Back to home

/ Legal

Privacy Policy

Last updated: 9 May 2026

Your privacy matters. This Privacy Policy explains how XYZ Development ("XYZ", "we", "us" or "our") collects, uses, stores, shares and protects your personal information when you visit xyzdevelopment.co.za, create an account, engage our services, or otherwise interact with us. We comply with the Protection of Personal Information Act, 2013 ("POPIA") of South Africa, and apply equivalent principles for visitors in jurisdictions covered by the GDPR or similar laws.

1. About this policy

This policy applies to all personal information we process about you in connection with the XYZ Development website, our services, and any project we undertake for you. Read it together with our Terms of Service.

2. Who we are

XYZ Development is a sole proprietorship operating from Johannesburg, Gauteng, South Africa. We are the responsible party (data controller) for the personal information we process about you.

3. What information we collect

Depending on how you interact with us, we may collect:

  • Identity and contact data: name, email address, phone number, business name, role.
  • Account data: the email and password you use to sign up, your role (user or admin), profile picture (if Google-linked), connected providers (e.g. Google).
  • Project data: messages, briefs, files, code samples and other materials you share with us during a Project Engagement.
  • Communication data: emails, WhatsApp messages, call notes and meeting summaries.
  • Usage data: pages visited, time on site, browser type, device type, approximate location (city level), referring site.
  • Technical data: IP address, browser version, operating system, screen size, language preference.
  • Local storage data: session tokens, preferences and AI tool history stored in your browser (see Cookies, section 12).
  • Marketing data: if you subscribe, your preferences for receiving updates from us.

We do not knowingly collect special categories of personal information (such as health, biometric, or political data).

4. How we collect it

  • Directly from you when you fill in the contact form, sign up, sign in, send us a message, or share project materials.
  • Automatically when you browse the website, through cookies and analytics technologies.
  • From third parties such as Google (when you sign in with Google) and your team, if they invite you to a project.

5. Why we use it

We use your personal information to:

  • Provide and operate the website, your account, and our services;
  • Respond to enquiries and prepare quotes;
  • Deliver Project Engagements, including communication, file sharing, and review;
  • Issue invoices, collect payment, and keep accounting records as required by law;
  • Improve our website, tools, and service offering;
  • Send service-related notifications (e.g. project updates, important account changes);
  • Send marketing communications you have opted in to receive (you can opt out at any time);
  • Comply with our legal and regulatory obligations.

We process your personal information under one or more of the following legal bases:

  • Consent — when you agree to specific processing (e.g. marketing emails). You may withdraw your consent at any time.
  • Contract — to perform a service contract with you or take steps before entering into one.
  • Legal obligation — to comply with tax, accounting and other statutory requirements.
  • Legitimate interest — to operate, secure and improve our business in a way that does not unduly affect your rights (e.g. analytics, fraud prevention).

7. Who we share it with

We do not sell your personal information. We share it only as needed:

  • Service providers — hosting, email, analytics, payment, AI APIs, file storage, and similar tools that help us run the business. These providers are bound by their own privacy and security obligations.
  • Professional advisers — accountants, lawyers and auditors when reasonably required.
  • Authorities — when required by law, court order, or to protect our rights.
  • Successors — if our business is sold, merged or restructured, your data may transfer with the business under the same protections.

8. International transfers

Some of our service providers (for example AI APIs, email services and analytics tools) are based outside South Africa, including in the United States and the European Union. Where personal information is transferred internationally, we rely on lawful transfer mechanisms recognised under POPIA, including:

  • Adequacy decisions where applicable;
  • Standard contractual clauses or equivalent safeguards;
  • The provider's binding privacy commitments and certifications.

9. How long we keep it

We retain personal information only for as long as necessary:

  • Account data — for as long as your account is active. Closed accounts are deleted within 90 days, unless we are required to keep them longer.
  • Project data — for the duration of the engagement and up to 5 years thereafter, to handle queries, defend claims, and comply with tax law.
  • Invoices and tax records — for at least 5 years, as required by South African tax law.
  • Marketing data — until you unsubscribe or after 24 months of inactivity.
  • Website logs and analytics — typically 12 to 26 months in aggregate form.

10. How we protect it

We take reasonable, appropriate technical and organisational measures to protect personal information, including:

  • Encryption in transit (HTTPS/TLS) for all web traffic;
  • Access control on internal systems, with role-based permissions;
  • Reputable hosting and cloud providers with their own security certifications;
  • Regular software and dependency updates;
  • Limiting access to personal data on a need-to-know basis.

No system is 100% secure. If we become aware of a breach affecting your personal information, we will notify you and the Information Regulator as required by POPIA.

11. Your rights

Under POPIA (and equivalent laws), you have the right to:

  • Be told what personal information we hold about you;
  • Request a copy of that information;
  • Correct any inaccuracies, or have outdated data deleted;
  • Object to processing on legitimate grounds;
  • Withdraw consent at any time, where we rely on consent;
  • Lodge a complaint with the Information Regulator.

To exercise any of these rights, email business@xyzdevelopment.co.za. We will respond within 30 days. We may need to verify your identity before acting on a request.

12. Cookies and local storage

We use a small amount of cookies and browser local storage to make the site work and to remember your preferences. We do not use third-party advertising cookies.

Categories we use

  • Strictly necessary — keep you signed in, remember which dashboard tab you're on, and ensure secure session handling. The site does not function without these.
  • Functional — remember your preferences, such as the AI assistant's settings and your chat history (stored locally in your browser, never transmitted unless you trigger an action that sends it).
  • Performance — anonymous, aggregated stats about how visitors use the site, used to improve performance and content. We may add analytics tools (e.g. Google Analytics or a privacy-respecting alternative) in future.

What we currently store

  • xyz-session — your sign-in session token (local only).
  • xyz-users — accounts registered locally during the prototype phase (will move to a secure backend before public launch).
  • xyz-intro-seen, xyz-dash-boot-seen, xyz-sales-boot-seen — flags so the intro animation does not replay every navigation.

How to control cookies

You can clear cookies and local storage at any time from your browser's settings. Note that doing so will sign you out and reset your AI tool history.

13. Children's privacy

Our services are intended for adults (18 years or older). We do not knowingly collect personal information from children. If you believe we have done so, contact us and we will delete the information promptly.

Our website may link to third-party sites (e.g. our calendar booking tool, TikTok, WhatsApp, GitHub). We are not responsible for the privacy practices of those sites. Please read their own privacy policies before submitting any information.

15. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes affecting active accounts, we will notify you by email or via your dashboard. Continued use of the site or our services after the change means you accept the updated policy.

16. Contact and complaints

For privacy-related questions, requests or complaints, contact us first:

If you are not satisfied with our response, you may lodge a complaint with the South African Information Regulator:

Read our Terms of Service