Privacy Policy

ThinkStory ("we," "us," or "our") is committed to protecting your privacy and personal information in accordance with South Africa's Protection of Personal Information Act 4 of 2013 (POPIA). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services.

Information We Collect

When you interact with our services, we collect various types of personal information to provide you with the best possible experience. This includes your contact information such as your name, email address, phone number, and physical address, as well as identification information like ID numbers and business registration details when necessary for our services.

We also gather communication data from your messages, feedback, and correspondence with us, alongside technical information including your IP address, browser type, device information, and location data. Through our website and services, we collect usage data that shows us how you interact with our platforms, and we receive form data when you complete our online forms. For business clients, we may also collect company details, project requirements, and service preferences to better serve your needs.

We want to be clear that we do not intentionally collect special personal information such as health data, religious beliefs, or biometric information unless specifically required for our services and with your explicit consent.

How We Collect Information

Your personal information comes to us through several channels. Most directly, you provide information when you fill out forms, contact us, or communicate with us about our services. We also collect information automatically through cookies, tracking pixels, and analytics tools as you use our website. In some cases, we may obtain information from publicly available sources or other third parties, but only with your consent or where legally permitted. Additionally, our various integrated platforms and tools may collect information as part of providing our services to you.

Purpose of Processing

We process your personal information to deliver our core business services effectively. This means managing client relationships and projects, processing your inquiries and requests, and delivering the contracted services you've engaged us to provide. Your information helps us maintain internal administration and record-keeping, ensure quality assurance and continuous improvement of our services, manage our financial obligations including invoicing, and meet legal compliance and regulatory requirements.

With your consent, we also use your information for marketing and communication purposes. This includes sending you service updates and newsletters, improving our services based on usage patterns we observe, conducting retargeting and advertising campaigns, and performing market research and analytics to better understand our clients' needs.

From a technical perspective, we process your information to ensure our website functions properly and performs well, monitor security and prevent fraud, maintain and troubleshoot our systems, and backup and recover data when necessary.

Third-Party Services and Data Sharing

To provide you with comprehensive services, we work with several trusted third-party providers who may process your personal information on our behalf. For analytics and tracking, we use Google Analytics to understand website traffic and user behavior, helping us improve your experience. We also use Meta Pixel for advertising retargeting and conversion tracking, but only with your explicit consent.

Our technical infrastructure relies on Google Maps API for location services and mapping functionality, Make.com for workflow automation and system integration, and Fillout Forms for data collection and form management. For data storage and management, we use Dropbox for secure file storage and document management, and Smartsuite for data organization and project management.

When we transfer data to these third parties, we ensure appropriate safeguards are in place, including contractual protections and security measures. Some of these services may store data outside South Africa, and we verify that adequate protection levels are maintained in accordance with POPIA requirements.

Legal Basis for Processing

We process your personal information based on several legal grounds. When you explicitly agree to specific processing activities, we rely on your consent. To fulfill our contractual obligations to you, we process information necessary for contract performance. We also process information to meet regulatory and legal requirements, and for legitimate business interests that don't override your privacy rights.

Data Retention

We retain your personal information only as long as necessary for the purposes outlined in this policy. For active clients, we keep data during the service relationship and for reasonable follow-up periods. Financial records are retained as required by applicable tax and business laws. Marketing data is kept until you withdraw consent or opt out of communications. Technical logs are typically retained for 12 to 24 months for security and performance purposes.

When retention is no longer necessary, we securely delete or anonymize your information in a manner that prevents reconstruction, ensuring your privacy is protected even after our business relationship ends.

Your Rights Under POPIA

As a data subject under POPIA, you have comprehensive rights regarding your personal information. You can request confirmation of whether we hold your personal information and obtain copies of that information. You're also entitled to receive details about how your data is processed.

If you find that your information is inaccurate, incomplete, or misleading, you can request corrections. You also have the right to request deletion of information that is no longer necessary for our purposes or was unlawfully obtained. In certain circumstances, you can request that we restrict how we process your information.

You have the right to object to processing for direct marketing purposes and to object to processing based on our legitimate interests. When we process your information based on consent, you can withdraw that consent at any time. If you believe we've violated your privacy rights, you can lodge complaints with the Information Regulator of South Africa or pursue civil remedies.

Data Security

Protecting your personal information is a top priority for us. We implement comprehensive technical and organizational security measures to safeguard your data. Our technical safeguards include encryption of data both in transit and at rest, secure access controls and authentication systems, regular security monitoring and updates, and robust backup and disaster recovery procedures.

From an organizational perspective, we provide staff training on data protection principles, implement access controls based on need-to-know principles, conduct regular security assessments and audits, and maintain incident response and breach notification procedures to handle any security issues promptly and effectively.

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience. Essential cookies are required for basic website functionality and security and don't require your consent. Analytics cookies help us understand website usage and improve user experience, but we only use these with your consent. Marketing cookies are used for advertising and retargeting purposes and require your explicit consent.

You can manage your cookie preferences through our cookie consent banner when you first visit our site, or adjust your browser settings to control how cookies are handled.

Data Breach Notification

In the unlikely event of a data breach that poses risks to your rights and freedoms, we have procedures in place to respond quickly and effectively. We will notify the Information Regulator without undue delay and inform affected individuals when required by law. We'll take immediate steps to contain and remedy the breach and implement measures to prevent future incidents.

Children's Privacy

We do not knowingly collect personal information from children under 18 without appropriate parental or guardian consent. If we become aware of such collection, we will take steps to delete the information promptly and ensure proper consent is obtained for any future processing.

International Data Transfers

When we need to transfer your personal information outside South Africa, we ensure that adequate protection levels exist in the destination country, establish appropriate contractual safeguards with recipients, obtain your explicit consent when required, and maintain full compliance with POPIA's trans-border transfer requirements.

Contact Information and Exercising Your Rights

Our Information Officer is responsible for overseeing data protection matters and can be reached at Matthew Masson, matt@thinkstory.co.za, 064 248 3429, ThinkStory, WeWork, 173 Oxford Rd, Johannesburg, 2196. For general privacy inquiries, you can contact us at hello@thinkstory.co.za or 0642483429.

To exercise any of your rights under POPIA, please submit a written request to our Information Officer with adequate proof of identity to verify your request. Specify the nature of your request and the information involved, and allow reasonable time for us to process your request. We will respond to valid requests without undue delay and free of charge, except where permitted by law.

Data Deletion Commitment

We are committed to deleting your personal information immediately upon request, subject to any legal retention requirements. To request immediate deletion, contact our Information Officer using the details above, specify that you want all your personal information deleted, and provide sufficient information to identify your data in our systems. We will confirm deletion within 48 hours of verification.

Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in our processing activities, updates to applicable laws and regulations, improvements to our privacy practices, or new technologies and services we implement. We will notify you of material changes through our website or direct communication to ensure you remain informed about how we protect your privacy.

Regulatory Information

This Privacy Policy complies with the Protection of Personal Information Act 4 of 2013 (POPIA). For questions about your privacy rights or to file complaints, you may contact the Information Regulator of South Africa at www.inforegulator.org.za or complaints.IR@justice.gov.za.

Consent and Acceptance

By using our services, you acknowledge that you have read, understood, and agree to this Privacy Policy. For processing activities requiring explicit consent, we will obtain your specific agreement before proceeding with any such processing.

ThinkStory (Pty) Ltd

Registration Number: 2017/660338/07

Physical Address: ThinkStory, WeWork, 173 Oxford Rd, Johannesburg, 2196.

Email: hello@thinkstory.co.za

This Privacy Policy is effective as of the date listed above and governs our collection and use of personal information from that date forward.