WEBSITE PRIVACY POLICY

Burger Industrial Psychology Consulting (Pty) Ltd

1. RESPONSIBLE PARTY AND INFORMATION OFFICER

  1. The Responsible Party for the Processing of Personal Information through the Website is Burger Industrial Psychology Consulting (Pty) Ltd, a private company registered in South Africa with registration number [insert registration number], having its registered address at [insert physical address].
  2. The Responsible Party has appointed [Full Name] as its Information Officer in accordance with section 56 of POPIA. The Information Officer oversees compliance with data protection laws and may be contacted at: Email: privacy@supercoachly.com
  3. Telephone: [insert contact number]
  4. Postal Address: [insert postal address] (marked for the attention of the Information Officer)
  5. The Information Officer is responsible for ensuring compliance with POPIA and GDPR requirements, including the implementation of appropriate technical and organisational measures to protect Personal Information, handling Data Subject requests, managing data breach notifications, and serving as the primary contact point for data protection authorities.

2. DEFINITIONS

  1. "Agreement" means this Website Privacy Policy, as amended from time to time.
  2. "Calendly" means the third-party online appointment scheduling service integrated with the Website.
  3. "Data Subject" means the natural or juristic person to whom Personal Information relates, as defined in section 1 of POPIA and Article 4(1) of the GDPR.
  4. "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  5. "Information Officer" means the person appointed by the Responsible Party in terms of section 56 of POPIA to oversee compliance with data protection laws.
  6. "Operator" means a third-party service provider that Processes Personal Information on behalf of the Responsible Party under a written mandate, as defined in section 1 of POPIA.
  7. "PAIA" means the Promotion of Access to Information Act 2 of 2000 (South Africa).
  8. "Personal Information" means information relating to an identifiable, living natural person or existing juristic person, as defined in section 1 of POPIA and Article 4(1) of GDPR, including the special categories of data listed in section 26 of POPIA.
  9. "POPIA" means the Protection of Personal Information Act 4 of 2013 (South Africa).
  10. "Processing" means any operation or activity concerning Personal Information, including collection, storage, use, dissemination, modification or destruction, whether by automatic means or otherwise, as defined in section 1 of POPIA and Article 4(2) of the GDPR.
  11. "Responsible Party" means Burger Industrial Psychology Consulting (Pty) Ltd, the private company that owns and operates the Website and determines the purpose and means of Processing Personal Information.
  12. "Special Personal Information" means Personal Information concerning a Data Subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour, as defined in section 26 of POPIA.
  13. "Third Country" means a country outside South Africa or the European Economic Area (EEA) that does not provide an adequate level of data protection as determined by the European Commission or the South African Information Regulator.
  14. "Website" means SuperCoachly (www.supercoachly.com) and all related subdomains, pages and content.
  15. "Website Analytics" means the collection and analysis of data relating to user interactions with the Website, including IP addresses, browser types, and pages visited.

3. SCOPE AND APPLICABILITY

  1. This Agreement governs the Processing of all Personal Information collected through the Website, including but not limited to data submitted via contact forms, lead magnet downloads, newsletter sign-ups, Calendly integrations, and Website Analytics.
  2. The Policy applies to all Processing activities conducted by or on behalf of the Responsible Party within South Africa in compliance with POPIA, and to international Data Subjects in accordance with GDPR requirements where applicable.
  3. The provisions of this Policy extend to all Operators processing Personal Information on behalf of the Responsible Party, subject to the terms of written operator agreements as required by POPIA.
  4. This Policy does not apply to third-party websites or services linked from the Website, which are governed by their own privacy policies.

4. PERSONAL INFORMATION COLLECTED

  1. The Responsible Party collects the following categories of Personal Information through the Website:
    1. Contact Form Submissions: Name, email address, telephone number (optional), subject line, and message content provided by Data Subjects.
    2. Lead Magnet Downloads: Name and email address voluntarily provided by Data Subjects for accessing free PDF resources.
    3. Newsletter Sign-ups: Email address provided by Data Subjects for marketing communications.
    4. Calendly Integration: Name, email address, telephone number, and any additional information voluntarily provided by Data Subjects when scheduling consultations.
    5. Website Analytics: IP address, browser type, device information, pages visited, time spent on site, and interaction data collected automatically through cookies and similar technologies.
  2. The Responsible Party does not intentionally collect Special Personal Information through the Website unless voluntarily provided by Data Subjects in free-text fields, in which case such information will be processed in accordance with section 26 of POPIA.

6. COOKIES AND SIMILAR TECHNOLOGIES

  1. The Website uses cookies and similar tracking technologies to enhance user experience, analyze Website usage, and support marketing activities. These technologies may include browser cookies, pixel tags, and web beacons.
  2. The Responsible Party employs the following categories of cookies:
    1. Essential Cookies: Necessary for the Website to function properly, enabling core functionality such as page navigation and access to secure areas. These cannot be disabled through the cookie banner.
    2. Performance Cookies: Collect anonymous information about how visitors use the Website to improve its performance.
    3. Functionality Cookies: Remember user preferences to provide enhanced, more personalized features.
    4. Targeting Cookies: Used to deliver relevant advertising and track the effectiveness of marketing campaigns.
  3. Data Subjects may manage cookie preferences through the cookie consent banner displayed upon first visit to the Website or by adjusting browser settings. Disabling certain cookies may affect Website functionality.
  4. Third-party service providers, including analytics and advertising partners, may place cookies on Data Subjects' devices through the Website. These Operators process such data in accordance with their respective privacy policies and the Responsible Party's contractual obligations with them.
  5. Cookie data is retained for varying periods depending on the specific cookie's purpose, with session cookies expiring at the end of the browsing session and persistent cookies retained for maximum periods not exceeding 24 months unless renewed through subsequent visits.

7. THIRD-PARTY PROCESSORS AND OPERATORS

  1. The Responsible Party engages the following categories of Operators to Process Personal Information on its behalf:
    1. Calendly for appointment scheduling services;
    2. Email marketing service providers for newsletter distribution and lead magnet delivery;
    3. Website analytics service providers for performance monitoring;
    4. Technical infrastructure and hosting providers.
  2. The Responsible Party maintains written Operator agreements with all third-party Processors in compliance with section 20 of POPIA and Article 28 of GDPR. These agreements mandate that Operators:
    1. Process Personal Information only on documented instructions from the Responsible Party;
    2. Implement appropriate technical and organisational security measures;
    3. Ensure confidentiality of all Processed data;
    4. Prohibit engagement of sub-processors without prior authorization;
    5. Assist the Responsible Party in fulfilling Data Subject rights requests;
    6. Cooperate with data protection audits and inspections;
    7. Delete or return all Personal Information upon termination of services.
  3. Where Operators Process data in Third Countries, the Responsible Party ensures compliance with POPIA section 72 and GDPR Chapter V through implementation of appropriate safeguards, including Standard Contractual Clauses approved by the European Commission where applicable.

8. DATA RETENTION AND DELETION

  1. The Responsible Party retains Personal Information only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements in accordance with section 14 of POPIA and Article 5(1)(e) of GDPR.
  2. Specific retention periods apply as follows:
    1. Contact Form Submissions: Retained for 36 months from date of last interaction unless required longer for legal proceedings or regulatory compliance.
    2. Lead Magnet Download Data: Retained for 24 months from last active engagement or until consent is withdrawn, whichever occurs first.
    3. Newsletter Subscriptions: Retained until consent is withdrawn or after 12 months of subscriber inactivity, provided no other lawful basis for retention exists.
    4. Calendly Appointment Data: Retained for 60 months from last appointment to comply with professional services record-keeping requirements and potential liability periods.
    5. Website Analytics: Aggregated data retained indefinitely; identifiable data anonymized within 14 months of collection.
  3. Upon expiry of the applicable retention period or when no longer required for the original purpose, Personal Information will be securely deleted or anonymized using industry-standard methods that prevent reconstruction.
  4. Data Subjects may request early deletion of their Personal Information in accordance with their rights under clause 11, subject to any overriding legal or regulatory requirements that mandate continued retention.
  5. The Responsible Party maintains documented retention schedules and implements periodic reviews to ensure compliance with this storage limitation principle.

9. DATA SECURITY MEASURES

  1. The Responsible Party implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the Processing of Personal Information, in accordance with section 19 of POPIA and Article 32 of GDPR.
  2. These security measures include, but are not limited to:
    1. Encryption of Personal Information both in transit (using TLS/SSL protocols) and at rest (using industry-standard encryption algorithms);
    2. Implementation of role-based access controls to restrict Processing to authorised personnel only, with unique user credentials and multi-factor authentication where appropriate, and regular review of access privileges;
    3. Regular security testing and vulnerability assessments of the Website and associated systems, including penetration tests conducted annually or following significant system changes, with prompt remediation of identified risks;
    4. Secure development practices for all website applications, including code review and security patching procedures;
    5. Network security controls including firewalls, intrusion detection systems, and regular monitoring of system access logs;
    6. Secure storage infrastructure with physical and logical access restrictions for servers and databases containing Personal Information;
    7. Established incident response procedures for suspected or actual data breaches, including containment, assessment, notification and remediation protocols.
  3. All employees and contractors with access to Personal Information receive mandatory training on data protection principles, security protocols and confidentiality obligations, with refresher courses conducted annually. These obligations survive termination of employment or engagement.
  4. The Responsible Party maintains documented information security policies and procedures that are regularly reviewed and updated to address emerging threats and regulatory developments.
  5. Where Operators Process Personal Information on behalf of the Responsible Party, contractual obligations are imposed to ensure equivalent security measures are implemented, as specified in clause 7.
  6. While the Responsible Party employs industry-standard security measures, no electronic transmission or storage method is completely secure. Data Subjects who believe their Personal Information has been compromised should immediately contact the Information Officer as specified in clause 1.

10. INTERNATIONAL DATA TRANSFERS

  1. The Responsible Party may transfer Personal Information to Operators located in Third Countries, including but not limited to service providers in the United States and other jurisdictions where adequate data protection levels have not been formally recognized by the South African Information Regulator or European Commission.
  2. All international transfers of Personal Information comply with section 72 of POPIA and Chapter V of GDPR, implemented through one or more of the following safeguards:
    1. Standard Contractual Clauses approved by the European Commission for transfers subject to GDPR;
    2. Binding corporate rules for intra-group transfers where applicable;
    3. Other adequacy mechanisms recognized under applicable data protection laws.
  3. Prior to any new international transfer, the Responsible Party conducts a transfer impact assessment to evaluate the level of protection afforded in the Third Country and implement supplementary measures where necessary to ensure an adequate level of data protection, considering factors such as the nature of the data, purpose and duration of processing, and legal framework of the destination country.
  4. Data Subjects may request information about the specific safeguards applied to international transfers of their Personal Information by contacting the Information Officer as specified in clause 1.

11. DATA SUBJECT RIGHTS

  1. In accordance with sections 23-25 of POPIA and Articles 15-22 of GDPR, Data Subjects have the following rights regarding their Personal Information:
    1. Right of Access: To request confirmation whether the Responsible Party Processes their Personal Information and to obtain a copy of such information in a structured, commonly used and machine-readable format.
    2. Right to Rectification: To request correction of inaccurate or incomplete Personal Information.
    3. Right to Erasure: To request deletion of Personal Information where no lawful basis for continued Processing exists, subject to legal retention requirements.
    4. Right to Restriction: To request limitation of Processing in specific circumstances where accuracy is contested, Processing is unlawful, or the data is no longer needed but required for legal claims, as specified in Article 18 of GDPR.
    5. Right to Object: To object to Processing based on legitimate interests, direct marketing, or for research/statistical purposes.
    6. Right to Data Portability: To receive Personal Information in a structured, commonly used and machine-readable format and to transmit it to another controller where Processing is based on consent or contract and carried out by automated means.
    7. Right to Withdraw Consent: To revoke previously given consent at any time, without affecting the lawfulness of Processing before withdrawal.
    8. Right to Lodge Complaints: To file a complaint with the South African Information Regulator or relevant EU supervisory authority regarding alleged violations of data protection laws.
  2. The exercise of these rights may be subject to limitations as provided by law, including when necessary to comply with legal obligations, protect public interests, or establish, exercise or defend legal claims.
  3. Data Subjects may exercise these rights by submitting a written request to the Information Officer using the contact details in clause 1, accompanied by sufficient information to verify the requester's identity. The Responsible Party will respond to valid requests within 30 days, with a possible extension of up to 60 additional days for complex requests. No fee will be charged unless the request is manifestly unfounded, excessive or repetitive.

12. EXERCISING YOUR RIGHTS

  1. To exercise any rights under clause 11, Data Subjects must submit a written request to the Information Officer using the contact details provided in clause 1, clearly specifying:
    1. The right being exercised;
    2. The Personal Information to which the request relates;
    3. Sufficient information to verify the Data Subject's identity.
  2. The Responsible Party may require additional verification documentation for requests involving sensitive Personal Information or where identity cannot be reasonably confirmed through initial information provided, including but not limited to government-issued identification or proof of address.
  3. The Responsible Party will acknowledge receipt of valid requests within 5 business days and provide a substantive response within 30 days of receipt, unless the request is complex or voluminous, in which case the response period may be extended by up to 60 additional days with prior notification to the Data Subject.
  4. Where requests are manifestly unfounded, excessive or repetitive, the Responsible Party reserves the right to charge a reasonable administrative fee or refuse to act on the request, with written justification provided to the Data Subject.
  5. Data Subjects dissatisfied with the Responsible Party's response may lodge a complaint as detailed in clause 19.

13. DIRECT MARKETING AND OPT-OUT

  1. The Responsible Party may engage in direct marketing communications via electronic means only with Data Subjects who have provided prior consent in accordance with section 69 of POPIA and Article 21 of GDPR, or where permitted under applicable law.
  2. Data Subjects expressly consent to direct marketing when voluntarily subscribing to newsletters, downloading lead magnets, or explicitly opting in through other Website mechanisms. Each marketing communication will include:
    1. Clear identification of the sender as Burger Industrial Psychology Consulting (Pty) Ltd;
    2. An unsubscribe mechanism that is functional for at least 30 days after transmission;
    3. A valid physical postal address or other contact details as required by section 45 of ECTA.
  3. Data Subjects may opt out of receiving direct marketing communications at any time by:
    1. Clicking the unsubscribe link included in all marketing emails;
    2. Updating their preferences through the Website account settings (where applicable);
    3. Submitting a written request to the Information Officer using the contact details in clause 1.
  4. Opt-out requests will be processed within 10 business days and will result in cessation of marketing communications, without affecting non-marketing service messages related to active engagements. The Responsible Party will maintain suppression lists to prevent future marketing to opted-out Data Subjects.
  5. The Responsible Party will not disclose Data Subjects' Personal Information to third parties for their direct marketing purposes without separate, explicit consent.
  6. Withdrawal of consent for marketing purposes will not affect the lawfulness of Processing prior to withdrawal.

14. CHILDREN'S PERSONAL INFORMATION

  1. The Website is not directed at children under the age of 18, and the Responsible Party does not knowingly collect or Process Personal Information from such Data Subjects without prior verifiable parental or guardian consent in accordance with section 35 of POPIA.
  2. Where a Data Subject indicates they are under 18 years of age through any Website interaction, the Responsible Party will:
    1. Immediately cease Processing such Personal Information;
    2. Take reasonable steps to verify the age of the Data Subject;
    3. Where age is confirmed as under 18, require valid consent from a parent or legal guardian before proceeding with any further Processing, using verification methods appropriate to the context and risk level of the Processing activity.
  3. Parents or guardians who become aware that their child has provided Personal Information without their consent may contact the Information Officer using the details in clause 1 to request deletion of such information. The Responsible Party will take reasonable steps to verify the requester's relationship to the child before complying with such requests.
  4. The Responsible Party implements age-verification measures on all data collection points of the Website to prevent unintentional collection of children's Personal Information, including clear notices prohibiting use by persons under 18 without parental supervision.
  5. Where services are intentionally offered to minors aged 13-17, the Responsible Party will obtain consent from a parent or legal guardian prior to Processing such Data Subject's Personal Information, using enhanced verification methods.
  6. The Responsible Party will promptly delete any Personal Information collected from a child under 18 where parental consent was required but not obtained, unless retention is necessary to comply with legal obligations.

15. BREACH NOTIFICATION AND INCIDENT RESPONSE

  1. The Responsible Party maintains an incident response plan to address actual or suspected breaches of Personal Information in compliance with section 22 of POPIA and Article 33 of GDPR. This plan includes procedures for containment, assessment, notification and remediation.
  2. In the event of a security compromise affecting Personal Information, the Responsible Party will:
    1. Immediately initiate investigation and containment procedures to limit further unauthorized access or disclosure;
    2. Conduct a risk assessment to determine the likelihood and severity of harm to affected Data Subjects, considering the nature of the data, sensitivity, volume of records, and potential consequences;
    3. Where a breach creates a reasonable likelihood of harm to Data Subjects, notify the South African Information Regulator within 72 hours of becoming aware of the breach, using the prescribed Form 1 under POPIA Regulations;
    4. Where required under GDPR, notify the relevant EU supervisory authority within 72 hours where feasible, unless the breach is unlikely to result in a risk to rights and freedoms of natural persons;
    5. Notify affected Data Subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, providing sufficient information to allow them to take protective measures;
    6. Notify relevant third parties such as Operators where their cooperation is required to mitigate the breach.
  3. Breach notifications will include, where possible:
    1. A description of the nature of the breach;
    2. The categories and approximate number of Data Subjects and Personal Information records concerned;
    3. The likely consequences of the breach;
    4. Measures taken or proposed to address the breach and mitigate possible adverse effects;
    5. Contact details for the Information Officer where further information can be obtained.
  4. The Responsible Party will document all data breaches, including the facts relating to the breach, its effects and remedial actions taken, to demonstrate compliance with this clause and for regulatory review purposes.
  5. The Responsible Party will implement appropriate corrective actions following any breach, including security enhancements, staff retraining, and procedural updates to prevent recurrence.
  6. Where an Operator becomes aware of a breach involving Personal Information Processed on behalf of the Responsible Party, the Operator must notify the Responsible Party without undue delay to enable compliance with notification obligations.

16. PAIA MANUAL AND ACCESS TO INFORMATION

  1. The Responsible Party maintains a manual in accordance with section 51 of PAIA, which contains information required for Data Subjects to exercise their rights of access to records held by the Responsible Party, including the procedures, prescribed fees and forms for such requests.
  2. The PAIA manual is available for inspection at the Responsible Party's physical address during normal business hours upon prior written request to the Information Officer, and may be accessed electronically or downloaded from the Website where available.
  3. Data Subjects may request access to records containing their Personal Information in terms of section 23 of POPIA or section 53 of PAIA by submitting a completed Form C as prescribed in the POPIA Regulations to the Information Officer at the contact details provided in clause 1, accompanied by the prescribed fee (if applicable).
  4. The Responsible Party will process access requests within 30 days of receipt, subject to any lawful grounds for refusal as set out in PAIA and POPIA, including but not limited to protection of third party privacy, commercial confidentiality, or where disclosure would prejudice lawful proceedings.

17. CHANGES TO THIS PRIVACY POLICY

  1. The Responsible Party reserves the right to amend this Agreement from time to time to reflect changes in legal requirements, Processing activities, or business practices. Material changes will be communicated to Data Subjects through prominent notices on the Website and, where appropriate, via email to registered users.
  2. The effective date of the current version will be displayed at the top of the Policy. The amended version will supersede all previous versions. Continued use of the Website following such changes constitutes acceptance of the updated terms, except where further consent is required by law.
  3. Data Subjects are encouraged to periodically review this Policy to stay informed about how their Personal Information is protected. Historical versions will be archived and made available upon request to the Information Officer.
  4. Where changes require new consent under POPIA or GDPR, the Responsible Party will obtain such consent before implementing the revised Processing activities.

18. CONTACT INFORMATION

  1. For all privacy-related inquiries, including requests to exercise Data Subject rights under clause 11, please contact the Information Officer using the following details: Email: privacy@supercoachly.com
  2. Telephone: [insert contact number]
  3. Postal Address: [insert physical address], marked for the attention of the Information Officer
  4. The Responsible Party will respond to all legitimate privacy inquiries within 30 days of receipt, or within any extended timeframe permitted by applicable law, in which case the Data Subject will be notified of the extension period.

19. COMPLAINTS TO THE INFORMATION REGULATOR

  1. Data Subjects have the right to lodge a complaint with the South African Information Regulator if they believe their rights under POPIA have been infringed by the Responsible Party's Processing of their Personal Information.
  2. Prior to lodging a complaint with the Information Regulator, Data Subjects are encouraged to first attempt resolution by contacting the Responsible Party's Information Officer as specified in clause 1.
  3. Complaints must be submitted in writing to the Information Regulator using the prescribed form available on the Regulator's website, and should include:
    1. The Data Subject's full contact details;
    2. A detailed description of the alleged infringement;
    3. Any supporting documentation;
    4. Steps already taken to resolve the matter with the Responsible Party.
  4. The Information Regulator may be contacted at:

    JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

    P.O. Box 31533, Braamfontein, Johannesburg, 2017

    Email: complaints.IR@justice.gov.za

    Website: justice.gov.za/inforeg

  5. Data Subjects located in the European Union may alternatively lodge complaints with their local supervisory authority under GDPR.
  6. The Information Regulator may require complainants to complete prescribed forms and provide supporting documentation as specified in the POPIA Regulations.

20. GOVERNING LAW AND JURISDICTION

  1. This Agreement shall be governed by and construed in accordance with the laws of the Republic of South Africa, without regard to its conflict of law provisions.
  2. Any disputes arising from or relating to this Agreement or the Processing of Personal Information shall be subject to the exclusive jurisdiction of the High Court of South Africa, Gauteng Division, Pretoria, for matters falling outside the competence of lower courts.
  3. Notwithstanding clause 20.2, Data Subjects located in the European Union may bring proceedings in their country of residence where required under Article 79 of GDPR.
  4. The application of South African law under this clause shall be without prejudice to any mandatory data protection provisions that may apply under GDPR to Data Subjects located in the European Economic Area.