Privacy Policy.
How YohWeb collects, uses, stores and protects your personal information — designed to comply with POPIA, proudly South African, and written in plain English (with the legalese underneath for the lawyers).
In plain English: We collect only what we need to run your lead machine — names, phones, emails, business info, and the visitor data your website generates. We keep it safe in Joburg at Teraco, we never sell it, and you can ask to see, fix or delete it anytime. Sharp sharp.
Introduction & Scope
Howzit! Zentrio (Pty) Ltd (registration number 2026/489361/07, tax number 9612335225), trading as YohWeb("YohWeb", "we", "us", "our") is a South African company that builds lead-generation website systems for South African businesses — websites, CRMs, AI chatbots, SEO/AEO/GEO optimisation, booking systems, follow-up automation, review automation, and analytics. We're registered and operating out of Johannesburg, Gauteng. We take your privacy seriously — like, seriously seriously.
This Privacy Policy explains how we collect, use, store, share and protect your personal information in line with the Protection of Personal Information Act 4 of 2013 (POPIA), the Constitution of the Republic of South Africa (including the right to privacy in section 14), the Electronic Communications and Transactions Act 25 of 2002 (ECT Act), and any other applicable South African laws.
This Policy applies to:
- Visitors to yohweb.co.za and any subdomains we operate;
- Prospects who complete a form, book a call, or message us on WhatsApp;
- Clients who buy our lead-generation website systems;
- Visitors to client websites that we build, host or maintain (data collected on those sites flows through our infrastructure and is governed by this Policy read with the client's own privacy policy);
- Anyone who emails, calls, or WhatsApps us.
By using our website or services, you consent to the practices described here. If you don't agree, please don't use the site — but we think you'll find we're pretty reasonable.
Information Controller (Responsible Party)
Under POPIA, the entity that determines the purpose and means of processing personal information is called the "Responsible Party". Zentrio (Pty) Ltd (trading as YohWeb) is the Responsible Party for all personal information processed in delivering our services and operating yohweb.co.za.
Where we process personal information on behalf of a client (for example, hosting their CRM or running their follow-up automations), the client is typically the Responsible Party and YohWeb acts as the "Operator"under POPIA section 1 — meaning we process that data only on the client's documented instructions and under a written agreement that meets POPIA section 21.
Our Information Officer is registered with the Information Regulator of South Africa and is your point of contact for any POPIA-related request — access, correction, deletion, objection, or complaint.
Personal Information We Collect
We collect only what we genuinely need to build, run and improve your lead-generation system — no sneaky data harvesting, no creepy shadow profiles. The categories we process are:
- Identity & contact: Name, surname, business name, job title, phone/WhatsApp number, email address, and (for invoicing) physical address.
- Business details: Industry, services offered, target market, current website (if any), business hours, team contacts, brand assets shared with us.
- Project information: Quote requests, discovery-call notes, audit findings, briefs, approvals, change requests, support tickets.
- Communications: WhatsApp messages, emails, call notes, and chat transcripts with our team and our AI assistant "Yoh Bru". We keep these to deliver and improve the service.
- Website visitor data: IP address, browser type and version, device type, operating system, referring URL, pages viewed, time on page, scroll depth, click patterns, form abandonment, geographic region (province-level), and similar technical data collected via analytics, heatmaps and split-test tools.
- Split-test behaviour data: Which variant of a page you saw, your engagement with it (clicks, form starts, conversions), used to determine which version of a client's site performs better.
- Booking data: Selected discovery-call slot, calendar invite, attendance status, follow-up notes.
- Payment metadata: Invoice numbers, amounts, payment status, payment method (e.g. "Paystack", "PayFast" or "Yoco"), transaction references, and the last 4 digits of a card if you choose to display them. We do NOT store full card numbers, CVVs, or full bank account numbers. Card processing happens entirely at Paystack, PayFast and Yoco — all PCI-DSS compliant SA payment gateways.
- Marketing preferences: Which newsletters or product updates you've opted into (and when), so we honour your choices.
- Special categories: We do not knowingly collect race, ethnicity, religion, political opinion, trade union membership, biometric data, health information, or criminal behaviour — unless you volunteer it for a specific purpose (and even then, we'd rather you didn't).
We collect this information directly from you (forms, calls, WhatsApps), from your website visitors (via cookies and analytics tools on sites we run), from your integrations (e.g. when you connect your Google Business Profile), and occasionally from public records (e.g. CIPC, your own website) where we need it to deliver the service.
How We Use Your Information
We use your personal information for legitimate business reasons only:
- Providing our services: Building, hosting, maintaining and supporting your lead-generation website system — the website itself, CRM, AI chatbot, booking calendar, follow-up automations, review automations, and analytics dashboard.
- CRM functionality: Capturing, organising and routing leads you receive through your site so your sales team can follow up sharp sharp.
- AI chatbot training & improvement: Using anonymised chat transcripts and question patterns to improve Yoh Bru's responses for your site and (in aggregate, de-identified form) across our client base. We do NOT use your personal information to train third-party AI models.
- Split-testing & conversion optimisation: Running A/B tests on your site's variants, measuring which performs better, and merging the winner. This involves processing visitor behaviour data.
- Analytics & reporting: Producing performance reports for you (traffic, leads, conversion rates, sources) and improving our own service quality.
- Follow-up communications: Sending you quotes, proposals, project updates, invoices, receipts, and responding to your support queries — via WhatsApp, email, phone, or SMS.
- Billing & accounts: Issuing tax-compliant invoices, processing payments through Paystack (a Stripe company), PayFast and Yoco, chasing overdue accounts, and keeping SARS-compliant records. Monthly fees are auto-deducted on the 1st of every month via Paystack — see our Non-Payment Policy for what happens if a payment fails.
- Security & fraud prevention: Detecting abuse, fraud, unauthorised access, and protecting our infrastructure and clients' data.
- Direct marketing: Sending you the occasional newsletter, product update, or special offer — only with your consent, and only if you haven't opted out. See Direct Marketing below.
- Legal compliance: Meeting our obligations under SA law (SARS, CIPC, POPIA, the Companies Act, the ECT Act, the Consumer Protection Act) and responding to lawful requests from authorities.
We neversell your personal information to third parties. Not to data brokers, not to marketers, not to your competitors. That's not how we roll in Mzansi.
Legal Basis for Processing
POPIA requires us to process personal information only with a lawful basis. We rely on one or more of the following for each processing activity:
- Consent (POPIA s11(1)(a)): For non-essential cookies, direct marketing, AI training on your chat transcripts, and any processing that isn't strictly necessary for delivering the service. You can withdraw consent anytime.
- Contract (POPIA s11(1)(b)): For processing needed to enter into and perform our service agreement with you — building your site, running your CRM, processing payments, delivering support.
- Legal obligation (POPIA s11(1)(c)): For processing required by SA law — keeping tax records for SARS (5 years), responding to lawful requests from authorities, complying with the Companies Act and ECT Act.
- Legitimate interests (POPIA s11(1)(f)): For processing that protects our business, clients, or the public — fraud prevention, security monitoring, network integrity, internal analytics, and recovering money owed to us. We balance our interests against your rights and only process where the impact on you is reasonable.
- Public interest / your vital interests: Rarely, where processing is necessary to protect someone's life or for the proper administration of justice.
Where we rely on consent, you have the right to withdraw it at any time by emailing howzit@yohweb.co.za. Withdrawing consent won't affect processing that's already happened or that we're required to do by law.
Data Storage & Security
Your data is hosted at Teraco— South Africa's largest tier-III data centre provider, with facilities in Johannesburg (JB1 & JB2) and Cape Town (CT1). That means your info stays on Mzansi soil, subject to SA law, not bouncing around overseas servers we can't vouch for. Teraco is ISO 27001 certified and PCI-DSS compliant at the infrastructure layer.
Teraco JB1 & JB2 (Isando, Johannesburg) · CT1 (Brackenfell, Cape Town) · ISO 27001 certified · 99.99% uptime SLA · N+1 UPS · diesel generator backup (yes, even during load-shedding — their power resilience is properly sorted).
Security measures we actually implement:
- Encryption in transit: TLS 1.3 (HTTPS) on all connections — site, API, dashboard, chat widget.
- Encryption at rest: AES-256 on databases, backups, and object storage.
- Access controls: Role-based access, least-privilege principle, mandatory two-factor authentication (2FA) on all admin and engineering accounts, single-sign-on, session timeouts.
- Network security: Web Application Firewall (WAF), DDoS protection, intrusion detection, regular vulnerability scanning, and annual third-party penetration testing.
- Backups: Daily encrypted backups with 30-day retention, stored in a separate Teraco facility. Quarterly restore drills.
- Code security: Dependency scanning, secret scanning, code review, signed deployments.
- Staff: Background checks on new hires, POPIA training on induction and annually, signed confidentiality agreements, disciplinary process for breaches.
- Physical: Teraco handles biometric access, CCTV, 24/7 on-site security, mantraps, and fire suppression.
We limit access to personal information to trained staff who actually need it to do their jobs. Despite our best efforts, no system is 100% secure — if we ever suffer a data breach, see Data Breach Response for how we handle it (no hiding, no spinning).
Data Retention
We keep your personal information only as long as we need it for the purposes set out in this Policy, or as required by SA law (especially the Tax Administration Act, which requires us to keep tax records for 5 years). After that, we securely delete or irreversibly anonymise it.
| Category | Retention period | Reason |
|---|---|---|
| Lead enquiries (non-clients) | 2 years from last contact | Reasonable window for follow-up; then deleted/anonymised |
| Active client data | Duration of service + 5 years | SARS tax record-keeping (Tax Administration Act) |
| Project files & source code | Handed to client on completion; backups kept 24 months | Recovery safety net; then deleted |
| Invoices & billing records | 5 years after the tax year ends | SARS / Companies Act compliance |
| CRM leads (on client sites) | Until client instructs deletion; client controls | Per client's own retention policy |
| Analytics & visitor data | 26 months rolling | Year-over-year comparison; older data aggregated/anonymised |
| Heatmap & session recordings | 3 months rolling | Short optimisation window; then auto-deleted |
| Split-test data | Until test concludes + 12 months | Audit trail; then aggregated |
| WhatsApp / email / chat transcripts | Duration of relationship + 12 months | Support continuity; then deleted |
| Marketing consent records | Until withdrawal + 3 years | Proof of consent under POPIA / ECT Act |
| Server logs (access, error, security) | 90 days rolling | Security & troubleshooting; then overwritten |
| Backups | 30 days | Recovery window; then overwritten |
After the retention period, your data is securely deleted or irreversibly anonymised. No zombie data hanging around forever. If you want your data deleted sooner, see Your Rights Under POPIA.
Third-Party Services
We rely on a small number of trusted SA and international services to run our business. Each is contractually bound to handle data in line with POPIA, and we share only what's strictly necessary to deliver the service.
Each provider has their own privacy policy (linked from their sites) and is treated as an "Operator" or "Responsible Party"in their own right under POPIA, depending on the service. We perform due diligence before onboarding any new processor and review them annually.
Payment Data & Card Security
We take payment security seriously — like, "would-rather-eat-braaivleis-without-chakalaka" seriously. Here's the deal in plain English:
Payment data is processed by Paystack (a Stripe company). We never store your card details — not the full card number, not the CVV, not the expiry. Paystack is PCI-DSS compliant (the global security standard for card payments), which means your card data is captured, encrypted, and tokenised entirely on Paystack's secure infrastructure. We only ever see a payment reference and a "paid / failed" status. That's it. If a breach ever happened, your card data was never on our servers in the first place — sharp sharp.
In practical terms, this means:
- We never see your card number. When you pay by card via Paystack, the card form is hosted on Paystack's PCI-DSS-certified domain. The data goes straight from your browser to Paystack's vault — it never touches our servers, our logs, or our databases.
- We never store CVVs or full bank account numbers. Even if you emailed us your card details (please don't!), we'd delete them and ask you to use the secure Paystack link instead.
- What we do keep: Invoice number, amount, payment method label (e.g. "Paystack — Card"), transaction reference, payment status, and the last 4 digits of your card (purely so you can recognise which card was used on your invoice). All of this is stored encrypted at rest on our Teraco-hosted infrastructure.
- Tokenisation: For recurring monthly billing, Paystack (a Stripe company) issues us a payment token — a random string that lets us trigger the next month's payment on the 1st of every month without ever seeing the card. The token can only be used by us, for the amount you authorised, and you can revoke it anytime via Paystack or by asking us to cancel. Automatic monthly billing data (token, last 4 digits, card brand, expiry) is stored encrypted at rest on our Teraco-hosted infrastructure.
- Alternative payment methods: EFT, PayFast and Yoco are also available (all PCI-DSS compliant SA gateways). The same principle applies — we never see or store your card data. Pick whichever method lets you sleep easiest at night.
- PCI-DSS scope: Because we never touch raw card data, our PCI-DSS scope is dramatically reduced. We complete an annual Self-Assessment Questionnaire (SAQ-A) — the lightest PCI-DSS category — confirming we don't store, process, or transmit cardholder data on our systems.
- Disputes & chargebacks: If you spot a transaction you don't recognise, contact your bank first (they'll raise a chargeback through Paystack), then email us at howzit@yohweb.co.za so we can investigate on our side too.
For Paystack's own privacy and security disclosures, see paystack.com. For PayFast and Yoco, see their respective privacy policies. We do not control their practices — but we only partner with SA gateways that take PCI-DSS seriously.
Cross-Border Transfers
Your personal information is stored primarily on South African soil at Teraco (Johannesburg & Cape Town). POPIA section 72 restricts cross-border transfers of personal information — we comply as follows:
- Default position: Personal information stays in SA. Our databases, backups, CRM and analytics data all live at Teraco.
- International tools: A few of our service providers (Google Analytics, Google Search Console, Hotjar, GitHub, Cloudflare) may process data internationally. We only use them where: (a) you've consented to the transfer; or (b) the recipient is bound by appropriate safeguards (e.g. Standard Contractual Clauses, Binding Corporate Rules, or certification under an approved framework); or (c) the transfer is necessary for the performance of our contract with you.
- WhatsApp / Meta: Messages you send via WhatsApp Business API may be processed on Meta's global infrastructure. Meta is certified under the EU-U.S. Data Privacy Framework and provides appropriate safeguards. If you'd rather not use WhatsApp, you can email us instead.
- Transparency: We maintain a register of all cross-border transfers. You can request a copy from our Information Officer.
If a future SA law or Information Regulator guidance requires us to change our transfer practices, we'll update this Policy and notify affected clients.
Your Rights Under POPIA
POPIA gives you (the "data subject") real, enforceable rights over your personal information. Here they are, in plain South African English:
- Right to be notified (s18): Know when we collect your data and what we're doing with it (this Policy does that job).
- Right of access (s23): Ask what personal info we hold about you, for free, once per year. We respond within 30 days.
- Right to correction (s24): Ask us to fix inaccurate, out-of-date or incomplete info. We'll action it sharp sharp.
- Right to deletion ("right to be forgotten"): Ask us to delete your info — subject to legal retention requirements (e.g. SARS records we have to keep).
- Right to object (s11(3) & s73): Object to processing for direct marketing (we honour this immediately) and to processing based on legitimate interests.
- Right to withdraw consent: If we're processing on consent (e.g. cookies, marketing), you can withdraw it anytime — no questions, no penalty.
- Right to restrict processing: While we verify accuracy or investigate an objection, we'll pause non-essential processing.
- Right to portability: Get your data in a structured, commonly used, machine-readable format (e.g. CSV, JSON) so you can take it elsewhere.
- Right to complain: Lodge a complaint with the Information Regulator of South Africa if you're not happy with how we handle your data. We'd rather you come to us first, but you don't have to.
To exercise any of these rights, email howzit@yohweb.co.za with the subject line "POPIA Request". Please include enough detail for us to identify you (name, email, business). We respond within 30 days— usually much faster. We don't charge for access requests made once per year; reasonable fees may apply for excessive or repeated requests (we'll tell you first).
Information Regulator of South Africa: inforegulator.org.za · Complaints: complaints@inforegulator.org.za · +27 12 406 4818
Direct Marketing
POPIA (sections 69 & 73) and the ECT Act (section 45) regulate direct marketing by electronic means. Here's how we comply:
- Consent first: We only send direct marketing (newsletters, product updates, special offers) to people who have given us explicit, opt-in consent. No pre-ticked boxes, no "by using this site you agree to marketing" tricks.
- Existing customers: We may market our own similar products to existing clients without fresh consent, but only if (a) we got your details when you bought from us, and (b) we give you an easy opt-out on every message. This is the "soft opt-in" under POPIA s69(2).
- Unsubscribe: Every marketing message includes a working, one-click unsubscribe link or WhatsApp opt-out. We honour opt-outs within 5 working days.
- No cold lists: We don't buy contact lists. We don't scrape the web for contacts. Every person we market to gave us their details directly.
- Frequency: We send marketing emails at most twice a month. WhatsApp marketing — never, unless you specifically ask.
- Time of day: We only send marketing messages during reasonable hours (Mon–Fri 08:00–17:00 SAST) per ECT Act guidance.
To opt out of marketing at any time, click "unsubscribe" in any email, reply "STOP" to any WhatsApp, or email howzit@yohweb.co.za with "Unsubscribe" in the subject. We'll action it sharp sharp. Project communications (about your actual service) aren't marketing — those we'll keep sending until the work is done.
Children's Data
Our services are designed for South African businesses and the people who run them. We do notknowingly collect personal information from anyone under 18 (POPIA defines a child as a person under 18). Our services aren't directed at children, and we don't market to them.
If you're under 18, please don't submit your details — get a parent or guardian to do it on your behalf. If we discover we've collected personal information from a child without verifiable parental consent, we'll delete it sharp sharp. If you believe this has happened, please contact our Information Officer immediately.
For clients building sites that may attract under-18 visitors (e.g. a family restaurant), we advise on age-appropriate design and can implement age-gates where needed. We don't knowingly process children's personal information for marketing or profiling.
Data Breach Response
POPIA section 22 requires us to notify the Information Regulator and affected data subjects of a security compromise ("data breach") where there are reasonable grounds to believe it has occurred. Here's our process:
- Detect & contain: Our monitoring (WAF, intrusion detection, anomaly alerts) aims to catch breaches fast. On suspicion, our incident lead isolates affected systems within 1 hour.
- Assess: Within 24 hours, we assess the scope — what data, whose data, how it happened, what's the risk to data subjects.
- Notify the Regulator: If the breach is "of significance" (POPIA s22(2)), we notify the Information Regulator as soon as reasonably possible, in writing, with the prescribed details.
- Notify you: If the breach is likely to affect your rights adversely, we notify you (in plain language) with: what happened, what data was involved, what we're doing about it, what you can do to protect yourself, and how to contact us. No hiding, no spinning.
- Remediate: We patch the vulnerability, restore from clean backups if needed, and review our controls to prevent recurrence.
- Post-incident review: Within 14 days, we complete a written post-mortem and update our security practices accordingly.
If you suspect a breach (e.g. you got a suspicious email claiming to be from us, or you see your data somewhere it shouldn't be), email howzit@yohweb.co.za with "URGENT: Possible Breach" in the subject. We treat all such reports seriously and respond within 24 hours.
Changes to This Policy
We may update this Privacy Policy from time to time as our services evolve, SA law changes, or the Information Regulator issues new guidance. When we make material changes, we'll:
- Bump the "Last updated" date at the top of this page.
- Notify active clients via email at least 14 days before changes take effect.
- Post a prominent notice on our homepage for 30 days.
- Keep previous versions archived — you can request a copy from our Information Officer.
We encourage you to review this page periodically. Continued use of our services after changes take effect means you accept the updated Policy — but where we need fresh consent (e.g. new cookies, new marketing), we'll ask for it explicitly.
Contact Our Information Officer
Zentrio (Pty) Ltd (trading as YohWeb) is the Responsible Party under POPIA. Our Information Officer is registered with the Information Regulator and is your point of contact for any POPIA request (access, correction, deletion, objection, complaint, opt-out) or any question about this Policy.
Zentrio (Pty) Ltd (Reg: 2026/489361/07) · Trading as YohWeb · Designed to comply with POPIA · Data hosted at Teraco, Johannesburg & Cape Town · Last reviewed annually
We'll explain anything in plain South African English — no legalese, we promise. Email howzit@yohweb.co.za or WhatsApp 010 880 1234 — real humans, sharp sharp.