, phone number, and the content of your message. We use this information to respond to your enquiry. If you do not provide an email address or phone number, we cannot reply.

Quote configurator and account registration

We collect your name, business name, phone number, email address, and project requirements. We use this information to prepare a written proposal and manage the resulting project. Without it, we cannot quote or onboard you.

Authentication via Google

When you sign in using Google OAuth, we receive your name and email address from Google. We do not receive your Google password or any payment information held by Google. You may review Google's own privacy policy to understand how Google processes your data.

Usage analytics

We may collect anonymised information about how visitors use the site, including pages viewed and time on site. This information is anonymised and cannot be used to identify you individually.

We do not collect special personal information (children's information, race or ethnic origin, religious or philosophical beliefs, health or sex life, biometric information, financial information beyond invoicing) through this website.

3. How we use your information

We use your personal information to:

• respond to your enquiries and prepare proposals
• manage your project and communicate progress
• issue invoices and process payments
• provide ongoing support and maintenance under your retainer
• send service-related communications relevant to your account
• comply with our legal obligations under South African law (including the Companies Act 2008, the Tax Administration Act 28 of 2011, and POPIA itself)

We do not use your information for unsolicited marketing. We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

4. Data storage, location, and cross-border transfers

Your data is stored in Supabase, a managed PostgreSQL service whose underlying infrastructure runs on Amazon Web Services. The AWS region in use is outside South Africa (typically the United States or the European Union). This means a transborder transfer of your personal information takes place when we collect it.

Under Section 72 of POPIA, we are permitted to make this transfer because the recipient operates under laws or binding rules that uphold principles substantially similar to POPIA, and the transfer is necessary for the performance of a contract between you and us, or for the conclusion or performance of a contract with a third party in your interest.

We use industry-standard encryption in transit (TLS) and at rest. Access to stored data is restricted to authorised personnel on a need-to-know basis.

Our local-AI product Kleinhans AI runs entirely on the customer's premises and does not transfer personal information offshore at all. Agency-side data stored under this website (quotes, project records, contact submissions) currently sits with the cloud providers named above. We are working towards an option to host agency-side personal information on South African infrastructure.

5. Third-party services

We share the minimum information necessary with the following service providers in order to operate this site:

• Supabase: authentication and database storage. Receives your name, email, project data.
• Google OAuth: sign-in functionality. Google returns your name and email to us.
• Web3Forms: contact form delivery. Receives the fields you submit.
• Make.com: internal workflow notifications. Receives quote and contact submission summaries.
• Google Fonts: font delivery. Receives your IP address as a standard side effect of any web font request.
• Microlink: website screenshot generation for our portfolio. Receives the URL of the site being captured.

Each provider has its own privacy policy. We have reviewed each and are satisfied that they offer protection in line with POPIA.

6. Your rights as a data subject

Under POPIA you have the following rights:

• Right of access (Section 23): request a copy of the personal information we hold about you
• Right to correction or deletion (Section 24): ask us to correct inaccurate or out-of-date information, or to destroy or delete information we are no longer entitled to retain
• Right to object (Section 11(3)): object on reasonable grounds to processing
• Right to object to direct marketing (Section 69): object to direct marketing at any time, free of charge
• Right to complain to the Information Regulator: at any time, particularly if we have not handled your concern to your satisfaction

To exercise any of these rights, contact our Information Officer using the details at the end of this policy. We respond as soon as reasonably possible and ordinarily within 30 calendar days.

7. Cookies

This website uses session cookies necessary for authentication and session management. We do not use advertising or tracking cookies. We do not run cookie-based behavioural profiling.

8. Data retention

We retain personal information only for as long as necessary for the purposes set out in this policy, or as required by law:

• Account, project, and quote data: for the duration of our relationship with you and for five years after the last invoice, in line with retention requirements under the Companies Act 2008 and the Tax Administration Act 28 of 2011
• Contact form submissions: up to two years, unless a project relationship begins, in which case the data moves into the project record
• Anonymised analytics: indefinitely, since this data cannot identify you individually

You may request deletion of your account data at any time. Where deletion would conflict with a legal retention obligation, we will explain the basis and retain only the minimum required.

9. Security and breach notification

We apply reasonable technical and organisational measures to protect your information from loss, unauthorised access, interference, modification, or disclosure. These include TLS encryption for all data in transit, encryption at rest within our database provider, multi-factor authentication on administrative accounts, restricted access on a need-to-know basis, and regular review of our suppliers' security practices.

If we become aware of a security compromise affecting your personal information, we will notify you and the Information Regulator as soon as reasonably possible, in line with Section 22 of POPIA.

10. Changes to this policy

We update this policy from time to time. The “Last updated” date at the top reflects the most recent change. We do not retroactively reduce your rights. Material changes are communicated by email to active account holders.

11. Information Officer and complaints

For privacy queries, requests, or complaints, contact our Information Officer:

• Company: LRWKleinhans (Pty) Ltd, trading as Kleinhans Digital
• Email: info@kleinhansdigital.co.za
• WhatsApp: +27 72 634 0848
• Location: Johannesburg, Gauteng, South Africa

You also have the right to complain to the Information Regulator of South Africa:

• Web: inforegulator.org.za
• Email: complaints.IR@justice.gov.za
• Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
• Telephone: +27 (0)10 023 5200