Privacy Policy.

1. Overview
The Mokingbrd Collective (Pty) Ltd ("The Mokingbrd Collective", "we", "us", "our") is committed to protecting the personal information of everyone who interacts with our business — whether you are a prospective client completing a contact form, a current client whose project data we manage, a subscriber to our newsletter, or a visitor to our website.
This Privacy Policy explains what personal information we collect, how and why we use it, who we share it with, how long we keep it, and what rights you have under the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR), The Personal Information Protection and Electronic Documents Act (PIPEDA), The Personal Information Protection Act (PIPA).
The short version: We collect only what we need. We keep it only as long as necessary. We do not sell it. We do not share it without a lawful reason. You have the right to access, correct, or delete it. If you have any questions, email us at psoonderjee@themokingbrdcollective.com.
 

2. Who We Are
The Mokingbrd Collective (Pty) Ltd is a South African company registered under the CIPC in 2026. For the purposes of POPIA, The Mokingbrd Colllective (Pty) Ltd is the Responsible Party — the entity that determines the purpose and means of processing your personal information.

 
3. What We Collect
3.1 Information you provide directly
Contact and enquiry data. When you complete a contact form, request a free audit, or send us an email (your name, company name, email address, phone number, and the contents of your message).
Newsletter subscription data. Your email address, and optionally your name, when you subscribe to our Insights newsletter.
Client engagement data. For active clients, project-related information including business details, access credentials (stored encrypted), and communication records necessary to deliver our services.
Event registration data. Name, email address, and company details when you register for a webinar or workshop we host.
3.2 Information collected automatically
Usage data. Pages visited, time spent on pages, referring URLs, browser type, operating system, device type, and screen resolution. This is collected via Google Analytics 4.
IP address. Collected automatically by our hosting infrastructure. Used for security monitoring and aggregated geographic analysis only.
Cookies and local storage. See Section 9 (Cookies) for full detail.
3.3 Information we do not collect
We do not collect payment card information. All payments are processed directly by our payment provider and card data is never transmitted to or stored by The Mokingbrd Collective.
We do not collect special categories of personal information as defined by POPIA (including health data, biometric data, religious beliefs, race, or political affiliation) unless you voluntarily include such information in a message to us, in which case it is used solely to respond to you and is not retained beyond that purpose.
We do not knowingly collect personal information from persons under the age of 18. See Section 12 (Children's Privacy).


 
4. Why We Collect It — Purposes of Processing
We process personal information only for the following specific, lawful purposes:
To respond to enquiries. When you contact us, we use your details to respond to you. Simple.
To provide our services. Client engagements require us to hold and process project-related information in order to deliver web design, SEO, and cybersecurity services.
To send our newsletter. Only to subscribers who have explicitly opted in. Every newsletter contains a one-click unsubscribe link.
To improve our website. Aggregated, anonymised analytics help us understand which content is valuable and identify technical issues affecting user experience.
To comply with legal obligations. Invoicing, tax records, and responses to lawful requests from regulatory authorities.
To protect our security and yours. IP-level monitoring to detect and respond to malicious activity against our infrastructure and, by extension, the systems we manage for clients.
We do not process personal information for profiling, automated decision-making, advertising targeting, or any purpose beyond those listed above.

 
5. Legal Basis for Processing
Under POPIA, every processing activity must have a lawful ground. Our grounds are as follows:
Contractual necessity. Processing required to fulfil our obligations to clients under signed service agreements — including holding project data, credentials, and communication records.
Legitimate interest. Website analytics, security monitoring, and business development communications — where our interest in operating a safe, effective website is balanced against your rights and interests. You may object to processing on this basis at any time and we will stop unless we have a compelling legitimate ground that overrides your interests.
Consent. Newsletter subscriptions and non-essential cookies — always freely given, specific to the purpose, informed, and withdrawable at any time without consequence. Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal.
Legal obligation. Retention of financial and contractual records as required by South African tax law (seven years under the Income Tax Act) and the Companies Act.

 
6. Sharing Your Personal Information
We do not sell your personal information. We do not share it for advertising purposes. We do not share it with data brokers. We share it only in the following limited, documented circumstances:
6.1 Service providers (Operators under POPIA)
We use a small number of third-party tools to operate our business. Each is bound by a written data processing agreement under which they may only process personal information as directed by us and for no other purpose:

• Google Analytics 4 — website usage analytics. IP anonymisation is enabled. Data is aggregated and not used to identify individuals.

• Mailchimp — newsletter distribution. Subscriber email addresses and names are shared with Mailchimp solely for the purpose of sending newsletters.

• Calendly — meeting scheduling. Name and email address are processed when you book an appointment.

• Xero — accounting and invoicing. Client name, company name, address, and banking reference details for invoicing purposes.

• Cloudflare — content delivery network and DDoS protection. IP addresses are processed in transit only; Cloudflare does not retain them beyond their stated security logging period.

6.2 Legal requirements
We will disclose personal information if we are required to do so by applicable law, court order, or a lawful request from a government or regulatory authority. We will disclose only the minimum information required and, where legally permissible, will notify the affected individual.
6.3 Business transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of the business, personal information may be transferred to the successor entity as part of the transaction. All transferred data will remain subject to the same protections as outlined in this policy. Affected individuals will be notified by email prior to any transfer where their information will be subject to a different privacy policy.
6.4 Protection of rights
We may disclose personal information where we believe in good faith that disclosure is necessary to prevent harm, fraud, or a violation of our terms of service and where the disclosure is proportionate to that risk.

 
7. Data Retention
We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention periods are as follows:
Contact form enquiries and email correspondence. Three years from the date of last contact, or until you request deletion — whichever comes first.
Client project records. Seven years from the end of the engagement. This period is mandated by the South African Income Tax Act and the Companies Act for financial and contractual records.
Newsletter subscriber data. Retained until you unsubscribe. Following unsubscription, your data is permanently deleted from our systems and from Mailchimp within 30 days.
Website analytics data. 26 months, in accordance with Google Analytics 4 default settings. All data is aggregated and anonymised.
Security and access logs. 90 days, after which logs are automatically purged. Logs are used solely for security monitoring and incident response.
Recruitment applications. Six months from the date of the decision on your application, unless you consent to a longer period for future consideration.
When retention periods expire, data is permanently deleted or irreversibly anonymised using industry-standard methods. You may request early deletion at any time. See Section 8 (Your Rights).

 
8. Your Rights
Under POPIA, you have the following rights regarding your personal information. We take these rights seriously and will not penalise you in any way for exercising them.
8.1 Right of Access (Section 23, POPIA)
You have the right to request a copy of all personal information we hold about you. We will provide this free of charge within 30 days of a verified request. The information will be provided in a commonly used electronic format unless you specify otherwise.
8.2 Right to Correction (Section 24, POPIA)
You have the right to request correction of personal information that is inaccurate, incomplete, misleading, or out of date. We will correct it and, where the information has been shared with third parties, notify those parties of the correction.
8.3 Right to Deletion (Section 24, POPIA)
You have the right to request deletion of your personal information where we no longer have a lawful basis to hold it, where you have withdrawn consent, or where the information is no longer necessary for the purpose for which it was collected. We will comply unless we are required to retain the information by law or for the establishment, exercise, or defence of legal claims.
8.4 Right to Object (Section 11(3), POPIA)
You have the right to object at any time to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
8.5 Right to Withdraw Consent
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing that occurred prior to withdrawal. You can unsubscribe from our newsletter at any time using the link in any email we send. You can withdraw cookie consent at any time via the Cookie Settings link in our footer.
8.6 Right to Complain
You have the right to lodge a complaint with the Information Regulator of South Africa if you believe we have processed your personal information unlawfully or in breach of POPIA. The Information Regulator can be contacted at:
Information Regulator (South Africa) Website: www.inforegulator.org.za Email: complaints.IR@justice.gov.za Telephone: +27 12 406 4818 Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
We strongly encourage you to contact us first at psoonderjee@themokingbrdcollective.com before lodging a formal complaint. In our experience, privacy concerns are almost always resolved quickly through direct engagement.
8.7 How to Exercise Your Rights
Email psoonderjee@themokingbrdcollective.com with the subject line "Privacy Request [Type of Request]". We will acknowledge your request within 3 business days and respond fully within 30 days. We may require verification of your identity before fulfilling requests to prevent unauthorised disclosure. We will not charge a fee for reasonable requests.

 
9. Cookies
Our website uses cookies (small text files stored in your browser when you visit). On your first visit, you will be presented with a cookie consent banner. You may accept all cookies, decline non-essential cookies, or manage your preferences by category.
9.1 Essential cookies (no consent required)
These cookies are strictly necessary for the website to function and cannot be switched off:

• Session management cookie — keeps you authenticated during an active session. Expires when you close the browser.

• CSRF token — protects form submissions against cross-site request forgery. Expires when you close the browser.

• Cookie preference — stores your cookie consent choice so we do not ask you again. Expires after 12 months.

9.2 Analytics cookies (consent required)

• _ga (Google Analytics 4) — distinguishes unique users. Expires after 2 years.

• _gid (Google Analytics 4) — distinguishes unique users. Expires after 24 hours.

• ga[container-id] (Google Analytics 4) — maintains session state. Expires after 2 years.

All Google Analytics data is collected with IP anonymisation enabled. We do not share Analytics data with Google for advertising purposes. We do not use remarketing or advertising features in our Analytics configuration.
9.3 Managing cookies
You can withdraw cookie consent at any time by clicking "Cookie Settings" in the footer of any page. You can also control cookies through your browser settings, most browsers allow you to view, block, and delete cookies. Please note that disabling essential cookies will affect the functionality of the website.

 
10. Security
We apply the security standards to our own data that we recommend to clients and implement for them professionally. Our measures include:

• TLS 1.2/1.3 encryption for all data transmitted between your browser and our servers

• AES-256 encryption for sensitive data stored at rest, including credentials and confidential client documents

• Role-based access controls — staff access only the personal information necessary for their specific responsibilities

• Multi-factor authentication enforced for all internal systems that hold or process personal information

• Automated vulnerability scanning of our own infrastructure on a monthly basis, with a manual penetration test annually

• All staff trained on data handling responsibilities, phishing awareness, and incident response procedures annually

• Physical security measures at our office premises controlling access to workstations and paper records

No method of transmission over the internet or method of electronic storage is 100% secure. While we implement robust measures, we cannot guarantee absolute security. In the event of a security breach that poses a risk to your rights and freedoms, we will notify the Information Regulator of South Africa and affected individuals within 72 hours of becoming aware of the breach, as required by Section 22 of POPIA.

 
11. Third-Party Links
Our website contains links to external websites, including industry publications, certification bodies, and partner organisations. This Privacy Policy applies only to www.themokingbrdcollective.com. The Mokingbrd Collective is not responsible for the privacy practices, content, or security of any external websites. We recommend reviewing the privacy policy of any website you visit via a link from our pages before providing any personal information.

 
12. Children's Privacy
Our services are directed at businesses and their employees. We do not knowingly collect, process, or retain personal information from individuals under the age of 18. Our website is not directed at children. If you believe we have inadvertently collected personal information about a child, please contact us immediately at psoonderjee@themokingbrdcollective.com and we will delete it promptly and completely.


 
13. International Data Transfers
Our primary operations and data storage are based in South Africa and Calgary, Canada. Where we use third-party service providers who process data outside South Africa and Canada — including Google (United States) and Mailchimp (United States) — we ensure that appropriate safeguards are in place as required by Section 72 of POPIA, PIPEDA, and PIPA. These safeguards include binding contractual clauses requiring the recipient to apply equivalent data protection standards.

 
14. Changes to This Policy
We review this policy at least annually and whenever there is a material change to how we process personal information. The "Last Updated" date at the top of this document reflects the most recent revision.
When we make significant changes, we will notify active newsletter subscribers by email at least 14 days before the changes take effect, and display a prominent notice on our website for 30 days. Minor changes (such as clarifications that do not alter the substance of our processing activities) will be updated without specific notification.
Continued use of our website or services after the effective date of a policy update constitutes acceptance of the revised policy. If you do not agree with the changes, you may request deletion of your personal information at any time.