Privacy Policy

Last updated: 8 June 2025

1 · Who We Are

This Is 42 (Pty) Ltd
Company Reg. 2018/042042/07
Pretoria, South Africa

Any reference to “we,” “us,” or “our” means This Is 42.
Questions? E-mail privacy@thisis42.com.

2 · Scope

This policy explains how we collect, use, store, share and secure personal information obtained when you:

  • visit proto42.vercel.app or any sub-domain;
  • submit forms (e.g., “Let’s Talk”, “Careers”, newsletter);
  • become a client, partner, vendor or job candidate;
  • interact with our products, APIs or support channels.

It covers requirements of:

  • GDPR (EU/EEA & UK)
  • POPIA (South Africa)
  • CCPA/CPRA (California)

3 · What We Collect & Why

CategoryExamplesPurposeLawful Basis*
Contact DataName, email, phone, companyRespond to enquiries, schedule callsLegitimate interest / Consent
Client Account DataBilling address, VAT/Tax ID, signed agreementsContract execution & invoicingContract
Usage & Device DataIP, browser UA, pages viewed, session durationImprove site, detect abuseLegitimate interest
Cookies & AnalyticsFirst-party cookies, Plausible analytics (cookieless)Visitor metrics, UX optimisationLegitimate interest
Career DataCV, LinkedIn, portfolio, salary expectationsRecruitment decision & commsLegitimate interest / Consent
Support & Incident LogsChat transcripts, error logs, Sentry reportsDebug issues, fulfil SLAContract
Marketing PreferencesNewsletter opt-in status, event RSVPsSend content you asked forConsent

*Art. 6 GDPR equivalents used for POPIA & CCPA mapping.

4 · How We Collect Data

  • Directly from you - forms, e-mails, calls, contracts.
  • Automatically - cookies, log files, telemetry scripts.
  • Third parties - LinkedIn (if you apply), channel partners (deal registration).

We never buy marketing lists.

5 · Cookies & Similar Tech

Cookie TypeDurationPurpose
_proto42_session12 hMaintains your logged-in session (clients only).
_cookie_consent6 moRecords your cookie preference.
Plausible (cookieless)n/aAnonymous page-view statistics.

We do not use third-party advertising cookies (no Google Ads, Meta Pixel).

6 · How We Use Data

  • Answer you – quotes, demos, support tickets.
  • Run our contracts – deliver software, invoices, SLAs.
  • Improve services – debug, analytics, A/B tests.
  • Legal & compliance – tax records, security audits.
  • Marketing (opt-in) – newsletter, event invites.

We do not use automated decision-making or profiling that produces legal effects.

7 · Sharing & Disclosure

We share data only when necessary:

RecipientReasonSafeguard
Infrastructure providers (Fly.io, AWS, GCP)Hosting, backupDPA & SCCs
Telemetry & error tracking (Datadog, Sentry)Performance & incident logsPseudonymised IDs
CRM & email (HubSpot, Zoho Mail)Client comms & pipelineDPA & ISO 27001
Payment processors (PayFast, Stripe)Invoice paymentsPCI DSS
Sub-contractors/freelancersDeliver project workNDA + least-privileged access
AuthoritiesLawful request, fraud preventionVerified legal order

We never sell personal data.

8 · International Transfers

Servers are in Fly.io global edge + AWS eu-central-1.
When we transfer EU/UK or ZA data outside adequate jurisdictions we rely on:

  • Standard Contractual Clauses (2021)
  • Supplementary technical measures (encryption in transit & at rest)

9 · Data Retention

Data TypeRetention Rule
Sales & marketing leads24 months of last interaction
Client project artefacts5 years post-contract (tax & audit)
Telemetry & logs30 days hot, 365 days cold
Job applications12 months unless you consent to keep longer
Cookie consent logs6 years (GDPR accountability)

We purge or anonymise after retention lapses.

10 · Security Practices

  • TLS 1.3 for all traffic; HSTS pre-loaded.
  • AES-256 at rest; KMS-rotated keys.
  • MFA on all admin accounts.
  • Continuous vulnerability scans (Snyk, CodeQL).
  • Independent pen-tests at least annually.
  • ISO 27001-aligned policies; SOC-2 report underway.

11 · Your Rights

Depending on jurisdiction you may:

  • Access – know what data we hold.
  • Rectify – correct incomplete or inaccurate data.
  • Erase – “right to be forgotten.”
  • Restrict / object – limit processing or direct marketing.
  • Data portability – receive data in structured format.
  • Lodge a complaint
    • EU/EEA: Supervisory Authority in your country
    • UK: ICO
    • South Africa: Information Regulator

How: e-mail privacy@thisis42.com.
We respond within 30 days (or 15 business days for POPIA).

12 · Children

Our site and services are not directed to children under 16. We do not knowingly process such data.

13 · Changes to This Policy

We’ll post any changes on this page and update the “Last updated” date.
Material changes → we’ll notify via e-mail or in-app banner.

14 · Contact

Data Protection Officer (interim):
Marnus van Staden
📧 dpo@thisis42.com
📞 +27 82 555 4242

(Plain-language summary: we collect only what we need, keep it safe, and you stay in control.)