Privacy notice
Last updated 3 June 2026 · POPIA compliant
Who we are
This website is operated by WeShift AI (Pty) Ltd (“WeShift”, “we”, “us”), a private company based in Pretoria, South Africa (registration number 2026/341581/07). This notice describes how we collect, use, store, and protect personal information in line with the Protection of Personal Information Act, 2013 (POPIA).
Our Information Officer is William Nicol, registered with the Information Regulator (South Africa) under registration number 2026-023131. You can reach the Information Officer at [email protected].
What we collect
- Contact-form submissions: your name, email address, company, role, indicative budget and timeline, and the description you choose to share.
- Booking details (via cal.com): when you book a call, you submit your name, email, and any details directly to our scheduling provider cal.com, which processes them on our behalf; we don’t store them in our own systems.
- Newsletter subscription: your email address, on a double opt-in basis; we only add you to the list once you confirm via a link we email you. You can unsubscribe at any time using the link in every newsletter.
- Anti-spam metadata: when you submit the contact form we also store a salted, one-way hash of your IP address, your browser’s user-agent string, and the page that referred you, which we use for spam detection, rate-limiting, and security.
- Usage data: standard server logs (IP, timestamp, page), our own lightweight first-party analytics, and, once you accept cookies, Google Analytics. Both are described below.
Why we collect it
We collect the information above strictly to respond to your enquiry, schedule and conduct meetings, deliver projects we’ve been engaged for, send our newsletter to people who have asked for it, protect the site against spam and abuse, and maintain reasonable security and uptime of this website. We don’t use it for profile building or onward sale.
Providing this information is voluntary — but without it we can’t respond to your enquiry, schedule a call, or send you the newsletter.
Our lawful basis under POPIA
- Analytics & advertising cookies: your consent, given through the cookie-consent banner. Nothing is stored by Google’s tags until you accept.
- Our own first-party analytics, server logs, and anti-spam: legitimate interest in operating, securing, and improving the website (s11(1)(d)).
- Newsletter: your consent, captured on a double opt-in basis and withdrawable at any time.
- Enquiries and bookings: taking steps at your request and our legitimate interest in conducting our business.
Who sees it
Within WeShift, access to contact-form messages and the newsletter list is limited to our two founders. We also use the following third-party operators, who process this information on our behalf under appropriate data-protection terms: Resend (email delivery), Vercel (hosting), Supabase (database, where contact enquiries, the newsletter list, and our first-party analytics are stored), cal.com (booking and scheduling), and Google LLC (Google Tag Manager and Google Analytics). Some of these operators — including Google, and our hosting (Vercel) and database (Supabase) — may store or process data on servers outside South Africa. Where that happens we rely on the transfer conditions permitted under section 72 of POPIA, including the operator’s binding data-protection commitments.
Cookies & Google Analytics
We use Google Tag Manager and Google Analytics (provided by Google LLC) to understand how the site is used. These services set cookies and may use online identifiers, and the data may be processed by Google on servers outside South Africa under appropriate safeguards.
We operate Google Consent Mode v2. By default, before you make any choice, analytics and advertising storage are set to denied, so Google’s tags do not store analytics or advertising cookies until you tell us otherwise. A cookie-consent banner lets you Accept or Decline. If you accept, analytics and advertising storage are switched on; if you decline, they stay denied and the site continues to work normally. You can change your mind at any time using the “Cookie preferences” link in the footer of every page.
Because Google’s tags can use identifiers, accepting cookies may allow Google to associate activity with your device. Declining keeps that identification turned off.
Our own analytics
Separately from Google, we run our own lightweight, genuinely cookieless first-party analytics so we can see which pages help people and where our traffic comes from. For each page view we record the page path, the referring site’s hostname (not the full URL), any UTM tags you arrived with, a coarse device type and browser family, and the country derived from your IP address. This system does not set or read cookies and does not store your IP address.
To group the page views from a single visit, we generate a session identifier by hashing your IP and user-agent together with a salt that changes daily. The identifier cannot be linked across days and there is no path back to your IP. This data is stored in our own database on Supabase. Our lawful basis under POPIA for this operational analytics is legitimate interest in running and improving the website (s11(1)(d)). Because it sets no cookies, this first-party measurement is not gated by the consent banner above.
How we protect it
We apply reasonable technical and organisational measures to safeguard personal information against loss, damage, and unauthorised access or use, as required by section 19 of POPIA. These include limiting access to our two founders, authentication on the services we use, encrypted transport (HTTPS), input validation, and storing identifiers as one-way salted hashes rather than raw values. If a security compromise affects your personal information, we will notify the Information Regulator and you as soon as reasonably possible, as required by section 22.
How long we keep it
Enquiry messages are retained for as long as we have an active or recently concluded engagement, and for up to three years thereafter to honour any follow-up requests. Analytics events are retained for up to 12 months and then deleted. Newsletter subscriptions are retained until you unsubscribe or ask us to remove you, after which we keep only a minimal suppression record so we don’t email you again by mistake. You can ask us to delete personal information about you at any time.
Children and automated decisions
This is a business website aimed at organisations, not children. We do not knowingly collect personal information from children under 18; if you believe a child has given us information, contact us and we will delete it. We also do not make decisions about you based solely on automated processing that have legal or similarly significant effects on you (section 71 of POPIA).
Your rights under POPIA
You have the right to:
- ask what personal information we hold about you and request a copy;
- ask us to correct or delete information that is inaccurate, irrelevant, excessive, out of date, or no longer needed;
- object, on reasonable grounds, to our processing of your personal information (section 11(3));
- withdraw any consent you have given — for the newsletter or for analytics and advertising cookies — at any time, without affecting processing already carried out;
- object at any time to the use of your information for direct marketing.
To exercise any of these rights, email our Information Officer at [email protected] and we’ll respond within 30 days. You can also make a formal request to access records we hold through our PAIA manual.
If you believe we have not handled your personal information lawfully, you have the right to lodge a complaint with the Information Regulator (South Africa): [email protected], [email protected], or inforegulator.org.za.
Updates
If we materially change this notice, we’ll update the date above and describe the change. This page is the canonical version.