Legal

Privacy Policy

Last updated: 24 March 2026

1. Who We Are

Grapefruit (“we”, “us”, “our”) is a digital transformation agency. We design and build digital platforms, web presences, and workflow automation solutions for businesses globally.

Our contact address for data protection matters is: info@grapefruit.africa

2. Scope of This Policy

This policy applies to personal information we collect through:

  • Our public marketing website at www.grapefruit.africa
  • Email communications initiated by you
  • The provision of professional services to our clients
  • Any digital platforms we build and operate on behalf of clients where we act as an operator

It does not apply to third-party websites linked from our site. We are not responsible for the privacy practices of those sites.

3. Information We Collect

3.1 Prospective Clients

When you contact us via email or through any intake process, we collect:

  • Your name and job title
  • Your business name and industry
  • Your email address and telephone number
  • A description of your requirements as provided by you

3.2 Existing Clients

In the course of delivering a project, we may process:

  • Business contact details of your team members
  • Operational business data necessary to design and configure your platform (e.g. workflow logic, product or service descriptions, pricing structures)
  • Integration credentials provided by you for third-party services (stored securely, never logged)

We process client business data strictly as an operator under your instruction and do not use it for any purpose beyond delivering the agreed scope of work.

3.3 Website Visitors

Our website is a static, server-rendered site. We do not operate first-party analytics, tracking pixels, or cookies. Standard server access logs may be retained by our infrastructure and content delivery providers.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • To respond to your enquiry and assess whether we can assist you
  • To prepare proposals, statements of work, and project documentation
  • To deliver and support the platform or service you have engaged us to build
  • To issue invoices and manage our commercial relationship
  • To comply with applicable legal and regulatory obligations

We do not sell, rent, or trade your personal information to any third party. We do not use your information for unsolicited marketing without your express consent.

5. Legal Basis for Processing

We process personal information in accordance with POPIA and all other applicable data protection legislation relevant to the jurisdictions in which we and our clients operate. Our processing is carried out on the following grounds:

  • Contractual necessity — to perform a contract you have entered into with us, or to take steps at your request prior to entering a contract
  • Legitimate interest — to manage and develop our business, subject to your rights not being overridden
  • Legal obligation — to comply with applicable law
  • Consent — where you have given clear consent, such as when subscribing to communications from us

6. Infrastructure and Sub-processors

We use trusted third-party infrastructure providers to operate our services, including cloud hosting, content delivery, and secure asset storage. All providers are selected on the basis of their security standards and their ability to meet applicable data protection requirements.

We ensure that any cross-border transfer of personal information is subject to appropriate safeguards. We do not engage sub-processors that operate in jurisdictions with inadequate data protection without implementing suitable contractual or technical protections.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law:

  • Enquiry data — retained for 12 months from last contact if no engagement results
  • Client project data — retained for the duration of the engagement plus 5 years for audit and warranty purposes
  • Financial records — retained for 7 years in compliance with applicable tax legislation

On expiry of the applicable retention period, personal information is securely deleted or anonymised.

8. Security

We apply security measures commensurate with the sensitivity of the data we hold. These measures include:

  • Encryption in transit (TLS) on all client-facing systems
  • Strict access controls — only personnel who require access to personal data to perform their duties are granted it
  • Logical data isolation between clients on shared infrastructure
  • Regular review of third-party integrations and credentials

While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant regulator as required by law.

9. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete personal information
  • Delete your personal information, subject to our legal retention obligations
  • Object to processing carried out on the basis of legitimate interest
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with the relevant data protection supervisory authority in your jurisdiction

To exercise any of these rights, please contact us at info@grapefruit.africa. We will respond within 30 days.

10. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. The “Last updated” date at the top of this page indicates when the most recent revision was made. Continued use of our website or services after any update constitutes acceptance of the revised policy.

11. Contact

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our Information Officer at:

Grapefruit

info@grapefruit.africa