Privacy Policy

Effective date: 30 June 2026
Last updated: 30 June 2026

1. Who we are

This Privacy Policy explains how Red And White Agency (Pty) Ltd, trading as “red&white” (“red&white”, “we”, “us” or “our”), collects, uses, shares and protects your personal information when you visit redandwhite.agency (the “Website”), contact us, or engage us for our services.

For the purposes of POPIA, red&white is the “responsible party” in respect of the personal information described in this Policy.

Responsible party: Red And White Agency (Pty) Ltd
Registration number: 2018/071718/07
VAT number: 4650317276
Registered address: 39 Van Riebeek Street, Bothasig, Cape Town, Western Cape, 7441
Information Officer: Jéan Botha
Information Officer email: info@redandwhite.agency

Note for completion: POPIA requires the responsible party’s Information Officer (and any deputy Information Officers) to be registered with the Information Regulator before they take up their duties.

This Policy applies to data subjects in the Republic of South Africa.

2. Key definitions (POPIA)

“Personal information” means information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person (such as a company).
“Special personal information” means personal information concerning a person’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour.
“Processing” means any operation concerning personal information, including its collection, recording, storage, use, dissemination or destruction.
“Data subject” means the person to whom personal information relates.
“Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that responsible party.

3. The information we collect

We collect personal information in the following ways:

(a) Information you give us — for example when you complete a contact or enquiry form, request a proposal, subscribe to updates, or correspond with us. This may include:

name and surname;
email address and telephone number;
company name, role and website;
the content of your message and any information you choose to provide; and
marketing preferences.

(b) Information we collect automatically — when you use the Website we may collect:

IP address, approximate location, browser type and device information;
pages visited, referring URLs, and dates/times of access; and
cookie and similar-technology identifiers (see section 11).

(c) Information from third parties — for example analytics providers, advertising platforms, and publicly available professional sources (such as a company website or LinkedIn).

We do not intentionally collect special personal information through the Website and ask that you do not submit it to us unless we specifically request it for a lawful purpose with your consent.

4. The eight conditions for lawful processing

We process personal information in accordance with the eight conditions for the lawful processing of personal information set out in POPIA, namely: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation.

5. Why we process your personal information, and our lawful basis

We process personal information only where POPIA permits — that is, where you have consented, where processing is necessary to conclude or perform a contract with you, to comply with a legal obligation, to protect a legitimate interest of yours, or for the legitimate interests of red&white or a third party. We use your information to:

Purpose	Justification under POPIA
Respond to your enquiries and provide requested information	Performance of a contract / our legitimate interests
Provide, manage and improve our services to clients	Performance of a contract / legitimate interests
Send service communications (e.g. proposals, invoices, account notices)	Performance of a contract / legal obligation
Send marketing communications where permitted (see section 7)	Consent / legitimate interests
Operate, secure and improve the Website and analyse usage	Legitimate interests
Comply with legal, tax and regulatory obligations	Legal obligation
Establish, exercise or defend legal claims	Legitimate interests

6. Further processing

If we wish to use your personal information for a purpose other than that for which it was collected, we will only do so where the new purpose is compatible with the original purpose, or where you have consented, or where the further processing is otherwise permitted by POPIA.

7. Direct marketing

In line with section 69 of POPIA, we will only send you electronic direct marketing (such as email) where:

you are an existing customer, we obtained your contact details in the context of a sale, the marketing relates to our own similar products or services, and you were given the opportunity to opt out at the time of collection; or
you have given your consent to receive marketing.

You may withdraw your consent or opt out of marketing at any time, free of charge, by using the unsubscribe link in any message or by contacting our Information Officer. We will not use your details for marketing where you have objected.

We do not sell your personal information. We may share it with:

Operators (service providers) who process personal information on our behalf — for example hosting, email, analytics, advertising, CRM and form providers. These operators process personal information only on our instructions and under a written contract that requires appropriate security safeguards;
Clients, where you have interacted with us in connection with a project we are delivering for that client;
Professional advisers, such as lawyers, accountants and auditors;
Authorities and regulators, where required by law or to protect our rights; and
A successor entity, in connection with a merger, acquisition or sale of assets.

9. Cross-border transfers of personal information

Some of our operators (for example cloud hosting, analytics or advertising platforms) may store or process personal information outside South Africa. In accordance with section 72 of POPIA, we will only transfer personal information to a third party in a foreign country where:

the recipient is subject to a law, binding corporate rules or binding agreement that provides an adequate level of protection comparable to POPIA;
you have consented to the transfer;
the transfer is necessary for the performance of a contract with you (or at your request); or
the transfer is for your benefit and it is not reasonably practicable to obtain your consent, but you would likely give it.

10. How long we keep your information

We keep personal information only for as long as necessary for the purposes set out in this Policy, including to satisfy any legal, accounting, tax or reporting requirements, and to establish or defend legal claims. When personal information is no longer required, we will securely delete, destroy or de-identify it. Retention periods vary by record type; details are available on request from our Information Officer.

11. Cookies and similar technologies

The Website uses cookies and similar technologies to function, to remember your preferences, to measure traffic, and (where permitted) to support advertising. Cookies fall broadly into the following categories:

Strictly necessary — required for the Website to operate;
Analytics/performance — help us understand how the Website is used;
Functionality — remember your choices; and
Advertising/targeting — used to deliver and measure relevant advertising.

Where required, we ask for your consent before placing non-essential cookies. You can manage non-essential cookies through our cookie banner (where available) and through your browser settings. Blocking some cookies may affect how the Website works.

12. Security safeguards

In line with section 19 of POPIA, we maintain appropriate, reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised destruction, and unlawful access or processing. These include access controls, encryption in transit where appropriate, and contractual safeguards with our operators. Where an operator processes personal information on our behalf, we require them to maintain comparable safeguards and to notify us of any compromise.

If we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will notify you and the Information Regulator as soon as reasonably possible, in accordance with section 22 of POPIA.

13. Your rights as a data subject

Subject to POPIA, you have the right to:

be notified that we are collecting your personal information, and where it has been accessed without authorisation;
request access to the personal information we hold about you, and to be told the identity of third parties who have or have had access to it (POPIA section 23);
request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (POPIA section 24);
object, on reasonable grounds, to the processing of your personal information (POPIA section 11(3));
withdraw your consent where processing is based on consent (this does not affect processing carried out before withdrawal);
not be subject to a decision based solely on the automated processing of your information that has legal or similarly significant effects, except as permitted by law; and
submit a complaint to the Information Regulator.

To exercise any of these rights, contact our Information Officer (section 1). POPIA prescribes specific forms for certain requests (for example Form 2 for access to information and Form 1 for objecting to processing); we will help you use the correct process. We may need to verify your identity before acting on a request.

14. Requests for information (PAIA)

You may also request access to records we hold under the Promotion of Access to Information Act, 2000 (“PAIA”). Our PAIA Manual is available on request from our Information Officer.

15. Complaints to the Information Regulator

If you are unhappy with how we have handled your personal information, you may lodge a complaint with the Information Regulator:

The Information Regulator (South Africa) JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 PO Box 31533, Braamfontein, Johannesburg, 2017 General enquiries: enquiries@inforegulator.org.za POPIA complaints: POPIAComplaints@inforegulator.org.za Website: https://inforegulator.org.za

We would, however, appreciate the opportunity to address your concerns before you approach the Regulator, so please contact our Information Officer first.

16. Children’s personal information

The Website is not directed at children, and we do not knowingly process the personal information of a child (a person under 18) without the consent of a competent person (such as a parent or guardian), except as permitted by POPIA. If you believe we hold a child’s personal information without the required consent, please contact us so we can delete it.

17. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date above shows when the latest changes took effect. Material changes will be brought to your attention where appropriate.

18. Contact us

For any privacy question or request:

red&white — Information Officer Email: info@redandwhite.agency Post: 39 Van Riebeek Street, Bothasig, Cape Town, Western Cape, 7441