Privacy Policy
How ITRS collects, processes, and protects your personal information — across every jurisdiction we operate in.
Last updated: 27 February 2026 | Effective: 27 February 2026
1. Who We Are
ITRS — IT & Risk Services (Pty) Ltd ("ITRS", "we", "our", "us") is a boutique cyber risk management firm headquartered in Cape Town, South Africa. We operate as a Managed Security Service Provider (MSSP) serving small and medium businesses across seven countries.
We act as the responsible party (under POPIA), data controller (under GDPR), or equivalent role under applicable privacy legislation in each jurisdiction where we operate. Our registered details are provided in Section 15 of this policy.
As a cybersecurity firm, we hold ourselves to the highest standard of data protection. Safeguarding personal information is not merely a compliance obligation — it is fundamental to our purpose and reputation.
2. Information We Collect
We collect only the minimum personal information necessary to deliver our services and operate our business. The categories include:
Identity & Contact Information
Full name, job title, business email address, business telephone number, company name, and industry sector — collected when you contact us, request an assessment, or engage our services.
Technical & Usage Data
IP address (anonymised where possible), browser type, device information, pages visited, and interaction data — collected automatically through cookies and analytics tools when you visit our website.
Geolocation Data
Approximate geographic region derived from your IP address — used exclusively to display locally relevant compliance frameworks, threat intelligence, and currency formatting. This data is processed client-side and is not stored on our servers.
Service Delivery Data
For clients under active engagement: network configuration details, vulnerability assessment findings, risk quantification data, compliance status, and security incident records. This data is processed under a separate Data Processing Agreement (DPA) specific to each client engagement.
Communication Records
Correspondence via email, phone, or our website chatbot — retained for service continuity, quality assurance, and dispute resolution.
3. How We Collect Information
Directly from you — when you complete our contact form, request a risk assessment, subscribe to communications, or engage us for services.
Automatically — through cookies, server logs, and analytics tools when you interact with our website. You may manage cookie preferences via the banner presented on your first visit.
From third parties — in limited circumstances, we may receive information from referral partners, professional networks, or publicly available business directories, always in compliance with applicable law.
4. Why We Process Your Information
We process personal information for the following purposes: responding to enquiries and consultation requests; delivering our AEGIS cyber risk management services; conducting risk assessments and producing risk quantification reports; fulfilling contractual obligations to clients; maintaining and improving our website and digital services; sending service-related communications (never unsolicited marketing without consent); complying with legal and regulatory obligations; and protecting the security and integrity of our systems and those of our clients.
5. Legal Basis for Processing
Depending on your jurisdiction and the nature of processing, we rely on one or more of the following lawful bases:
Consent — where you have given clear, informed, and voluntary consent (e.g., subscribing to communications or accepting cookies). You may withdraw consent at any time.
Contractual necessity — processing required to perform a contract with you or to take pre-contractual steps at your request (e.g., conducting a risk assessment).
Legitimate interest — processing necessary for our legitimate business interests (e.g., improving our services, ensuring network security, preventing fraud), provided these interests do not override your fundamental rights.
Legal obligation — processing required to comply with applicable laws, regulations, or lawful government requests.
6. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
Technology partners — trusted security vendors whose platforms are integral to service delivery (e.g., endpoint protection, SIEM, vulnerability scanning). Each operates under a Data Processing Agreement with confidentiality obligations at least as stringent as our own.
Infrastructure providers — cloud hosting (Amazon Web Services), email delivery, and analytics services. We select providers with demonstrated compliance certifications (SOC 2, ISO 27001, or equivalent).
Professional advisors — legal counsel, auditors, or insurers where necessary for business operations.
Legal requirements — where we are compelled to disclose information by law, regulation, court order, or lawful government request. We will notify affected individuals where legally permitted to do so.
7. International Data Transfers
As a firm operating across seven countries — South Africa, the United States, the United Kingdom, Australia, New Zealand, the United Arab Emirates, and India — personal data may be transferred between jurisdictions. We ensure all cross-border transfers comply with applicable data protection laws by implementing appropriate safeguards, including Standard Contractual Clauses (SCCs), binding corporate rules, or reliance on adequacy decisions where available.
Our primary data processing infrastructure is hosted in the AWS Cape Town (af-south-1) region. Where data must be processed in other regions for service delivery, we apply equivalent technical and organisational safeguards.
8. Data Retention
We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our retention periods are as follows:
Website enquiries: 24 months from last interaction, then securely deleted.
Client service data: Duration of the engagement plus 5 years, to satisfy regulatory and audit requirements.
Risk assessment reports: Duration of the engagement plus 3 years, unless the client requests earlier deletion.
Financial and billing records: 7 years, as required by tax legislation in our operating jurisdictions.
Cookie and analytics data: Maximum 13 months from collection, in line with privacy best practices.
9. How We Protect Your Data
As a cybersecurity firm, data protection is both our obligation and our expertise. We implement technical and organisational measures aligned to industry-leading frameworks including NIST CSF, CIS Controls v8, and ISO 27001. These measures include:
Encryption of all data in transit (TLS 1.2+) and at rest (AES-256).
Multi-factor authentication on all internal systems and client-facing portals.
Endpoint detection and response across all company devices.
Role-based access controls enforcing the principle of least privilege.
Continuous vulnerability management and penetration testing.
24/7 security monitoring through our own AEGIS platform.
Documented incident response procedures with defined escalation paths.
Regular security awareness training for all personnel.
Secure development practices for all web properties and APIs.
No system is entirely immune to risk — we are transparent about this because honesty is a professional obligation. Should a security incident affect your personal data, we will notify you and the relevant supervisory authorities in accordance with Section 13 of this policy.
10. Your Rights
Depending on your jurisdiction, you have some or all of the following rights regarding your personal information:
Right of access — request confirmation of whether we hold your personal data and obtain a copy of it.
Right to rectification — request correction of inaccurate or incomplete personal data.
Right to erasure — request deletion of your personal data where there is no compelling reason for continued processing.
Right to restrict processing — request limitation on how we use your data in certain circumstances.
Right to data portability — receive your personal data in a structured, commonly used, machine-readable format.
Right to object — object to processing based on legitimate interests or direct marketing.
Right to withdraw consent — withdraw previously given consent at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at info@itrs-za.com. We will respond within 30 days (or sooner where required by local law). We may need to verify your identity before processing your request. There is no fee for exercising your rights, unless a request is manifestly unfounded or excessive.
11. Cookies & Analytics
Our website uses cookies — small text files stored on your device — to ensure basic functionality and, with your consent, to analyse how visitors interact with our site.
Strictly Necessary Cookies
Essential for website operation (e.g., cookie consent preference, session management). These cannot be disabled. No personal data is collected.
Analytics Cookies
Loaded only after you accept cookies via our consent banner. Used to understand visitor behaviour (pages visited, time on site, navigation patterns) through privacy-respecting analytics. IP addresses are anonymised. No data is shared with advertising networks.
We do not use advertising cookies, tracking pixels, or retargeting technologies. You may manage or revoke your cookie preferences at any time by clearing your browser cookies; you will be prompted again on your next visit.
12. Children's Privacy
Our services are designed for business professionals and are not directed at individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at info@itrs-za.com.
13. Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within the timeframe required by applicable law — 72 hours under POPIA and GDPR, or as otherwise mandated by local regulation.
Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing a clear description of the breach, its likely consequences, and the measures we have taken or propose to take in response.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our website. We encourage you to review this policy periodically.
15. Contact Us & Complaints
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
ITRS — IT & Risk Services (Pty) Ltd
Data Protection Enquiries
Email: info@itrs-za.com
General: info@itrs-za.com
Web: itrs-za.com/contact
If you are dissatisfied with our response to a privacy concern, you have the right to lodge a complaint with the supervisory authority in your jurisdiction. In South Africa, this is the Information Regulator (inforegulator.org.za). In the EU/EEA, contact your local Data Protection Authority. In the UK, contact the Information Commissioner's Office (ico.org.uk).
16. Jurisdiction-Specific Provisions
🇿🇦 South Africa — POPIA
We process personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA). ITRS is registered as a responsible party. You may lodge complaints with the Information Regulator at inforegulator.org.za or via info@itrs-za.com.
🇪🇺 European Union / 🇬🇧 United Kingdom — GDPR / UK GDPR
Where we process personal data of individuals in the EU/EEA or UK, we comply with the General Data Protection Regulation (EU 2016/679) and UK GDPR respectively. Cross-border transfers are safeguarded through Standard Contractual Clauses or adequacy decisions. You may contact your local Data Protection Authority to exercise your rights or lodge a complaint.
🇺🇸 United States — State Privacy Laws
For residents of states with comprehensive privacy legislation (including California under the CCPA/CPRA), you have the right to know what personal information we collect, request its deletion, and opt out of any sale of personal information. We do not sell personal information. To make a request, email info@itrs-za.com. We will verify your identity and respond within the statutory timeframe.
🇦🇺 Australia — Privacy Act 1988
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988. Australian individuals may access and correct their personal information and lodge complaints with the Office of the Australian Information Commissioner (oaic.gov.au).
🇳🇿 New Zealand — Privacy Act 2020
We comply with the Information Privacy Principles under New Zealand's Privacy Act 2020. Individuals may contact the Office of the Privacy Commissioner (privacy.org.nz) for guidance or to lodge complaints.
🇦🇪 United Arab Emirates — PDPL
We comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). Data subjects may exercise their rights under PDPL by contacting us at info@itrs-za.com.
🇮🇳 India — DPDP Act 2023
We process personal data of individuals in India in accordance with the Digital Personal Data Protection Act, 2023. Data principals may exercise their rights including the right to access, correction, erasure, and grievance redressal by contacting info@itrs-za.com.
This Privacy Policy was last reviewed on 27 February 2026.
ITRS — IT & Risk Services (Pty) Ltd. All rights reserved.