Privacy Policy
Last updated: 28 May 2026
1. Who we are
The data controller is The Other Bhengu (Pty) Ltd trading as The Geek ("The Geek", "we", "us"), a private company in the Republic of South Africa. The Information Officer can be reached at privacy@dataacuity.co.za.
2. What this covers
This Privacy Policy describes how we collect, use, share, and protect personal information when you visit dataacuity.co.za, sign up for a key, or use the Service. Where we say "you", we mean both you personally and any organisation you sign up on behalf of.
3. What we collect
Short version: email address, optional company name, API usage logs, and payment status (from PayFast). That's it.
We collect:
- Account details — the email address and optional company name you provide when signing up for a key.
- API usage — counts of requests, the endpoints they hit, response codes, and the time of each request. Used for quota enforcement, billing, abuse detection, and product improvement.
- Payment status — we receive a confirmation from PayFast that your subscription is active and the amount billed. We never see your card number. PayFast handles card data under PCI-DSS.
- Support correspondence — the email, name, topic, and message you send via the contact form, and our replies.
- Technical data — standard web logs (IP address, user-agent, request path) when you visit the marketing site. Retained for 30 days for security and debugging.
4. How we use it
We use personal information to:
- provision your API key and email it to you;
- enforce the monthly quota of your tier;
- send you account, billing, security, and service-status notices (these are transactional, not marketing);
- reply to your support messages;
- investigate abuse or security incidents;
- comply with our legal obligations under POPIA, FICA, and other applicable laws.
We do not use personal information for behavioural advertising, and we do not profile customers for marketing purposes.
5. Lawful basis
For paid subscriptions we process your data on the basis of performance of a contract with you. For support and security activities we rely on legitimate interests (yours and ours, balanced). For free signups and the contact form we rely on your consent, which you can withdraw at any time by emailing us.
6. Who we share it with
Short version: PayFast (payment), our hosting provider, and nobody else. We never sell your data.
We share personal information only with:
- PayFast (Pty) Ltd — for processing paid subscriptions. PayFast is the merchant of record and a separate controller for the payment transaction.
- Our infrastructure providers — we self-host on infrastructure we own and operate in South Africa, with limited use of cloud DNS and TLS-certificate services. These are processors acting only on our instructions.
- Legal authorities — only where required by valid legal process (court order, subpoena), and only the minimum data needed.
We do not sell, rent, or trade personal information.
7. International transfers
Personal information is stored on infrastructure located in South Africa. Where a processor (e.g. a CDN) operates from outside South Africa, we use a transfer mechanism recognised under POPIA and GDPR (typically Standard Contractual Clauses or an equivalent).
8. Retention
- Account record and API key: kept while your key is active. After cancellation or revocation, the email + key hash are kept for 12 months for abuse-investigation and accounting audit, then deleted.
- Billing records: 5 years from invoice date, in line with SARS and FICA requirements.
- API request logs: 90 days at full granularity, then aggregated to per-month totals (which contain no personal information).
- Support correspondence: 24 months after the case is closed.
- Web server logs: 30 days.
9. Your rights
Short version: ask us to see, correct, or delete your data and we will. POPIA and GDPR both give you these rights.
You have the right to:
- request a copy of the personal information we hold about you;
- ask us to correct anything that's wrong;
- ask us to delete your account (subject to legal retention obligations such as FICA's 5-year billing-record rule);
- object to processing based on legitimate interests;
- withdraw consent where consent is our lawful basis;
- lodge a complaint with the South African Information Regulator (inforegulator.org.za) or your local data-protection authority.
To exercise any of these rights, email privacy@dataacuity.co.za. We will respond within 30 days.
10. Security
We use TLS for transport, role-based access control, encryption-at-rest for sensitive fields, and a documented incident-response process. If we have a personal-data breach that is likely to result in a risk to your rights, we will notify you and the Information Regulator within 72 hours of becoming aware of it, as POPIA and GDPR require.
11. Cookies & analytics
The marketing site uses one session cookie required to make the Subscribe form work. We do not use third-party analytics that profile visitors. Server-side request counts (anonymous, aggregated) are what we use to know which pages are useful.
12. Children
The Service is not directed at children under 18. We do not knowingly collect personal information from anyone under 18.
13. Changes
We may update this Privacy Policy. Material changes will be announced by email and on the marketing site at least 30 days before they take effect. The "Last updated" date at the top reflects the current version.
14. Contact
Privacy questions: privacy@dataacuity.co.za
Information Officer: Bonginkosi Bhengu, The Geek.