ZIVARO.

Legal

Privacy Policy.

Plain-English version of what data I collect, why, where it goes, and your rights under POPIA. No legalese mountains, no dark patterns.

Effective: 13 May 2026 · Last updated: 1 July 2026

1. Who I am

This site is operated by Kent Weyers, trading as Zivaro, a one-person digital studio based in Cape Town, South Africa. For the purposes of the Protection of Personal Information Act, 2013 (POPIA), I am the responsible party for any personal information collected through this site.

You can reach me at hello [at] zivaro [dot] co [dot] za for any privacy-related questions, requests, or complaints. I act as my own Information Officer until the business grows enough to need a dedicated one.

2. What I collect, and when

I keep collection minimal. Specifically:

  • When you submit the contact form: your name, email address, optionally your company name, optionally your phone number, your selection of services, budget range, timeline, and the message you typed. Plus a timestamp and the page you submitted from.
  • When you email me directly: whatever you choose to include in that email.
  • Server logs: the web server that hosts this site keeps standard access logs (IP address, browser, page requested, response code) for a maximum of 30 days, used only for security and diagnostics.
  • Anonymous analytics (Plausible): aggregate, cookieless usage data such as pages visited, traffic source, device category, screen size, and approximate country derived from IP. No cookies are set, no cross-site identifiers are used, and IP addresses are never stored: they are only used momentarily to derive a country and are discarded. See section 9 for details.

I do not collect any other personal information through this site. I do not use marketing or advertising cookies, retargeting pixels, or session replay tools.

3. Why I collect it (lawful basis)

I process the personal information described above on two POPIA-recognised lawful bases:

  • Consent: when you fill in the contact form and submit it, you are consenting to me using the information you provide to reply to you and discuss potentially working together.
  • Legitimate interest: for server logs and basic diagnostics, the legitimate interest of running a functioning, secure website.

I do not use your personal information for marketing without separate consent. I do not sell or rent your information to anyone. Ever.

4. Where the data goes

When you submit the contact form, the data flow is:

  1. Your browser sends the form data over HTTPS to an automation workflow hosted on n8n.
  2. n8n forwards the contents to my email inbox.
  3. A copy is retained in the n8n workflow log for up to 30 days for diagnostics, then deleted.

The processors involved (subprocessors, in POPIA terminology) are:

  • n8n — workflow orchestration. Data is processed in the region I have configured (currently the European Union or South Africa, depending on hosting).
  • My email provider — for receiving and storing the message.
  • The site host — for serving this website and keeping access logs.
  • Plausible (self-hosted) — for aggregate, cookieless usage analytics. This runs on my own infrastructure, so the data is not shared with any third-party analytics provider.

All subprocessors are bound by their own privacy policies and applicable data protection laws.

5. How long I keep it

  • Contact form submissions and email correspondence: retained for as long as our conversation is active. If we do not end up working together, I delete the thread within 12 months of the last contact, unless you ask me to delete it sooner.
  • Active client records: retained for the duration of our engagement plus 5 years afterwards (to meet SARS, contractual, and dispute-resolution requirements).
  • Server logs: 30 days maximum.
  • n8n workflow logs: 30 days maximum.

6. Transborder transfers

Depending on where my n8n instance and email provider are hosted, your personal information may be transferred outside South Africa. The destinations involved are subject to data protection laws comparable to POPIA (typically the EU's GDPR or equivalent). By submitting personal information through this site, you consent to this transborder transfer.

7. Your rights under POPIA

You have the right, at any time, to:

  • Access the personal information I hold about you.
  • Correct any inaccurate or outdated information.
  • Delete your personal information (where I am not required by law to retain it).
  • Object to my processing of your information.
  • Withdraw consent at any time, where consent was the lawful basis.
  • Lodge a complaint with the Information Regulator if you believe I have mishandled your information.

To exercise any of these rights, email me. I will respond within 30 days, usually faster.

The Information Regulator's contact details:

  • JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
  • POPIAComplaints@inforegulator.org.za
  • inforegulator.org.za

8. Security

The site itself is static HTML served over HTTPS only, with security headers configured (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Content-Security-Policy). The contact form sends data over HTTPS to an authenticated webhook. I follow standard practices to protect any personal information I receive, including encrypted storage and least-privilege access.

That said, no system is perfectly secure. If I become aware of a breach affecting your personal information, I will notify you and the Information Regulator as required by POPIA section 22.

9. Cookies, consent, and tracking

This site uses Plausible Analytics, a privacy-first, cookieless analytics tool, self-hosted on my own infrastructure. Because it does not use cookies or collect any personal information, no cookie consent banner is required:

  • No cookies. Plausible sets no cookies and writes nothing to your device's storage.
  • No cross-site or persistent identifiers. You are not tracked across sites or across visits, and no profile is built about you.
  • No personal information. Only aggregate metrics are recorded: page views, referral source, device category, screen size, and approximate country. Your IP address is never stored: it is used momentarily to derive a country, then discarded.
  • Self-hosted. The analytics data stays on my own infrastructure and is not shared with any third-party analytics provider.

If you still prefer not to be counted, you can:

  • Use a browser with built-in tracking protection (Firefox with strict mode, Brave, Safari with cross-site tracking prevention).
  • Block the script served from test-apps-plausible.renrgg.easypanel.host using uBlock Origin, Privacy Badger, or your browser's content blocking.
  • Enable "Do Not Track" in your browser.

There are no advertising cookies, no Google Analytics, no Meta pixel, no LinkedIn Insight Tag, and no session-replay or retargeting tools active on this site. If that ever changes in a way that involves cookies or personal information, this policy will be updated and, where the law requires it, a consent mechanism will be added.

10. Children

This site and the services Zivaro provides are aimed at business customers. I do not knowingly collect personal information from anyone under 18. If you believe a child has submitted information through this site, please email me and I will delete it.

11. Changes to this policy

I will update this policy when the site, processors, or data practices change. The "last updated" date at the top reflects the most recent revision. Material changes will be flagged on the site for at least 30 days.

12. Questions

If anything on this page is unclear, or you want to know more about how Zivaro handles your information, email me at hello [at] zivaro [dot] co [dot] za . I am happy to talk you through any part of it in plain language.