Privacy policy

From this website, we collect only what you submit voluntarily: typically your name, work email, company and a free-text message. Standard server logs (IP address, user-agent, timestamp) are collected automatically for security and abuse prevention.

In the course of providing services to clients, we process personal information on their behalf as a data operator under POPIA and as a data processor under GDPR. The scope, purpose and lawful basis are governed by the Master Services Agreement and Data Processing Agreement we sign with each client.

We use analytics cookies only with your explicit consent. No tracking cookies are placed until you click “Accept analytics” on the cookie banner. You may withdraw consent at any time via the Cookie settings link in the website footer.

When consent is granted, we load:

• Google Analytics 4 (GA4): pages visited, session duration, referral source. IP addresses are anonymised. No advertising features are enabled.
• Microsoft Clarity: session recordings and heatmaps to identify usability issues. No personally identifiable information is stored.

No other cookies are set. We do not use cookies for advertising, retargeting, or cross-site tracking.

• Consent: analytics cookies. Withdrawable at any time.
• Legitimate interests: security logs; responding to enquiries; business improvement.
• Contract performance: delivering services to clients under signed agreements.
• Legal obligation: compliance with applicable law and regulatory requirements.

To respond to enquiries, deliver contracted services, fulfil legal obligations, and improve our operations. We do not sell, rent or trade personal information to third parties under any circumstances.

We share personal information only with sub-processors required to operate our services (cloud hosting via Microsoft Azure, analytics via Google and Microsoft) and with regulators or law enforcement where legally required. We do not share personal information for third-party marketing. A current sub-processor list is available on request.

Enquiry data is retained for 24 months from last contact. Client-engagement personal information is retained per the relevant DPA, typically for the duration of the engagement plus 12 months. Server logs are retained for 90 days. Analytics data follows GA4 and Clarity retention settings (13 months).

Depending on where you are based, you have the right to access, correct or delete personal information we hold about you, to object to or restrict processing, to data portability, and to lodge a complaint with the relevant supervisory authority.

• South Africa: rights under the Protection of Personal Information Act (POPIA). See our POPIA notice.
• UK / EU: rights under UK GDPR and EU GDPR (Arts. 15–22). See our GDPR notice.
• California, USA: rights under the CCPA and CPRA. See our California privacy notice.

To exercise any right, email legal@inboxd.agency.

Where personal information is transferred outside its country of origin (for example, to Google or Microsoft infrastructure in the US), we rely on Standard Contractual Clauses or UK International Data Transfer Agreements as approved by the relevant supervisory authority.

Material changes will be communicated by updating the effective date above and, where appropriate, notifying registered contacts directly.