Privacy Policy

Last updated 16 February 2024


What is this?

When you interact with us, you share Personal Information that we use to make available and improve our services to you. We respect your privacy and are committed to protecting your Personal Information. We want to be transparent with you about how we collect and use your Personal Information in making available (i) our website at (the Site) and (ii) any related services as described in any agreement we have with you (collectively, the Services).

This Privacy Policy aims to tell you more about: (i) your privacy rights, (ii) how the law protects you, and (iii) what information we collect about you, why we collect it, and how you can update, manage, export, and delete any information that you may provide through the Services.

The Privacy Policy is also intended to meet our regulatory duties in terms of the Protection of Personal Information Act, 2013 (POPIA). The POPIA definition of Personal Information includes: information about an individual or business (data subject), from which the data subject is either directly identified or can be identified. Some examples of Personal Information are a data subject’s name, contact details, identity number and IP address.

We review this Privacy Policy regularly. Occasionally, we may need to make changes or additions to this policy that may affect how we handle your data. We will indicate on this page when the policy has last changed. For the latest version, please refer to


Who we are and how to contact us

Who we are

The Services are provided by Lumico (Pty) Ltd, a company incorporated in South Africa under registration number 2014/083100/07.  Any mention of “we”, “us” or “our” in this Privacy Policy, refers to this registered company.  We are the responsible party that controls the processing of your Personal Information when you use the Services.


How to contact us

You can contact us by emailing if you have any questions, comments or concerns regarding our use of your Personal Information.


Your rights relating to your Personal Information

Under certain circumstances, by law, you have the right to:

  • Request access to, and receive a copy of, your Personal Information and check if we are lawfully processing it.
  • Report incomplete or inaccurate information, and request the correction of the Personal Information that we hold about you.
  • Object to the processing of your Personal Information.
  • Request that any or all of your Personal Information is deleted or removed if there is no longer a lawful reason for us to process it.
  • Request the transfer of your Personal Information that you initially provided consent for us to use or where we have used this information to perform a contract with you.
  • Withdraw your consent for us to process your Personal Information.

If you want to exercise any of the rights described above, please contact us by sending an email to

You will not have to pay a fee to request whether or not we hold personal information about you. However, if you require a record or a description of the Personal Information that we hold, including information about any third parties that we have shared or who have access to your Personal Information, we may charge a reasonable fee before we are able to comply with your request.  We will communicate the exact fee before complying with your request.

We may need to request specific information from you to help us confirm your identity and your right to access your Personal Information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it.


Marketing and communications preferences

We would like to send you information about our products and services, and those of our clients, which may be of interest to you.  We will only send you marketing messages if you are a customer of ours, or a customer of our clients, or when you opt in to receiving these messages.


Information collected by us

Why do we collect your Personal Information?

We will only use your Personal Information for the purposes for which we collected it, as listed below, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose that you provided the Personal Information to us, or to our clients.

In respect of each of the purposes for which we use your Personal Information, POPIA requires that we have a legal basis for that use. Most commonly, we will rely on one of the following legal bases:

  • Where we have your specific consent to carry out the processing for the Purpose in question (Consent).
  • Where we need to perform a contract we are about to enter into or have entered into with you (Contractual Necessity).
  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (Legitimate Interests).
  • Where we need to comply with a legal or regulatory obligation (Compliance with Law).


What Personal Information we collect and how we use it

In the course of providing the Services, we collect the following Personal Information, either when it is provided to us by you, where we derive it from your use of the Services, or when it is provided to us through a third party:

  • Identity Data (First name, surname, company name, trading name): We use this to authenticate you as a customer and to keep a record of the Personal Information that we process.
  • Contact details (telephone number, email address, physical address): We use this to communicate with you.
  • Summaries of conversations: We use this data that you provide to us when you report a problem or ask a question in respect of our Services or when you request further services from us. If you contact us, we may keep a record of that correspondence. We use this to provide more information about the Services or help resolve issues experienced using the Services.
  • Marketing preferences: We use this to determine whether and how we communicate with you to promote our Services or those of our clients.



We only collect Personal Information, on the terms set out in this policy, of children under the age of 18 with the explicit consent from their parent or guardian. If you are a parent or guardian of a child under the age of 18 who has provided consent for our collection of their Personal Information, you can at any time request us to tell you what we have about the minor child and also ask us to delete it at any time. We will ask you to prove your relationship to the child and, if you do so, you may (subject to applicable law) request access to and deletion of that child’s personal data.


Personal Information About Other Individuals



What happens if you do not provide necessary Personal Information?

Where we need to process your Personal Information either to comply with law, or to perform the terms of a contract we have with you, and you fail to provide that data when requested, it may affect the quality and level of service that we can provide to you. This may range from a lack of personalisation, and simple convenience, all the way to not technically being able to provide a service. In this case, we may have to stop you using our Services.  We will notify you if this is the case at the time.


Information we collect automatically

Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them). Other than through our Site, our Services do not use cookies.

You can typically remove or reject cookies through your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the settings, help tools or edit facility). Many browsers are set to accept cookies until you change your settings.

We also use Google Analytics to see how visitors to our Site interact with us. You can find out more information about how Google Analytics uses cookies here.  We also use advertising services provided by both Google and Facebook.


With whom do we share your Personal Information?

The table below describes who we share your Personal Information with, what we share and why we share it.

Who we share with and why we share it:

  • Service Providers: We use a range of partners in order to provide our Services to you. These partners include those that:
      ● enable us to manage our workflows;
  • Professional advisers: Our lawyers, bankers, auditors, BEE advisors, and insurers, provide consultancy, banking, legal, insurance and accounting services.
  • Regulators and other authorities: Authorities may require reporting of processing activities in certain circumstances.
  • Analytics Providers: Our analytics providers will use this information for the purpose of evaluating your use of our Site, compiling reports on Site activity and providing other services relating to Site activity and internet usage. Our analytics providers may also transfer this information to third parties where required to do so by law, or where such third parties process the information on our analytics providers’ behalf.


Data transfers

We use all reasonable efforts to ensure that people who we share or transfer your Personal Information to hold it subject to appropriate safeguards and controls. Whenever we transfer your Personal Information out of South Africa to third parties, we ensure that a similar degree of protection is afforded to it by those third parties, either through our agreements with them, or through the laws relating to the protection of personal information in the country where the respective service provider is located.


How we keep your Personal Information secure

We take your privacy seriously and as such we have policies and technical measures in place to safeguard and protect your Personal Information against unauthorised access, accidental loss, improper use and disclosure. We will also take all reasonable precautions to ensure that our staff, employees, and contractors who have access to information about you have received adequate training, and that any third parties who have access to your Personal Information are required to be fully compliant with any applicable privacy laws. We also limit access to your information only to people in our company, and to any third parties, who need to have access to the relevant information for the purposes set out in this Privacy Policy.

We have put in place procedures to deal with any actual or suspected Personal Information breach.  We will notify you and help guide you through steps to mitigate any damage and stay better protected. In the event of any such breach, we have systems in place to work with the Information Regulator. In addition, in certain circumstances (e.g., where we are legally required to do so) we may notify you of breaches affecting your Personal Information.

We do our best to protect your personal data through various security measures. If you would like more information about the security measures we adopt, please email us at

While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the Internet is not entirely secure.  For this reason, we cannot guarantee the security or integrity of any Personal Information that is transferred from you or to you via the Internet.


How long we store your Personal Information

We will only retain your Personal Information for as long as we reasonably need to use it for the purposes set out above, that is, for as long as you remain a customer of ours, unless a longer retention period is required by law (for example for regulatory purposes).

We keep all of your Personal Information only for as long as we need it for the purpose for which you gave us consent, or for as long as the law requires us to keep it, if that is longer. We have policies in place which we review regularly to ensure that we do not hold on to unnecessary Personal Information.



If you have any questions or would like to make a complaint regarding this Privacy Policy, or our practices in relation to your Personal Information, please send an email to us at  We will reply to your complaint as soon as we can.

If you feel that your complaint has not been adequately resolved, POPIA  gives you the right to contact the Information Regulator.  You can contact the Information Regulator at

