ZIVARO.

Privacy Policy.

Plain-English version of what data I collect, why, where it goes, and your rights under POPIA. No legalese mountains, no dark patterns.

Effective: 13 May 2026 · Last updated: 13 May 2026

1. Who I am

This site is operated by Kent Weyers, trading as Zivaro, a one-person digital studio based in Cape Town, South Africa. For the purposes of the Protection of Personal Information Act, 2013 (POPIA), I am the responsible party for any personal information collected through this site.

You can reach me at hello [at] zivaro [dot] co [dot] za for any privacy-related questions, requests, or complaints. I act as my own Information Officer until the business grows enough to need a dedicated one.

2. What I collect, and when

I keep collection minimal. Specifically:

  • When you submit the contact form: your name, email address, optionally your company name, optionally your phone number, your selection of services, budget range, timeline, and the message you typed. Plus a timestamp and the page you submitted from.
  • When you email me directly: whatever you choose to include in that email.
  • Server logs: the web server that hosts this site keeps standard access logs (IP address, browser, page requested, response code) for a maximum of 30 days, used only for security and diagnostics.
  • Anonymous analytics (Google Analytics 4): aggregate usage data such as pages visited, traffic source, device category, screen size, approximate country/city derived from IP, and event counts. IP addresses are truncated by Google before storage. See section 9 for cookie details and opt-out options.

I do not collect any other personal information through this site. I do not use marketing or advertising cookies, retargeting pixels, or session replay tools.

3. Why I collect it (lawful basis)

I process the personal information described above on two POPIA-recognised lawful bases:

  • Consent: when you fill in the contact form and submit it, you are consenting to me using the information you provide to reply to you and discuss potentially working together.
  • Legitimate interest: for server logs and basic diagnostics, the legitimate interest of running a functioning, secure website.

I do not use your personal information for marketing without separate consent. I do not sell or rent your information to anyone. Ever.

4. Where the data goes

When you submit the contact form, the data flow is:

  1. Your browser sends the form data over HTTPS to an automation workflow hosted on n8n.
  2. n8n forwards the contents to my email inbox.
  3. A copy is retained in the n8n workflow log for up to 30 days for diagnostics, then deleted.

The processors involved (subprocessors, in POPIA terminology) are:

  • n8n — workflow orchestration. Data is processed in the region I have configured (currently the European Union or South Africa, depending on hosting).
  • My email provider — for receiving and storing the message.
  • The site host — for serving this website and keeping access logs.
  • Google (Google Analytics 4) — for aggregate, anonymous usage analytics. Google may process this data on servers in the United States and elsewhere.

All subprocessors are bound by their own privacy policies and applicable data protection laws.

5. How long I keep it

  • Contact form submissions and email correspondence: retained for as long as our conversation is active. If we do not end up working together, I delete the thread within 12 months of the last contact, unless you ask me to delete it sooner.
  • Active client records: retained for the duration of our engagement plus 5 years afterwards (to meet SARS, contractual, and dispute-resolution requirements).
  • Server logs: 30 days maximum.
  • n8n workflow logs: 30 days maximum.

6. Transborder transfers

Depending on where my n8n instance and email provider are hosted, your personal information may be transferred outside South Africa. The destinations involved are subject to data protection laws comparable to POPIA (typically the EU's GDPR or equivalent). By submitting personal information through this site, you consent to this transborder transfer.

7. Your rights under POPIA

You have the right, at any time, to:

  • Access the personal information I hold about you.
  • Correct any inaccurate or outdated information.
  • Delete your personal information (where I am not required by law to retain it).
  • Object to my processing of your information.
  • Withdraw consent at any time, where consent was the lawful basis.
  • Lodge a complaint with the Information Regulator if you believe I have mishandled your information.

To exercise any of these rights, email me. I will respond within 30 days, usually faster.

The Information Regulator's contact details:

  • JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
  • POPIAComplaints@inforegulator.org.za
  • inforegulator.org.za

8. Security

The site itself is static HTML served over HTTPS only, with security headers configured (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Content-Security-Policy). The contact form sends data over HTTPS to an authenticated webhook. I follow standard practices to protect any personal information I receive, including encrypted storage and least-privilege access.

That said, no system is perfectly secure. If I become aware of a breach affecting your personal information, I will notify you and the Information Regulator as required by POPIA section 22.

9. Cookies, consent, and tracking

This site uses Google Tag Manager (GTM) as a container to load and manage any third-party tags (analytics, marketing, etc.). GTM itself does not collect personal information; it only fires the tags I configure inside it. Any tag I add through GTM is governed by Google Consent Mode v2, which means:

  • On your first visit, a cookie consent banner appears asking you to Accept or Reject analytics.
  • Until you choose Accept, all analytics and marketing storage stays denied. No tracking cookies are written.
  • Your choice is remembered in your browser for 180 days, after which I will ask again.
  • You can change your mind any time by clicking "Cookie settings" in the footer.

At present, the GTM container may be configured to fire the following analytics tags:

  • Google Analytics 4 (GA4) — aggregate, anonymous usage analytics. Sets cookies _ga and a session cookie of the form _ga_* with 24-month lifetimes. Uses Google's default IP anonymisation. Provides page views, traffic sources, device categories, and event counts. Not connected to advertising or used to build user profiles.
  • Microsoft Clarity — session recordings, heatmaps, and behavioural analytics to understand how visitors interact with the site. Sets cookies _clck (user ID) and _clsk (session ID). Clarity automatically masks input fields, passwords, and personal information; you will never see your typed information replayed. Data is sent to Microsoft and retained for up to 13 months. See Microsoft's Clarity cookie details and the Microsoft Privacy Statement.

Neither tool is connected to advertising campaigns or shared with third parties beyond Google and Microsoft. Both stay denied until you accept analytics via the consent banner.

Other ways to opt out (independent of the banner):

  • Use a browser with built-in tracking protection (Firefox with strict mode, Brave, Safari with cross-site tracking prevention).
  • Install Google's official Google Analytics Opt-out Browser Add-on.
  • Block scripts from googletagmanager.com, google-analytics.com, and clarity.ms using uBlock Origin, Privacy Badger, or your browser's content blocking.
  • Refuse cookies for this site in your browser settings.

There are no marketing cookies, no Meta pixel, no LinkedIn Insight Tag, and no retargeting tools currently active on this site. If that changes, this policy will be updated and the consent banner will be expanded to cover the new categories.

10. Children

This site and the services Zivaro provides are aimed at business customers. I do not knowingly collect personal information from anyone under 18. If you believe a child has submitted information through this site, please email me and I will delete it.

11. Changes to this policy

I will update this policy when the site, processors, or data practices change. The "last updated" date at the top reflects the most recent revision. Material changes will be flagged on the site for at least 30 days.

12. Questions

If anything on this page is unclear, or you want to know more about how Zivaro handles your information, email me at hello [at] zivaro [dot] co [dot] za. I am happy to talk you through any part of it in plain language.