Privacy Policy
Herbst Group of Companies
Document Reference: HG-PRIVACY-POLICY-WEB
Policy Design: © STEYN IP [M00003830_LC/CS/lm]
Effective Date: 25 November 2025
Last Updated: 23 January 2026
Version: 1.0
Document Control
| Action | Name | Date |
|---|---|---|
| Board Resolution | Board of Directors | 11 November 2025 |
| Reviewed | Zelna Symms | November 2025 |
| Approved | Dieter Herbst | November 2025 |
| Validated | Dieter Herbst | 23 January 2026 |
Introduction
Herbst Group (Pty) Ltd and its associated entities ("Herbst Group of Companies", "we", "us", or "our") are committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).
This policy applies to all interactions with herbstgroup.io and covers all five entities operating under our shared governance framework:
- Herbst Group (Pty) Ltd - Registration No. 2024/255350/07
- Herbst Alliance (Pty) Ltd - Registration No. 2024/568485/07
- Herbst Team (Pty) Ltd - Registration No. 2024/711522/07
- Herbst Intelligence - AI and automation division
- Herbst Commercial - Consumer products division
All entities share a unified compliance framework, meaning your rights are protected consistently regardless of which entity you engage with.
Our Commitment
We process your personal information fairly and responsibly. We collect only what we need, use it only for stated purposes, keep it secure, and respect your rights over your own data.
Information Officer Designation
By board resolution dated 11 November 2025, the Company has designated and registered the following officers in accordance with section 55 of POPIA read with section 1 of the Promotion of Access to Information Act 2 of 2000 (PAIA):
Information Officer
Willem Hendrik du Toit
Chief Technical Officer
Email: wimpie@herbstteam.com
Deputy Information Officer
Gesina Wilhelmina Symms
Chief Operations Officer
Email: zelna@herbstteam.com
The Information Officer and Deputy Information Officer have been registered with the Information Regulator as required by section 55(2) of POPIA. Registration No. 2026-001668, issued 8 February 2026.
What Personal Information We Collect
Information You Provide Directly
Contact Form Submissions
- Full name
- Email address
- Company name (optional)
- Your message or enquiry
Newsletter Subscriptions
- Full name
- Email address
Consultation Requests
- Full name
- Email address
- Company name
- Phone number
- Details of your requirements
Information Collected Automatically
Analytics Data (Aggregated and Anonymous)
We use Plausible Analytics, a privacy-focused analytics service that does not use cookies or collect personally identifiable information. We collect only aggregated, anonymous data including:
- Page views and unique visitors (aggregated counts only)
- Referral sources (which website or search engine referred you)
- Device type and browser (general categories only)
- Geographic region (country level only, derived from anonymised IP)
- Pages visited and time spent (aggregated trends)
This data cannot be used to identify you personally. Plausible does not store your IP address, does not use cookies, and does not track you across websites.
Technical Data Processed by Our Infrastructure
When you visit our website, our hosting and security infrastructure necessarily processes certain technical data to deliver our services:
- IP address (processed by Vercel for security and routing; not stored by us)
- Browser user agent (for page rendering)
- Request timestamps (for security monitoring)
This technical data is processed in transit and is not stored in a manner that identifies you personally.
How We Use Your Information
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Respond to your enquiries | Consent | Contact form data |
| Send marketing communications | Explicit consent | Newsletter subscription data |
| Schedule consultations | Consent | Consultation request data |
| Improve our website | Legitimate interest | Aggregated analytics |
| Protect against security threats | Legitimate interest | Technical traffic data |
| Comply with legal obligations | Legal requirement | As required |
We do not sell, rent, or trade your personal information to third parties.
Consent
Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing conducted before withdrawal.
Newsletter subscriptions use double opt-in confirmation:
- You submit your email address
- We send a confirmation email via Resend
- You click the confirmation link
- Your subscription activates
You can unsubscribe at any time using the link in any newsletter.
How Long We Keep Your Information
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form submissions | 24 months | To respond to and follow up on enquiries |
| Newsletter subscriptions | Until you unsubscribe | To send requested communications |
| Consultation requests | 36 months | To maintain client relationship records |
| Analytics data | 24 months | To understand website performance trends |
After these periods, we securely delete or anonymise your information. If you request deletion earlier, we will process your request within 30 days.
Third-Party Processors
We work with carefully selected service providers who process data on our behalf. We are transparent about every service that interacts with data on our website:
Current Third-Party Processors
| Provider | Service | Data Processed | Location |
|---|---|---|---|
| Vercel | Website hosting | Traffic data, IP addresses (transient) | Global with Cape Town PoP |
| Squarespace | Domain registration | Domain records only (no personal data) | USA |
| Plausible | Website analytics | Aggregated anonymous data only | European Union |
| Formspree | Contact form handling | Form submissions (name, email, message) | USA |
| Resend | Email and newsletter delivery | Subscriber data (name, email) | USA |
| GitHub | Version control and deployment | Source code only (no personal data) | USA |
| Anthropic | AI content assistance (Claude) | Content generation (no PII processed) | USA |
| | API integration | Public post content only | USA |
| Google Fonts | Typography delivery | IP address (transient, for font delivery) | USA |
Planned and Potential Future Processors
The following services may be integrated in future. We will update this policy when any new processor is implemented:
| Provider | Service | Intended Location | Status |
|---|---|---|---|
| Turso | Database | South Africa (pending confirmation) | SA data residency requested |
| Microsoft Azure | Cloud storage and processing | Global (SA region available) | GDPR compliant, ISO 27001 |
| Microsoft 365 | Productivity and collaboration | Global | POPIA-aligned DPA available |
| Notion | Form integration and data management | USA | Privacy policy reviewed |
All processors are contractually required to:
- Process data only on our instructions
- Implement appropriate security measures
- Not share data with other parties without authorisation
- Delete data when the processing relationship ends
- Notify us of any data breaches affecting our data
Cross-Border Transfers
Your data may be stored, transferred, or processed outside the borders of South Africa.
Specifically, the following services process data in locations outside South Africa:
| Service | Data Centre Locations | Safeguards |
|---|---|---|
| Vercel | Global (including USA, EU); Cape Town PoP | GDPR compliant, Standard Contractual Clauses |
| Squarespace | USA | Privacy policy reviewed |
| Formspree | USA | Privacy policy reviewed |
| Resend | USA | Privacy policy reviewed |
| GitHub | USA | SOC 2 Type II certified |
| Anthropic | USA | Enterprise security practices |
| | USA | Platform terms and privacy policy |
| Google Fonts | USA | Google Privacy Policy |
| Plausible | European Union | GDPR by design |
For South African data residency: We have submitted a request to Turso for South African data residency. Microsoft Azure also offers South African data centre regions (Johannesburg and Cape Town). Should a client portal or cloud storage be implemented, we intend to utilise South African data centres where available to ensure POPIA-compliant data residency for personal information requiring local storage. This policy will be updated when these capabilities are confirmed and implemented.
Where we transfer personal information to other countries, we ensure appropriate safeguards are in place:
- Adequacy decisions (EU countries)
- Standard Contractual Clauses where applicable
- Vendor security certifications (SOC 2, ISO 27001, GDPR compliance)
- Your explicit consent where required
Security Measures
We implement appropriate technical and organisational measures to protect your personal information:
Technical Measures
- HTTPS encryption on all pages (TLS 1.3)
- Comprehensive security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
- Cookieless analytics (no client-side tracking)
- Environment variable protection for all API keys (encrypted storage)
- DDoS protection via hosting provider
- Quarterly API key rotation
Organisational Measures
- Access limited to authorised personnel with role-based permissions
- Multi-factor authentication required for all administrative access
- Staff training on data protection
- Documented security and incident response procedures
- Regular compliance audits
- Version control with complete audit trail
No method of transmission over the internet is completely secure. While we strive to protect your information using industry-standard practices, we cannot guarantee absolute security.
Your Rights
Under POPIA, you have the following rights:
- Right to Access - Request a copy of the personal information we hold about you.
- Right to Correction - Request correction of inaccurate or incomplete information.
- Right to Deletion - Request deletion of your personal information where there is no compelling reason for continued processing.
- Right to Object - Object to processing of your personal information in certain circumstances.
- Right to Data Portability - Request your data in a structured, machine-readable format.
- Right to Withdraw Consent - Withdraw consent at any time for processing based on consent.
How to Exercise Your Rights
Submit your request to our Information Officer:
Information Officer: Wimpie du Toit
Email: wimpie@herbstteam.com
Subject Line: POPIA Request - [Your Request Type]
Deputy Information Officer: Zelna Symms
Email: zelna@herbstteam.com
Postal Address:
Information Officer
Herbst Group (Pty) Ltd
Suite E106, Midlands Office Park East
1 Mount Quray Street, Midlands Estate
Olifantsfontein, 1682
South Africa
We will:
- Verify your identity
- Process your request within 30 days
- Inform you of any actions taken or reasons for refusal
We do not charge a fee for legitimate requests.
Cookies and Tracking
We do not use cookies for tracking purposes.
Our analytics solution (Plausible) is cookieless by design. We do not use:
- Tracking cookies
- Third-party advertising cookies
- Social media tracking pixels
- Fingerprinting technologies
- Cross-site tracking of any kind
Essential technical processes may involve transient data processing for functionality such as form submission handling and font delivery (via Google Fonts). None of these create persistent tracking identifiers on your device.
Children's Information
Our services are directed at businesses and professionals. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child without appropriate consent from a competent person (such as a parent or legal guardian), we will delete that information promptly.
Direct Marketing
We only send marketing communications if you have given explicit consent, typically through newsletter subscription with double opt-in via Resend.
You can opt out of marketing communications at any time by:
- Clicking "unsubscribe" in any email
- Emailing info@herbstteam.com with "Unsubscribe" in the subject line
Opting out of marketing does not affect communications necessary to respond to your enquiries or provide requested services.
Data Breaches
In the event of a security compromise that may affect your personal information, we will:
- Notify the Information Regulator as required by POPIA
- Notify you as soon as reasonably possible
- Provide details of the breach and steps we are taking
- Offer guidance on protective measures you can take
Our incident response procedures categorise breaches by severity (P1-P4) with response times ranging from 1 hour for critical incidents to 72 hours for low-severity issues.
Complaints
If you believe we have not handled your personal information properly, you have the right to lodge a complaint with:
Information Regulator (South Africa)
Physical Address:
JD House, 27 Stiemens Street
Braamfontein, Johannesburg, 2001
Postal Address:
P.O Box 31533
Braamfontein, Johannesburg, 2017
Email: inforeg@justice.gov.za
Website: https://inforegulator.org.za
Complaints Email: complaints.IR@justice.gov.za
We encourage you to contact us first so we can try to resolve your concerns directly.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this page
- For significant changes, we may notify you by email or prominent website notice
- Continued use of our website after changes constitutes acceptance of the updated policy
We recommend reviewing this policy periodically. This policy is reviewed annually by our compliance team.
Contact Us
For any questions about this Privacy Policy or how we handle your personal information:
General Enquiries
Email: info@herbstteam.com
Phone: +27 10 158 4336
Information Officer (POPIA Requests)
Name: Wimpie du Toit
Email: wimpie@herbstteam.com
Deputy Information Officer
Name: Zelna Symms
Email: zelna@herbstteam.com
Postal Address:
Herbst Group (Pty) Ltd
Suite E106, Midlands Office Park East
1 Mount Quray Street, Midlands Estate
Olifantsfontein, 1682
South Africa
Shared Governance Statement
This Privacy Policy applies across all Herbst Group of Companies entities. Our shared governance model ensures consistent data protection standards whether you engage with Herbst Group, Herbst Alliance, Herbst Team, Herbst Intelligence, or Herbst Commercial.
The responsible party for POPIA purposes is Herbst Group (Pty) Ltd, which maintains centralised compliance oversight for the group.
Legal Authority
This Privacy Policy was adopted pursuant to a resolution of the Board of Directors of Herbst Group (Pty) Ltd dated 11 November 2025, whereby the Board resolved to:
- Commence the process towards obtaining POPIA compliance
- Designate Willem Hendrik du Toit as Information Officer
- Appoint Gesina Wilhelmina Symms as Deputy Information Officer
- Register the Information Officer and Deputy Information Officer with the Information Regulator
The resolution was signed by Willem Dieter Herbst in his capacity as director of the Company and Chair of the Board.
Version History
| Version | Date | Description | Reviewer | Approver |
|---|---|---|---|---|
| 1.0 | 25 November 2025 | Initial publication | Zelna Symms | Dieter Herbst |