Leroy

Privacy Policy

Last updated: May 2026

1. Who We Are

This website (leroy.africa) is operated by Leroy, based in South Africa. We are the responsible party (data controller) for any personal information you provide through this site. We are committed to protecting your privacy in accordance with South Africa's Protection of Personal Information Act (POPIA), the EU General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018.

This policy explains what personal information we collect, how we use it, the legal basis for processing, how we protect it, and your rights under applicable data protection laws.

2. What Information We Collect

We collect the minimum amount of personal information necessary. We do not use analytics, tracking pixels, advertising cookies, or third-party data brokers.

2.1 Information You Provide

When you submit the contact form on this website, we collect:

  • First name and last name
  • Email address
  • Phone number (optional)
  • Your message content
  • Submission timestamp

2.2 Technical Information (Not Stored)

Our web server may record standard access logs. We do not link these logs to your identity. We also use:

  • A single functional cookie (lang) to remember your language preference - not used for tracking
  • An anonymised IP hash (SHA-256) for rate limiting and abuse prevention - the hash cannot be reversed to reveal your IP address
  • No Google Analytics, Facebook Pixel, social media trackers, fingerprinting, or advertising cookies

3. Legal Basis for Processing

We process your personal information only on the following legal grounds:

  • Consent - By submitting the contact form, you consent to us processing your information for the purpose of responding to your enquiry.
  • Legitimate Interest - We use anonymised IP hashes for rate limiting and spam prevention, which is a legitimate security interest that does not override your rights.

4. How We Use Your Information

We use the information you provide through the contact form solely for:

  • Responding to your enquiry or message
  • Preventing spam and abuse through rate limiting and honeypot detection
  • Maintaining a record of communications for our own reference

We do not use your information for marketing, profiling, automated decision-making, or any form of profiling. We do not sell, rent, or share your personal information with any third party.

5. International Data Transfers

Your data is stored on servers located in South Africa. If you are visiting from outside South Africa, be aware that your information may be transferred to and processed in South Africa, where data protection laws may differ from those of your country. We ensure that:

  • POPIA provides adequate protection for personal information (recognised by the EU under adequacy discussions)
  • GDPR's Standard Contractual Clauses (SCCs) apply where relevant for EU/EEA visitors
  • We implement appropriate technical and organisational measures to protect your data regardless of where it is processed

6. Data Retention

Contact form submissions are retained indefinitely unless you request deletion. We retain your information so we can maintain a record of our communications. If you would like your data deleted, please contact us using the details below.

7. Data Security

We take the security of your personal information seriously and have implemented the following measures:

  • All data is stored in a database that is not publicly accessible - the database file sits outside the web root and cannot be accessed via the internet
  • All database writes use parameterised queries to prevent SQL injection
  • Form submissions are protected against cross-site request forgery (CSRF), spam bots (honeypot fields and timing checks), and brute-force attacks (rate limiting)
  • Your IP address is stored only as an irreversible SHA-256 hash, meaning we cannot identify you from the stored hash alone

8. Your Rights Under POPIA, GDPR, and UK DPA

Depending on your location, you have the following rights regarding your personal information:

8.1 Rights Summary

You have the right to:

  • Access - Request a copy of the personal information we hold about you
  • Correction - Request that we correct or update inaccurate information
  • Deletion - Request that we delete your personal information (right to be forgotten under GDPR / right to request destruction under POPIA)
  • Objection - Object to the processing of your personal information, or withdraw consent at any time

9. Contact Us

If you have any questions about this privacy policy, wish to exercise any of your rights, or want to lodge a complaint, you can contact us at:

Email: [email protected]