Skip to content
CipherShift

// privacy.policy

Privacy Policy

How Cipher Shift (Pty) Ltd collects, uses, stores and protects your personal information — written in plain language, compliant with the Protection of Personal Information Act (POPIA), Act 4 of 2013.

Last updated: 25 April 2026

// who we are

The basics, in one paragraph.

Cipher Shift (Pty) Ltd (“we”, “us”, “our”) is a South African digital agency registered in the Republic of South Africa. We operate the website at ciphershift.co.za and provide CIPC company registration, website design, branding, CRM automation, advertising setup and related services to small businesses across South Africa. Our registered address is Roodepoort, South Africa. Our CIPC enterprise registration number is 2026/295833/07 and our B-BBEE certificate number is 9456442513.

We are the “Responsible Party” for any personal information you provide to us through this site or in the course of receiving our services, as defined in POPIA. Our Information Officer can be reached at quintonhoy@ciphershift.co.za.

1. What information we collect

We collect only what we need to deliver the service you’ve asked for. The information we collect depends on which form you submit and which package you buy:

1.1 Contact form

  • Name
  • Email address
  • Phone number (optional)
  • Topic of enquiry
  • Message content

1.2 Brief form (when commissioning work)

  • Full name and ID number (required for CIPC company registration)
  • Email and phone / WhatsApp numbers
  • Physical and postal address
  • Existing company details (if any)
  • Preferred company name(s) and domain(s)
  • Industry and business description
  • Brand preferences, website content, advertising goals
  • Budget and timeline information
  • Digital signature (typed name acceptance under ECTA)

1.3 Automatic technical information

  • IP address (used for rate limiting and abuse prevention only)
  • Browser type and version, device type, screen size (used for error diagnostics and to ensure the site renders correctly)
  • Pages visited, time spent on pages, referring page (used in aggregate for site improvement; never tied to your identity without your consent)

2. Why we collect it

We process your personal information for these specific purposes:

  • To deliver the services you request — e.g. ID number is needed to file CIPC company registration on your behalf; address is needed for CIPC and SARS records.
  • To communicate with you about your project, quotes, invoices, and project updates.
  • To send a confirmation copy of your brief to the email address you provide.
  • To meet our legal obligations — South African companies are required to keep tax-related records for at least five years (Tax Administration Act, 2011).
  • To prevent abuse — IP addresses are used for rate limiting public form endpoints. Submission counts per IP are kept temporarily and never combined with your name or email.

3. Lawful basis for processing

We process your personal information on these lawful bases:

  • Performance of a contract — to deliver the services in the brief you signed.
  • Consent — for analytics cookies, marketing emails, and any optional information you provide.
  • Legal obligation — for tax record retention, CIPC filings, and any subpoena or regulator request.
  • Legitimate interest — for fraud prevention, security monitoring, and aggregate site analytics that don’t identify you.

4. Who we share it with

We do not sell, rent or trade your personal information. We share it only with the following parties, and only the minimum needed for them to do their job:

  • The Companies and Intellectual Property Commission (CIPC) — for company registration filings (your name, ID number, address, company name).
  • The South African Revenue Service (SARS) — for income tax number applications and any compliance filings.
  • Google (Workspace) — emails sent to and from@ciphershift.co.za are processed by Google Workspace under their Data Processing Addendum.
  • Resend (transactional email provider) — used to deliver brief confirmations and contact form messages. See Resend’s privacy policy.
  • Netlify (web host) — serves the website. They process IP addresses and request logs for the duration of each request. See Netlify’s privacy policy.
  • Google Ads — if you click a paid Google ad to reach our site, Google receives anonymous click attribution data. We do not pass back your name, email or any identifying information to Google. Conversion tracking only fires after you submit a form, and only confirms a conversion happened — not who you are.
  • Domain registrar — for clients buying a.co.za domain through us, your name and contact details are submitted to the registry as required by ZADNA (the South African domain authority).
  • Payment processors — when payment systems are connected to a client account, those processors handle cardholder data directly and we never see or store payment card details.

We will share your information with law enforcement, courts or regulators when legally required to do so. We will notify you first unless prohibited by law.

5. How long we keep it

  • Active project data — kept for the duration of the project and for the post-launch support window stated in your package (7, 30 or 60 days).
  • ID numbers and CIPC documents — encrypted at rest and deleted within 90 days of project closure unless retention is required by law.
  • Invoices and tax records — retained for five years as required by the Tax Administration Act, then permanently deleted.
  • Brief and contact form submissions — retained in our CRM for up to 24 months from last contact, then deleted. You can request earlier deletion at any time.
  • Email correspondence — retained for 24 months from the last reply, then archived or deleted.
  • Analytics data — Google retains aggregate analytics data for 14 months by default. We do not extend this.

6. Where it’s stored

Your information is stored on secure cloud infrastructure operated by Google (Workspace, Sheets), Resend (email delivery), and Netlify (web hosting). Some of these providers process data outside South Africa (typically in the EU and US), under standard contractual clauses or other lawful cross-border transfer mechanisms recognised by POPIA section 72.

7. How we protect it

  • All data in transit is encrypted via TLS 1.2 or higher.
  • The website enforces HTTP Strict Transport Security with a two-year preload, blocking downgrade attacks.
  • Strict Content-Security-Policy and Permissions-Policy headers are set to prevent script injection and unauthorised access to browser APIs.
  • Form endpoints use rate limiting and bot protection (honeypot + Turnstile) to prevent automated abuse.
  • Access to the CRM, email accounts and source repositories is limited to authorised personnel using two-factor authentication.
  • Secrets (API keys, passwords) are stored encrypted in the hosting platform’s environment variables and are never committed to source control.

8. Cookies and analytics

We use a single third-party tag — Google Ads (gtag.js) — to measure the performance of our advertising campaigns. By default, advertising and analytics cookies are set to denied (Google Consent Mode v2) and only activate after you accept on the consent banner shown on your first visit.

We do not use Google Analytics, Facebook Pixel, third-party retargeting cookies, or any session-replay tools. You can revoke consent at any time by clearing your browser cookies or contacting us.

9. Your rights under POPIA

You have the following rights with respect to your personal information:

  • The right to be informed — what we collect, why, and what we do with it. This document fulfils that obligation.
  • The right of access — request a copy of all personal information we hold about you.
  • The right to correction — request that inaccurate or out-of-date information is corrected.
  • The right to deletion — request that we delete your information, subject to retention obligations under tax law.
  • The right to object — object to processing that you believe is unlawful or that no longer has a valid lawful basis.
  • The right to lodge a complaint — with the Information Regulator at inforegulator.org.za if you believe we’ve mishandled your information.

10. How to exercise your rights

To request access, correction, or deletion of your personal information, email quintonhoy@ciphershift.co.za with the subject line “POPIA request”. We will respond within 30 days, as required by POPIA section 23. We may need to verify your identity before releasing or deleting data, to prevent fraudulent requests.

11. Children

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has submitted information to us, please email quintonhoy@ciphershift.co.za and we will delete it.

12. Changes to this policy

We may update this policy from time to time to reflect changes in our services, the law, or industry practice. The “Last updated” date at the top of this page tells you when it was last changed. Material changes will be communicated to active clients by email at least 14 days before they take effect.

13. Information Officer contact

Quinton Hoy
Information Officer
Cipher Shift (Pty) Ltd
Registration No: 2026/295833/07
B-BBEE certificate No: 9456442513
Roodepoort, South Africa
quintonhoy@ciphershift.co.za
082 421 9527

This policy has been drafted to comply with the Protection of Personal Information Act, 2013 (Act 4 of 2013) of South Africa and follows the Information Regulator’s published guidance. It does not constitute legal advice.