Skip to main content
The Design Hammock
POPIA · GDPR · CCPA

Privacy Policy

Effective: 20 June 2025 · Last Updated: 20 June 2025

TL;DR — Your Privacy at a Glance

The Design Hammock collects only the data needed to deliver our web development services and improve your browsing experience. We never sell your personal information. Analytics are collected only with your consent. You can access, correct, or delete your data at any time via WhatsApp, email, or in person. We comply with POPIA, GDPR, and CCPA.

Responsible Party

Under the Protection of Personal Information Act, 2013 (POPIA), the responsible party (equivalent to "data controller" under GDPR) for this website is:

Registered Entity

The Design Hammock PTY (Ltd)

Information Officer (POPIA §55)

Graeme Ford

Physical Address

159 Maria Bronkhorst Road, Ashlea Gardens,
Pretoria, 0081, South Africa

What We Collect

Information You Provide Directly

  • Contact information: name, work email address, phone number, company/project name
  • Project details: company size, current tech stack, budget range, timeline, project description
  • Communication records: messages sent via WhatsApp, email, or the Start a Project form

Information Collected Automatically

  • Device and browser data: IP address (anonymised), browser type and version, operating system, screen resolution
  • Usage data: pages visited, session duration, click interactions, scroll depth, referral source
  • Session replay data: anonymised recordings of user sessions (collected only with analytics consent)
  • Cookies and similar technologies: see our Cookie Policy for a full inventory

Purpose of Collection

Under POPIA §13, we process personal information only for specific, explicitly defined, and lawful purposes. Our lawful bases for processing under POPIA, GDPR, and CCPA are:

PurposeLawful Basis (POPIA)GDPR Basis
Respond to enquiries and deliver servicesContract (§11(1)(b))Art. 6(1)(b) — Contractual necessity
Process payments and invoicesContract (§11(1)(b))Art. 6(1)(b) — Contractual necessity
Website analytics and session replayConsent (§11(1)(a))Art. 6(1)(a) — Consent
Advertising conversion trackingConsent (§11(1)(a))Art. 6(1)(a) — Consent
Improve website performance and UXLegitimate interest (§11(1)(f))Art. 6(1)(f) — Legitimate interest
Legal compliance (tax, regulatory)Legal obligation (§11(1)(c))Art. 6(1)(c) — Legal obligation

Voluntary vs Mandatory Information

In line with POPIA §18(1)(c), we distinguish between information you must provide and information that is optional:

Required Fields

Work email and company/project name are required to process your enquiry via the Start a Project form.

Consequence of non-provision: If you do not provide these fields, we will be unable to respond to your enquiry or deliver our services.

Optional Fields

Company size, current tech stack, budget range, and timeline are optional. Providing them helps us tailor a more accurate proposal, but they are not required.

How We Use Your Data

  • Service delivery: to scope your project, generate proposals, onboard you as a client, and deliver agreed-upon web development services.
  • Communication: to respond to enquiries via WhatsApp, email, or the contact form, and to provide project updates.
  • Website improvement: to analyse anonymous usage patterns (with consent), identify UX bottlenecks, and optimise page performance.
  • Advertising measurement: to measure the effectiveness of Google Ads campaigns and attribute conversions (with consent).
  • Legal and regulatory: to comply with South African tax law, Companies Act requirements, and respond to lawful requests from regulatory bodies.

We never sell your personal information to third parties.

Third-Party Processors

We share personal information with the following sub-processors (referred to as "operators" under POPIA §1). Each operates under a data processing agreement and implements appropriate safeguards:

Google (Consent Mode v2 & Google Ads)

Purpose

Consent signal management, advertising conversion measurement

Location

United States

Safeguards

EU-U.S. Data Privacy Framework, Standard Contractual Clauses

Google Firebase

Purpose

Performance monitoring, A/B testing (future planned integration)

Location

United States

Safeguards

EU-U.S. Data Privacy Framework, ISO 27001, SOC 2 certified

Cross-Border Transfers

The Design Hammock is based in South Africa. Some of our third-party processors operate servers in the United States, meaning your personal information may be transferred outside of the Republic of South Africa.

Under POPIA §72, cross-border transfers are permitted where the recipient country has adequate data protection laws, or where appropriate safeguards exist. We ensure compliance through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all sub-processors
  • Encryption in transit (TLS 1.2+) and at rest where applicable
  • Regular review of processor compliance certifications (SOC 2, ISO 27001)

Data Retention

We retain personal information only as long as necessary to fulfil the purposes outlined in this policy, or as required by law (POPIA §14):

Data CategoryRetention Period
Form submissions and enquiriesDuration of business relationship + 2 years
Client project records and invoices5 years (SA Tax Administration Act requirement)
Analytics data90 days (auto-purged)
Session replays30 days (auto-purged)
Cookie consent preferences12 months (re-consent then required)

When data is no longer required, it is securely deleted or anonymised so it can no longer be linked to you.

Your Rights

Under POPIA (All South African Data Subjects)

POPIA §23–25 grant every data subject the following rights:

  • Access (§23): request confirmation of whether we hold your data and obtain a copy
  • Correction (§24): request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained information
  • Deletion (§24): request destruction of personal information that is no longer needed
  • Objection (§11(3)): object to processing based on legitimate interest or for direct marketing purposes

Additional Rights Under GDPR (EEA/UK Residents)

If you are located in the European Economic Area or United Kingdom, you additionally have the right to:

  • Data portability (Art. 20): receive your data in a structured, commonly-used, machine-readable format
  • Restriction of processing (Art. 18): request that we limit how we use your data while a dispute is being resolved
  • Withdraw consent (Art. 7(3)): withdraw consent at any time without affecting the lawfulness of prior processing
  • Lodge a complaint: file a complaint with your local supervisory authority

California Residents (CCPA/CPRA)

If you are a California resident, the CCPA and CPRA grant you the following rights:

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected
  • Right to delete: request deletion of personal information we have collected from you
  • Right to opt out of sale: we do not sell personal information — this right is already satisfied
  • Right to non-discrimination: we will not discriminate against you for exercising any CCPA rights

How to Exercise Your Rights

In accordance with POPIA's 2025 multi-channel compliance guidelines, you may exercise any of the rights listed above via the following channels:

WhatsApp (Preferred)

Send a message to our Information Officer via WhatsApp. This is the fastest channel — typical response within 24 hours.

Email

Send a written request to privacy@thedesignhammock.co.za. We will respond within 30 days as required by POPIA.

In Person

Visit our office at 159 Maria Bronkhorst Road, Ashlea Gardens, Pretoria, 0081 during business hours (Monday–Friday, 08:00–17:00 SAST).

Contact via WhatsApp

We may require proof of identity before processing your request to protect the security of your personal information.

Cookies

Our website uses cookies and similar tracking technologies to provide essential functionality and, with your consent, to measure website performance and advertising effectiveness. We implement Google Consent Mode v2 to ensure that no optional cookies are set before you provide explicit consent.

For a detailed breakdown of all cookies used, their purposes, and retention periods, please refer to our Cookie Policy.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • For significant changes affecting your rights, we will notify you via email (if we have your address) or through a prominent notice on our website
  • Where required by law, we will obtain fresh consent before applying new processing activities

We encourage you to review this policy periodically. Continued use of our website after changes are posted constitutes your awareness of those changes.

Complaints

If you believe we have violated your privacy rights, we encourage you to first contact our Information Officer (details above) so we can attempt to resolve the issue directly. If you are not satisfied with our response, you have the right to lodge a complaint with:

The Information Regulator (South Africa)

Email: enquiries@inforegulator.org.za
Tel: +27 (0)10 023 5207

EEA/UK residents may also lodge a complaint with their local supervisory authority. California residents may contact the California Attorney General's office.

Related Pages

Cookie Policy

Full cookie inventory and opt-out instructions

Read policy

Terms of Service

Engagement terms, IP ownership, and liability

Read terms

Start a Project

Ready to work together? Let's discuss your project

Get started

This policy was last updated on 20 June 2025. The content has been prepared to meet POPIA, GDPR, and CCPA requirements but does not constitute legal advice. We recommend consulting a qualified legal professional for specific compliance guidance.