Privacy Policy
Effective date: 16 March 2026 | Last updated: 16 March 2026
Dalu Digital ("we", "us", "our") is a digital agency based in Johannesburg, South Africa. We build custom websites, booking systems, online stores and dashboards for small businesses. This Privacy Policy explains how we collect, use, store and protect your personal information in compliance with the Protection of Personal Information Act, 2013 (POPIA).
By using our website (daludigital.co.za), engaging our services, or subscribing to a support plan, you agree to the practices described in this policy.
1. Information We Collect
We may collect the following personal information:
- Identity information: first name, last name
- Contact information: email address, phone number, WhatsApp number
- Service information: project details, service requests, website URLs
- Payment information: payment method, transaction references, amounts, dates (processed securely through PayFast — we do not store card numbers)
- Subscription information: plan name, start/end dates, billing cycle, payment history
- Technical information: IP address, browser type, device type (collected automatically when you visit our site)
- Communication records: emails, WhatsApp messages, and form submissions related to your project or account
2. How We Collect Your Information
We collect personal information in the following ways:
- Directly from you — when you fill in a contact form, book a session, subscribe to a plan, or communicate with us via email or WhatsApp
- From payment processors — PayFast sends us transaction confirmations and subscription notifications (ITN callbacks)
- Automatically — our website and hosting providers may collect technical data such as IP addresses and browser information
3. Purpose of Processing
We use your personal information for the following purposes, each with a lawful basis under POPIA:
- To deliver our services — building your website, system or digital product (basis: contract)
- To manage subscriptions — processing payments, sending invoices, and managing your support plan (basis: contract)
- To communicate with you — sending verification codes, project updates, invoices, and service-related notices (basis: contract and legitimate interest)
- To send data retention notices — notifying you before we delete your records under our retention policy (basis: legal obligation)
- To comply with the law — meeting tax, financial record-keeping, and regulatory requirements (basis: legal obligation)
- To improve our services — understanding how clients use our site and services (basis: legitimate interest)
4. Data Sharing
We do not sell, rent or trade your personal information. We may share limited data with the following third parties, strictly for the purposes described above:
- PayFast (payment processing) — receives your name, email, and payment amount to process transactions securely
- Resend (email delivery) — receives your email address and name to send transactional emails such as verification codes, invoices and notifications
- Supabase (database hosting) — stores your data securely on cloud infrastructure
- Hosting providers — your website files may be hosted on services like Vercel, Netlify or similar, which may process technical data
All third-party providers are bound by their own privacy policies and data protection obligations.
5. Data Retention
Key point: We keep your personal information for a maximum of 5 years after your subscription ends or your last transaction, in line with South African tax law (Tax Administration Act, Income Tax Act). After that, your data is permanently deleted.
Our retention process works as follows:
- Active clients: your data is retained for as long as your subscription or project is active
- Cancelled or completed subscriptions: data is retained for 5 years from the cancellation or completion date
- 30-day warning: approximately 30 days before the 5-year mark, we send you an email letting you know your records are scheduled for deletion and offering you a chance to request a copy
- Deletion: after 5 years, all your personal data, subscription details and payment history are permanently deleted from our systems, and we send you a final confirmation
- Verification codes: temporary codes (used for email verification) expire within 10 minutes and are automatically cleaned up within 24 hours
6. Your Rights Under POPIA
As a data subject, you have the following rights:
- Right to access — request a copy of the personal information we hold about you
- Right to correction — ask us to update or correct inaccurate information
- Right to deletion — request that we delete your personal information (subject to legal retention requirements)
- Right to object — object to the processing of your information for specific purposes
- Right to data portability — request your data in a structured, commonly used format
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
- Right to lodge a complaint — you may lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, email us at info@daludigital.co.za or reply to any email from Dalu Digital. We will respond within 30 days.
7. Security Measures
We take reasonable measures to protect your personal information, including:
- All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
- Payment processing is handled by PayFast, a PCI-DSS compliant payment gateway — we never see or store your card details
- Database access is restricted using row-level security and service-role authentication
- Verification codes are time-limited (10 minutes) and single-use
- Email verification is required before accessing subscription details
While we implement industry-standard safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly in the event of a data breach, as required by POPIA.
8. Cookies and Tracking
Our website does not use tracking cookies or third-party analytics tools. We do not use Google Analytics, Facebook Pixel or similar services. Any technical data collected (such as IP addresses) is handled by our hosting provider as part of standard web server operations.
9. Children's Privacy
Our services are designed for businesses and are not directed at children under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a child without parental consent, we will delete it immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
11. Information Regulator
If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with:
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
← Back to homepage