Firewater Interactive CC (“Firewater”, “we”, “us”, “our”) is a digital agency based in South Africa. This Privacy Policy explains how we process personal information when you use our websites, contact us, or engage our services, and when we run campaigns for our clients that involve handling their customers’ data.

This notice is designed to align with the Protection of Personal Information Act, 2013 (POPIA). It should be read together with any client contracts and our Cookie Notice.

 

1. Who we are & contacts

Responsible party (for our own sites and business operations):
Firewater Interactive CC, 16 Fricker Road, Illovo, Johannesburg, Gauteng, 2191, South Africa.
Email: privacy@firewater.net

Information Officer: For a private body, the Information Officer is the “head” as defined under PAIA. Firewater’s head delegates day‑to‑day privacy queries to the contact above. Formal POPIA/PAIA requests may be addressed to the Information Officer at the same postal and email addresses.

2. Scope & our roles

This policy covers processing when you visit firewater.net, contact us, apply for a job, or we provide services to you. It also covers processing when we run campaigns for our clients that involve handling their customers’ personal information.

Our roles under POPIA

• Responsible party — for personal information we collect about our own prospects, website visitors, suppliers, employees, and job candidates.
• Operator — when we process personal information for our clients under a contract (for example to run campaigns, manage leads, host landing pages, or provide analytics). In those cases the client is the responsible party and we only process on documented instructions, apply appropriate security, assist with data subject rights, and ensure confidentiality.

3. What we collect

The categories of personal information we may process include:

• Identification & contact — names, email addresses, phone numbers, company, job title.
• Campaign & engagement data — form submissions, competition entries, preference centre selections, campaign interactions (opens/clicks), lead source, timestamps.
• Device/usage data — IP address, device/browser type, operating system, pages viewed, referring URLs, general location (based on IP), and similar analytics.
• Support & correspondence — enquiries, feedback and any information you choose to provide.
• Supplier & B2B details — contact details for suppliers and partners for onboarding, payments and contract administration.

We do not seek to collect special personal information (such as health, biometrics, or religious beliefs). If a campaign requires it, we will only process it where permitted by POPIA and the Information Regulator’s guidance, and as instructed by the responsible party.

4. How we collect your information

• Directly from you — when you complete a form, enter a competition, subscribe, contact us, or contract with us.
• Automatically — via cookies, pixels and similar technologies on our sites and campaign assets.
• From clients (as operator) — where our clients lawfully share their customers’ data with us to deliver a campaign or service on their behalf.

5. Purposes & lawful justifications

We process personal information only where there is a lawful justification under POPIA, including:

• Consent — e.g., you opt‑in to receive electronic marketing or enter a competition.
• Contract — to create proposals, provide and administer services, and manage client or supplier relationships.
• Legal obligation — to comply with tax, accounting and other laws.
• Legitimate interests of the responsible party — e.g., to secure our systems, prevent fraud and measure campaign performance, balanced against your rights (section 11(1)(f)).
• Vital interests / public duty — in limited situations as provided under POPIA.

Typical purposes include: running and measuring campaigns; hosting landing pages; managing leads; A/B testing and analytics; client reporting; customer service; invoicing; and protecting our rights.

6. Direct marketing & cookies

Direct marketing (section 69 POPIA)

• We only send electronic direct marketing to natural persons with your consent, or where you are an existing customer and the message relates to similar products/services and you were given a simple opt‑out at collection and with every message.
• You can opt out at any time using the link in our emails or by replying STOP to SMS.

Cookies and analytics

We use cookies and similar technologies for site functionality, security and analytics (for example, Google Analytics). You can control cookies via your browser settings and available opt‑out tools provided by analytics vendors.

7. Sharing with third parties

We use trusted operators (service providers) to host our infrastructure, deliver campaigns, send communications, and provide analytics and support. We require them to keep information confidential, use it only on our documented instructions, apply appropriate security, and assist us to meet POPIA obligations.

We may also share information where required by law, to protect our rights, during corporate transactions, or with our professional advisers (subject to confidentiality).

8. Transfers outside South Africa

Some operators or systems may be located outside South Africa. When we (as responsible party) or our clients (as responsible party) transfer personal information cross‑border, we ensure that the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection, or another condition for transfer under section 72 POPIA applies. We keep records of such arrangements.

9. Special personal information & children

Special personal information: We avoid processing special categories unless permitted by law and necessary for the campaign/service, in which case we implement additional safeguards and (where required) obtain explicit consent.

Children: We do not knowingly process children’s personal information without the consent of a competent person (such as a parent/guardian) or another lawful ground recognised by POPIA. If we learn we have collected such information unlawfully, we will delete it.

10. Security & data breaches

We implement reasonable and appropriate technical and organisational measures to secure personal information, including access controls, encryption in transit, network monitoring, and staff confidentiality undertakings.

If a security compromise occurs that creates a real risk of harm, we (or our client, where they are the responsible party) will notify affected data subjects and the Information Regulator as required by section 22 POPIA, and we will cooperate with investigations and mitigation.

11. Retention

We retain personal information only as long as necessary for the purposes described or as required by law, after which we securely delete or de‑identify it. Typical retention periods:

 

Category	Examples	Typical retention
Campaign engagement data	Email/SMS interaction logs, landing‑page analytics	up to 24–36 months
Lead records	Form submissions, competition entries	up to 24 months after last activity, unless required longer for legal claims
Client project files & finance	Statements, invoices, contracts	7 years (tax and commercial law)
Support correspondence	Tickets and email threads	up to 24 months
Recruitment	CVs, interview notes	up to 12 months unless consent obtained to keep longer

 

12. Your rights

Subject to limits in POPIA and PAIA, you have the right to:

• be notified of collection and of security compromises;
• request access to your personal information;
• request correction, deletion, or destruction of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained;
• object to processing on reasonable grounds relating to your situation, and object to direct marketing at any time;
• not be subject to decisions based solely on automated processing where that produces legal or similarly significant effects, subject to POPIA;
• lodge a complaint with the Information Regulator.

13. How to make a request or complaint

You may exercise your rights or ask questions by emailing privacy@firewater.net. We’ll verify your identity before acting and respond within timelines set by law.

If you are not satisfied, you can complain to the Information Regulator (South Africa):
General enquiries: enquiries@inforegulator.org.za
Complaints (POPIA): POPIAComplaints@inforegulator.org.za
Website: inforegulator.org.za

14. Changes to this policy

We may update this policy from time to time. Material changes will be communicated on this page and, where appropriate, directly to you.

15. Key definitions

“POPIA” means the Protection of Personal Information Act, 2013.
“Personal information” means information relating to an identifiable natural person (and, where applicable, a juristic person).
“Responsible party” means the person who determines the purpose of and means for processing personal information.
“Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate.
“Special personal information” includes, for example, health, biometrics, and religious beliefs.
“Child” means a natural person under 18 years who is not legally competent without the assistance of a competent person.

 

This policy is intended to reflect POPIA requirements in a practical way for Firewater’s operations. It does not constitute legal advice.