Privacy Policy

Effective date: 1 April 2026  ·  Last updated: 26 March 2026

Lohki is committed to protecting your personal information. This policy explains what we collect, how we use it, who we share it with, and your rights under the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Who We Are

Responsible Party: Eric Lohler trading as Lohki

Information Officer: Eric Lohler

Email: [email protected]

Location: Johannesburg, Gauteng, South Africa

Lohki is a web design and development agency that builds and hosts websites for individuals, clubs and communities, and businesses across South Africa. This policy applies to personal information collected through our website at portal.lohki.co.za and through the services we provide.

2. What Personal Information We Collect

Account and registration data

When you create an account, we collect: your first name, last name, email address, and phone number.

Intake and project data

When you complete the intake form to start a website project, we collect: business or personal details, brand assets (logo, images), contact information, social media links, and any other content you provide for inclusion on your website. This information is necessary to build your website.

Payment data

We do not store your payment card details. All payment processing is handled exclusively by Payfast. We retain only a Payfast subscription token for billing reconciliation purposes.

Session data

When you log in to the portal, we store a session token in our database to keep you authenticated. Sessions expire after 2 hours of inactivity.

Website usage and analytics

We use Google Analytics 4 (GA4) on our public marketing pages (home, pricing, about, etc.) to understand how visitors interact with our website. GA4 collects:

  • Pages visited and time spent on each page
  • General geographic location (country and city level — not precise location)
  • Device type and browser
  • Referring website or traffic source

This data is anonymised and aggregated. We do not use GA4 to identify individual visitors. GA4 data is processed by Google and subject to Google's Privacy Policy.

Communications

If you contact us via email or the contact form, we retain a copy of that communication to respond to your enquiry and maintain a record of our interaction.

3. How We Use Your Information

We use your personal information only for the following purposes:

  • Delivering the Service — to build your website, manage your subscription, and provide access to the client portal and CMS.
  • Communication — to send transactional emails such as email verification, payment confirmation, build status updates, and billing notifications. We do not send unsolicited marketing emails.
  • Account management — to authenticate you, manage your account, and process billing.
  • Service improvement — anonymised analytics data (via GA4) helps us improve the website and understand what information is most useful to visitors.
  • Legal compliance — to comply with applicable South African laws, including POPIA and financial record-keeping requirements.

4. Cookies

Public pages (marketing site): Google Analytics 4 places cookies on public pages to collect anonymised usage statistics. These are analytics cookies only — no advertising or tracking cookies are used.

Authenticated portal pages: A single session cookie is used to keep you logged in. This cookie contains no personal data — it stores only a session token that expires after 2 hours.

Managing cookies: You may disable or clear cookies in your browser settings at any time. Disabling cookies will not affect your ability to use the portal, though GA4 analytics will not function on public pages.

5. Who We Share Your Information With

We do not sell, rent, or trade your personal information. We share it only with the third-party service providers listed below, strictly to deliver our Service:

Provider Purpose Location
Payfast Payment processing and subscription management South Africa
Cloudflare Website hosting (Cloudflare Pages) and CDN United States
Google (GA4) Anonymised website analytics United States
Railway Application and database hosting infrastructure United States

Where personal data is transferred outside of South Africa, we take reasonable steps to ensure it is protected at a standard comparable to POPIA, by relying on the privacy policies and data processing agreements of the providers listed above.

6. POPIA Compliance and Your Rights

Under the Protection of Personal Information Act 4 of 2013, you have the following rights in relation to your personal information held by Lohki:

  • Right of access: You may request a copy of the personal information we hold about you.
  • Right to correction: You may request that we correct inaccurate or incomplete information.
  • Right to deletion: You may request that we delete your personal information, subject to our legal retention obligations.
  • Right to object: You may object to the processing of your personal information for any purpose not required to deliver the Service or comply with a legal obligation.
  • Right to complain: If you believe we have handled your personal information unlawfully, you may lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

To exercise any of these rights, email our Information Officer at [email protected]. We will respond within a reasonable period, and in any event within the timeframes required by POPIA.

7. Data Retention

Data Type Retention Period
Account profile (name, email, phone) Retained while the account is active. Deleted on request after account closure.
Website files (HTML, images, assets) 90 days after subscription cancellation, then permanently deleted.
Intake and project data Retained for the duration of the project and for 90 days post-cancellation.
Billing and payment records 5 years, as required by South African financial record-keeping law.
Session data Active session expires after 2 hours. Stored session records are cleared periodically.
GA4 analytics data Up to 14 months, per Google's standard data retention settings. Data is anonymised.

8. Security

Lohki takes reasonable technical and organisational measures to protect your personal information, including:

  • All data in transit is encrypted via HTTPS (TLS).
  • Passwords are stored using one-way bcrypt hashing — we cannot retrieve your password.
  • Sensitive settings (API keys, credentials) are encrypted at rest in our database.
  • Access to production systems is restricted to authorised personnel only.

No method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in harm to data subjects, we will notify affected individuals and the Information Regulator as required by POPIA.

9. Your Obligations as a Website Owner

If your Lohki-built website includes a contact form, booking form, or any other mechanism that collects personal information from your website visitors, you are a Responsible Party under POPIA. You are responsible for:

  • Publishing a privacy policy on your own website that explains how you collect and use visitor data.
  • Processing your visitors' personal information lawfully and only for stated purposes.
  • Securing any personal data you collect.

Lohki acts as your Operator for this data — we store and transmit it on your behalf but do not use it independently. Lohki's involvement does not substitute for your own POPIA obligations as a Responsible Party.

10. Children's Privacy

The Lohki platform is intended for use by persons aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us at [email protected] and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered clients by email at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact and Complaints

For any questions, concerns, or requests relating to this Privacy Policy or your personal information, contact our Information Officer:

Eric Lohler
Lohki — Information Officer
[email protected]
Johannesburg, Gauteng, South Africa

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:

inforegulator.org.za
[email protected]
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Also see our Terms of Service for the full service agreement, including our cancellation and refund policy.