POPIA Notice

1. Who We Are and Why This Notice Exists

Nimblechapps SA ("we", "us", "our") is a consulting-led technology firm operating in South Africa. We deliver technology consulting services to businesses in mining, construction, healthcare, education, and eCommerce.

The Protection of Personal Information Act 4 of 2013 (POPIA) came into full effect on 1 July 2021. It regulates how organisations collect, store, use, and share the personal information of individuals and juristic persons. As a South African entity, we are a Responsible Party under POPIA and are committed to processing personal information lawfully, fairly, and transparently.

This notice explains what personal information we collect, why we collect it, how we use and protect it, how long we keep it, and what your rights are under POPIA.

2. Information Officer

As required by POPIA, we have designated an Information Officer responsible for ensuring our compliance with the Act and for handling data subject requests.

3. Personal Information We Collect

We collect only the personal information necessary for legitimate business purposes. The categories of personal information we may collect include:

We do not collect special personal information as defined in Section 26 of POPIA (including racial or ethnic origin, health information, criminal records, religious or philosophical beliefs, trade union membership, or biometric information) unless specifically required and with explicit consent.

4. Why We Collect Your Personal Information

We process personal information for the following specific, explicitly defined, and lawful purposes:

• To respond to consultation requests and enquiries — Processing your contact form submission to arrange a consultation call.
• To deliver consulting services — Using client information to fulfil agreed service engagements.
• To manage the business relationship — Sending invoices, project updates, and service-related communications.
• To improve our Website — Using anonymised analytics data (with your consent) to understand how visitors use the site and where improvements can be made.
• To comply with legal obligations — Retaining records as required by South African law, including tax and financial records.
• Direct marketing — Where you have explicitly opted in, sending relevant information about our services. You can opt out at any time.

We will not use your personal information for any purpose not listed above without first obtaining your consent or establishing another lawful basis under POPIA.

5. Lawful Basis for Processing

POPIA requires us to have a lawful basis for every processing activity. Our lawful bases are:

• Consent — For analytics cookies, direct marketing, and any processing not strictly required to deliver services.
• Contract — Processing necessary to fulfil a service agreement with a client.
• Legal obligation — Processing required by South African law, including financial record-keeping.
• Legitimate interest — Processing necessary for our legitimate business interests where those interests are not overridden by your rights. This includes responding to enquiries and managing client relationships.

6. Who We Share Your Information With

We do not sell, rent, or trade personal information. We may share personal information only in the following limited circumstances:

• Service providers (Operators under POPIA) — Third-party tools we use to operate our business, including HubSpot (CRM and forms), Google Analytics (website analytics), and email service providers. These providers process data on our behalf under contractual obligations that require equivalent data protection standards.
• Legal requirements — Where required by law, court order, or regulatory authority, including the Information Regulator.
• Business transfers — In the event of a merger, acquisition, or sale of all or part of our business, personal information may be transferred to the acquiring entity, subject to the same protections described in this notice.

Some of our service providers are based outside South Africa. Where personal information is transferred internationally, we take steps to ensure the receiving country provides adequate data protection or that appropriate safeguards are in place, as required by Section 72 of POPIA.

7. How We Protect Your Personal Information

We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, disclosure, or misuse. These measures include:

• Encrypted data transmission (HTTPS/TLS) for all website communications.
• Access controls limiting access to personal information to those with a legitimate need.
• Use of reputable, POPIA-aware service providers with contractual data protection obligations.
• Regular review of our security practices and those of our service providers.
• A documented incident response procedure in the event of a data breach.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Regulator and affected data subjects as required by Section 22 of POPIA.

8. How Long We Keep Your Information

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law:

• Enquiry and contact form data — Retained for up to 24 months from the date of last contact, after which it is deleted unless a service relationship has been established.
• Client engagement records — Retained for the duration of the engagement and for a period of 5 years thereafter, as required for legal and financial record-keeping.
• Analytics data — Retained for 26 months in Google Analytics, after which it is automatically deleted.
• Financial and tax records — Retained for the period required by South African tax legislation (currently 5 years).

When personal information is no longer required, it is securely deleted or anonymised.

9. Your Rights Under POPIA

Section 5 of POPIA grants you the following rights as a data subject:

To exercise any of these rights, submit a written request to our Information Officer at contact@nimblechapps.co.za. We will respond within a reasonable time and no later than 30 days from receipt of your request.

10. Direct Marketing

We will only send you direct marketing communications where you have expressly opted in or where we have an existing client relationship and the communication relates to similar services, as permitted under Section 69 of POPIA.

You may opt out of direct marketing at any time by:

• Clicking the unsubscribe link in any marketing email.
• Emailing contact@nimblechapps.co.za with your opt-out request.

Opt-out requests will be processed within 5 business days.

11. Complaints and the Information Regulator

If you believe that we have not handled your personal information in accordance with POPIA, please contact our Information Officer in the first instance. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, or if you wish to lodge a complaint directly, you may contact the Information Regulator of South Africa:

12. Related Policies

This POPIA Notice should be read together with our other policies:

• Privacy Policy — How we handle personal information collected through our website and services.
• Cookie Policy — What cookies we use, why, and how to manage your preferences.

13. Updates to This Notice

We review and update this POPIA Notice periodically to reflect changes in law, our business practices, or the guidance of the Information Regulator. The date at the top of this page indicates when it was last updated. Material changes will be communicated to existing clients directly.