Privacy Policy
Last update:
This Privacy Notice is provided in accordance with the Protection of Personal Information Act, No. 4 of 2013 (POPIA), which requires us to inform you, our Data Subject, about how we process your Personal Information.
1. Responsible Party and Contact Details
Cobble Road Labs (Pty) Ltd acts as the Responsible Party (the entity determining the purpose and means of processing personal information).
- Entity Name (Responsible Party): Cobble Road Labs (Pty) Ltd
- Registration Number: 2025/870024/07
- Information Officer (IO): Marais Roos (Director)
- Physical Contact Address: Vaalpark, Sasolburg, Free State, 1947
- IO Contact (PAIA/POPIA Queries): marais@cobbleroadlabs.com
- General Contact: info@cobbleroadlabs.com
2. Information Collection and Purpose Specification
Cobble Road Labs (Pty) Ltd collects and processes Personal Information via the website and for core business functions. We outline the types of data collected and the legally defined purpose for processing:
A. Data Collected from Website Visitors
- Website Visitor Data:
  - Information Collected: IP Address, Geo-location (city/region), Browser type, pages visited, date/time stamp.
  - Source: Automatically collected via server logs and analytics (e.g., Google Analytics).
  - Purpose: To maintain website security, diagnose problems, and analyse performance (Legitimate Interest).
- Contact Form User Data:
  - Information Collected: First/Last Name, Email, Phone, Company Name, Company URL, Industry, Company Size, Service Interest, and Message content.
  - Source: Directly provided by you via the website contact form.
  - Purpose: To respond to specific inquiries, qualify leads for sales, and perform business segmentation and marketing (Consent / Legitimate Interest).
B. Data Collected for Core Business Operations
- Client/Supplier Data:
  - Information Collected: Financial information, Physical Address, VAT/Registration number, Banking details.
  - Source: Direct onboarding via email/Xero; required for legal transactions.
  - Purpose: To comply with legal duties (SARS/FICA) and fulfill contractual services (Legal Obligation).
- Director/Employee Data:
  - Information Collected: ID number, residential address, medical/payroll data.
  - Source: Directly provided by the individual for employment/statutory purposes.
  - Purpose: To administer the employment relationship and comply with the Labour Relations Act and tax law (Legal Obligation).
3. Data Processing Infrastructure
Data collected via the website contact form is managed by the following infrastructure:
- Front-End Hosting (Vercel): The website's operational data and contact form submissions are processed via Vercel (operating on AWS/GCP infrastructure). This constitutes a Transborder Flow of data to the Vercel/AWS hosting region (likely US/EU).
- Sanity CMS: The submitted data is then stored in the self-hosted Sanity CMS instance.
- Processing Responsibility: Cobble Road Labs is the Responsible Party and retains full responsibility for the data security, access control, backups, and maintenance of the Sanity CMS server environment.
4. Lawful Basis for Processing
We only process your Personal Information when a lawful basis exists:
- Necessity for a Contract: Processing is required to perform a contract with you (e.g., fulfilling a service agreement, responding to a sales query).
- Legal Obligation: Processing is mandatory to comply with South African laws (e.g., SARS tax compliance, CIPC corporate governance).
- Consent: We may rely on your express consent when you submit the contact form, particularly for marketing follow-up.
- Legitimate Interest: Processing is necessary for the company’s normal business operations (e.g., maintaining website security, qualifying sales leads), provided your rights are not overridden.
5. Security Safeguards (Technical & Organisational Measures)
We are committed to securing the data we hold. The technical and organisational measures implemented include:
- Access Control: Access to Personal Information is restricted to the Information Officer (Marais Roos) and relevant operational staff on a strict "need-to-know" basis.
- Technical Controls: We use Multi-Factor Authentication (MFA) on all financial and system access points (including Xero and banking).
- Encryption: Data is secured using industry-standard encryption, both when in transit and at rest (stored on cloud servers, including the Sanity CMS).
- Operator Security: We are the Responsible Party for the Sanity CMS infrastructure security.
6. Planned Transborder Flows of Personal Information (Section 72)
All contact form data and financial accounting data are transferred outside of South Africa.
A. Financial Data (Xero)
- Recipient Country: New Zealand (Hosting location for Xero, our accounting software Operator).
- Basis for Transfer: The transfer is necessary for the performance of our contract and accounting compliance. New Zealand is recognised by the Information Regulator as providing an adequate level of protection for Personal Information (Proclamation No. R. 85 of 2021).
B. Website Data (Vercel/AWS)
- Recipient Country: Likely USA or EU (Vercel/AWS default regions).
- Information Transferred: Contact Form data (Name, Email, Phone, Company details, Message).
- Basis for Transfer: The transfer is based on the Consent you provide when submitting the form and the Necessity for Contractual/Pre-Contractual Steps (to process your inquiry and potentially enter into a business relationship). We rely on Vercel's/AWS's commitment to robust security measures (ISO/SOC compliance) to ensure the data is protected.
7. Your Rights as a Data Subject (POPIA)
As a Data Subject, you have the right to:
- Access: Request confirmation of whether we hold your Personal Information and request access to that record.
  - How to Exercise: Use PAIA Form 2 (available via the Information Regulator) and submit it to the IO.
- Correction/Deletion: Request that we correct, destroy, or delete Personal Information that is inaccurate, irrelevant, excessive, outdated, incomplete, misleading, or obtained unlawfully.
  - How to Exercise: Submit a request directly to the Information Officer via email.
- Objection: Object to the processing of your Personal Information, unless processing is required by law.
  - How to Exercise: Submit a written objection to the Information Officer.
- Complaints: Lodge a complaint with the Information Regulator if you believe your rights have been infringed.
  - See Section 8 below.
8. Complaints and the Information Regulator
If you believe Cobble Road Labs has breached POPIA, you have the right to lodge a complaint with the Information Regulator (South Africa).
- IR Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- IR Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
- IR Website: https://inforegulator.org.za/
- IR Complaints Email: complaints.IR@justice.gov.za