Legal · POPIA
Privacy policy.
1 About this policy
This Privacy Policy explains how Global Web Studio ("we", "us", "our") collects, uses, shares, and protects your personal information when you interact with our website, use our dashboard, or receive our services.
We are the responsible party (data controller) for the personal information we process. We comply with the Protection of Personal Information Act 4 of 2013 ("POPIA"), which governs how personal information is handled in South Africa.
2 Who is responsible
Republic of South Africa
hello@globalweb.studio
(Under POPIA, the CEO / sole director is the default Information Officer where one has not been separately appointed.)
3 Information we collect
3.1 You provide it to us
- Account details: name, email, password (hashed), company name, role
- Billing details: last 4 digits of card, card brand, expiry month/year, billing address (where applicable). We never see or store full card numbers — only a token from our payment processor
- Project information: brief answers, reference URLs, content drops, feedback
- Communications: emails, dashboard messages, SMS (where used)
- Contact information: business phone, social handles, domain preferences — anything you share in the onboarding flow
3.2 We collect automatically
- Session data: authentication cookies that keep you signed in; CSRF tokens
- Access logs: IP address, browser type, operating system, and request timestamps — held by our hosting provider (Vercel) for troubleshooting and security
- Project activity: milestone progress, brief submissions, billing events — stored on our backend (Convex)
- Analytics: not currently loaded. When we add GA4 or similar, we'll update this policy and trigger explicit consent via our cookie banner
4 Why we collect it
We process your personal information on the lawful bases set out in POPIA, primarily:
- Contract: to provide the service you're paying us for (project delivery, billing, support, communication)
- Legitimate interest: to run and improve our business (security monitoring, fraud prevention, product development) in a manner that doesn't unduly prejudice your rights
- Legal obligation: to comply with accounting, tax, and reporting requirements (e.g. SARS record-keeping)
- Consent: for optional things like marketing-oriented analytics or direct marketing via email. You can withdraw consent at any time
5 Who we share with (sub-processors)
We use third parties to deliver the service. Each has been chosen because they meet acceptable security standards and have clear privacy policies of their own. We share only the minimum necessary information.
| Provider | What they do | Location |
|---|---|---|
| Convex | Application database + backend functions | EU / US |
| Vercel | Website hosting + CDN + access logs | Global |
| Paystack | Card payment processing + tokenisation | Nigeria / SA |
| Resend | Transactional email delivery + event webhooks | US |
| SMSPortal | Transactional SMS delivery | South Africa |
We may add or change sub-processors over time. Material changes will be reflected in an update to this policy with the date at the top revised.
6 Cross-border transfers
Some of our sub-processors store or process your data outside South Africa (notably in the US and EU). In each case the transfer happens under one of the bases allowed by s.72 of POPIA: the third party is subject to a law / binding corporate rules / contractual terms that provide an adequate level of protection, or you have consented to the transfer by agreeing to this policy.
7 How long we keep your information
- Active subscription data: for the life of your subscription and 90 days after cancellation to allow for reactivation and handover
- Billing records: 5 years after the last invoice, to meet the record-keeping requirements of the Tax Administration Act
- Access logs: typically 30 days, retained by our hosting providers
- Marketing consent: until you withdraw it
- Support correspondence: 2 years from the last exchange
At the end of the applicable period, information is securely deleted or anonymised.
8 How we keep it safe
We take reasonable technical and organisational measures to protect your personal information, including:
- HTTPS / TLS 1.3 on every page and API endpoint
- Password hashing with industry-standard algorithms (our auth provider never stores passwords in plaintext)
- Card details held only by our PCI-DSS compliant payment processor — we see only a tokenised reference
- Access to the admin panel is role-gated and logged
- Regular dependency updates and security patches
- Backup snapshots taken at the infrastructure level by our database provider
No system is perfectly secure. In the event of a data breach that is likely to prejudice your rights, we will notify you and the Information Regulator as required under s.22 of POPIA.
9 Your rights
Under POPIA you have the right to:
- Access: confirm whether we hold information about you and receive a copy of it
- Correction: request that we correct or update inaccurate information
- Deletion: request that we delete information we no longer have a lawful reason to hold
- Objection: object to processing based on legitimate interest or for direct marketing
- Withdraw consent: withdraw consent for any processing based on it, going forward
- Complain: lodge a complaint with the Information Regulator if you believe we've handled your information unlawfully
To exercise any of these rights, email privacy@globalweb.studio and we'll respond within a reasonable time — typically 30 days, never more than 60.
Braamfontein, Johannesburg, 2001
complaints.IR@justice.gov.za · inforegulator.org.za
10 Children
Our services are intended for business use and are not directed at children under 18. We don't knowingly collect personal information from children. If we learn that we have, we will delete it promptly.
11 Direct marketing
We only send direct marketing emails (e.g. newsletters, case studies) to people who have opted in. Every such email includes a one-click unsubscribe link. Transactional emails tied to your subscription (welcome, receipts, payment failures, project updates) are not marketing — you'll keep receiving those as long as you have an active subscription.
12 Changes to this policy
We may update this policy as our services evolve. Material changes will be notified via your registered email address or an announcement on your dashboard. The date at the top of this page reflects the last substantive revision.
13 Contact
We reply within one business day.