Privacy Policy

In terms of POPIA, the “responsible party” is the entity that determines the purpose of and means for processing personal information. For the purposes of this policy, the responsible party is:

In terms of section 55 of POPIA, we have designated an Information Officer who is responsible for ensuring that Beyond Imagination complies with its obligations under POPIA and for handling data subject requests.

You may contact our Information Officer at any time to exercise your rights under POPIA, to raise a concern about how we handle your personal information, or to request a copy of our POPIA manual.

Depending on how you interact with us, we may collect the following categories of personal information (as defined in section 1 of POPIA):

From website visitors and enquiries

• Full name
• Email address
• Telephone number
• Company name and job title
• The nature of your enquiry or project brief

From clients entering into a service agreement

• Identification and contact details of individuals and authorised representatives
• Banking details necessary for invoicing and payment processing
• VAT registration number (where applicable)
• Company registration number (where applicable)
• Project-specific content, brand materials, and data you provide to us

Automatically collected when you visit our website

• IP address and approximate geographic location
• Browser type, version, device type, and operating system
• Pages visited, time spent on pages, and referral source
• Cookie identifiers (see Section 10)

We collect personal information:

• Directly from you when you complete a contact form, submit an enquiry, accept a proposal, or engage our services.
• Via correspondence by telephone, email, or messaging platforms.
• Automatically through our website's analytics tools and cookies when you browse our site.
• From third parties such as referees, business partners, or professional introductions — only where this is permissible under POPIA.

In terms of section 18 of POPIA, we will notify you at or before the time of collecting your personal information about the purposes for which it is collected, your rights, and how to contact our Information Officer — consistent with this Privacy Policy.

We collect and process personal information only for specific, explicitly defined, and lawful purposes:

• Service delivery: To provide the marketing, design, development, and AI solutions you have contracted us to deliver, and to manage the ongoing client relationship.
• Communication: To respond to enquiries, send proposals, provide project updates, and communicate about your account.
• Invoicing and accounting: To issue invoices, process payments, and maintain financial records as required by South African tax law.
• Legal compliance: To comply with our obligations under SARS tax requirements, FICA obligations, POPIA, the ECT Act, and any other applicable legislation or court order.
• Direct marketing: To send you information about our services, industry insights, case studies, or promotions — only where you have given consent or where we have a legitimate interest permitted by POPIA, with an easy opt-out mechanism at all times.
• Website improvement: To understand how our website is used, identify issues, and improve the user experience — through aggregated and anonymised analytics.
• Security and fraud prevention: To protect our systems, your information, and the integrity of our services.

We will not process your personal information for purposes incompatible with those listed above without your consent or a further lawful basis.

Section 11 of POPIA requires us to have a lawful ground for every processing activity. We process your personal information on the following grounds:

• Performance of a contract (s11(1)(b)): Processing necessary to deliver services you have contracted with us to perform, or to take steps at your request before entering into a contract.
• Legal obligation (s11(1)(c)): Processing required to comply with South African law, including tax obligations, FICA, and court orders.
• Legitimate interest (s11(1)(f)): Processing for our legitimate business interests where these are not overridden by your interests or rights — including website analytics, security, communication with existing clients, and marketing to existing clients subject to your right to opt out.
• Consent (s11(1)(a)): Where we rely on your consent — for example, for direct marketing to new prospects or for optional cookies — we will request it clearly and separately, and you may withdraw it at any time.

We do not sell, rent, or trade your personal information. We share personal information only to the extent necessary and only with:

• Operators and service providers: Third-party tools and platforms we use to deliver our services — including cloud hosting providers, email platforms, accounting software, CRM systems, and analytics tools. These parties are appointed as operators under POPIA and are contractually required to apply equivalent protections to your personal information.
• Payment processors: For secure processing of client payments.
• Professional advisers: Our attorneys, auditors, and accountants, who are bound by professional confidentiality obligations.
• Regulatory and law enforcement authorities: SARS, the Information Regulator of South Africa, the South African Police Service, or other authorities where we are legally required or compelled to disclose.

We do not share personal information with third parties for their own independent marketing purposes without your explicit consent.

Some of our service providers are based outside South Africa (for example, cloud infrastructure or analytics platforms based in the United States or European Union). Where we transfer personal information across South Africa's borders, we comply with section 72 of POPIA by ensuring that:

• The recipient country provides an adequate level of protection substantially similar to POPIA; or
• We have put in place appropriate safeguards, such as contractual protections equivalent to POPIA conditions; or
• You have given explicit consent to the specific transfer.

We will not transfer your personal information internationally unless we are satisfied that adequate protections are in place.

We retain personal information only for as long as is necessary to fulfil the specific purpose for which it was collected, or as required by applicable law (section 14 of POPIA — Retention and restriction of records):

• Client records: 5 years from the end of the service relationship, consistent with the prescription period under the Prescription Act 68 of 1969 and SARS record-keeping requirements.
• Accounting and tax records: 5 years from the end of the relevant financial year, as required by the Income Tax Act 58 of 1962 (section 73A) and the Tax Administration Act 28 of 2011.
• Marketing contact lists: Until you object or withdraw consent, or after 3 years of no engagement or communication.
• Website analytics data: Up to 26 months in aggregated or anonymised form.
• Security and access logs: 12 months.

When personal information is no longer required, we destroy, delete, or permanently de-identify it in a secure manner, in accordance with our record destruction policy.

Our website uses cookies — small text files placed on your device — to improve your browsing experience, remember your preferences, and understand how the site is used.

Types of cookies we use

• Strictly necessary cookies: Essential for the website to function correctly (e.g. session management, security). These cannot be disabled without affecting core functionality.
• Analytics cookies: Help us understand traffic patterns and how visitors navigate our site. Data is aggregated and anonymised — we cannot identify you individually through these cookies.
• Preference cookies: Remember your settings and choices (e.g. dark or light mode).
• Marketing cookies: Used where we run targeted advertising campaigns through third-party platforms. These are only placed with your consent.

You may manage or decline non-essential cookies through your browser settings or our consent banner. Disabling certain cookies may affect your experience on our site.

In accordance with section 19 of POPIA, we implement appropriate technical and organisational measures to protect your personal information against loss, unauthorised access, disclosure, interference, modification, or destruction. These measures include:

• Encrypted data transmission over HTTPS (TLS).
• Role-based access controls limiting access to personal information to authorised personnel only.
• Regular security assessments of our systems and infrastructure.
• Staff awareness and confidentiality obligations.
• Secure destruction protocols for records no longer required.

Under POPIA, you have the following rights in respect of your personal information held by Beyond Imagination:

• Right of access (s23): You may request confirmation of whether we hold personal information about you, and a description of that information and the purposes for which it is used.
• Right to correction or deletion (s24): You may request that we correct, delete, or destroy personal information that is inaccurate, incomplete, irrelevant, excessive, out of date, obtained unlawfully, or no longer necessary for the purpose it was collected.
• Right to object (s11(3)): You may object to the processing of your personal information on reasonable grounds, unless legislation permits such processing.
• Right to object to direct marketing (s69): You have an unconditional right to opt out of direct marketing at any time, without providing a reason.
• Right not to be subject to automated decision-making (s71): You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects concerning you, except where permitted under POPIA.
• Right to complain (s74): You have the right to submit a complaint to the Information Regulator if you believe your personal information rights have been violated.

To exercise any of the rights listed above:

• Email our Information Officer at Info@beyondic.co.za.
• Include the subject line “POPIA Data Request”.
• Describe your request clearly and provide sufficient information to identify yourself and the personal information concerned.

We will acknowledge your request within 3 business days and respond substantively within 30 days of receiving a valid, complete request. We may ask you to verify your identity before acting on your request to protect you against fraudulent submissions.

A first request within any 12-month period is processed at no charge. Subsequent requests in the same period may attract a reasonable administrative fee, which we will disclose to you before proceeding.

If you are not satisfied with our response to your complaint or request, or if you believe we are processing your personal information unlawfully, you have the right to lodge a complaint directly with the Information Regulator of South Africa, as provided for in section 74 of POPIA.

We may update this Privacy Policy from time to time to reflect changes in applicable law, our processing activities, or the services we offer. The “Effective” date at the top of this document will always reflect when it was last updated.

Where changes are material, we will notify you by email (if we hold your address) or by a prominent notice on our website. We encourage you to review this policy periodically. Continued use of our website or services after notification of material changes constitutes acceptance of the updated policy.

For all privacy-related queries, access requests, corrections, objections, or complaints:

This Privacy Policy was last updated on 9 May 2026. It supersedes all previous versions.