Privacy Policy
Last Updated: May 2026
1. Introduction and Definitions
As part of the xneelo Group of Companies, which includes xneelo (Pty) Ltd and xneelo Limited, we strive to give you clear insight into how your data is handled, whether you are visiting our website, signing up for services, applying for a role, or working with us as a business partner.
If you have any questions about this policy or how we handle your Personal data, we are here to help:
- For any questions related to data protection, please contact our registered Information Officer at information.officer@xneelo.com
- For general support: support@xneelo.com
Key Definitions
To make this policy easier to understand, here are a few key terms:
- GDPR: The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- Personal data: Any information that can identify you, directly or indirectly.
- Controller: The party that determines how and why Personal data is processed (similar to the Responsible Party under POPIA).
- POPIA: The Protection of Personal Information Act 4 of 2013.
- Processor: The party that processes Personal data on behalf of the Controller (similar to Operator under POPIA).
- Services: The products, services, and support we provide at xneelo.
Understanding Our Role and How This Policy Applies
Depending on the context, we manage Personal data in two key ways:
- As a Data Controller:
We act as a Controller when we collect and use data for our own purposes, such as account setup, billing, and customer support. This Privacy Policy applies to this processing.
- As a Data Processor:
When you use our hosting services to collect or store data about your customers, you are the Controller, and we are the Processor. In this case, our Data Processing Agreement applies.
See Section 3 below for detailed information on our role as a Processor.
Who This Policy Covers
This Privacy Policy applies to the following groups:
- Website visitors and prospective customers
- Current customers and service users
- Job applicants and employees
- Business partners and contractors
Why This Matters
By clearly defining our role, we aim to help you understand when we make decisions about how your data is processed and when we simply act on your instructions. This transparency is part of our commitment to earning and maintaining your trust.
2. Your Personal Data
We collect Personal data from various sources to deliver our services, enhance your experience, and fulfil our legal and contractual obligations. This includes information you share with us directly, data collected automatically when you interact with our services, and information received from trusted third parties, such as payment processors, fraud-prevention providers, and background-check services.
We only collect the data necessary for the purposes outlined in this policy and handle it with care, transparency, and respect for your privacy.
2.1. What Personal Data We Collect
Data You Provide Directly
| Data Type | Examples | Legal Basis | Why We Need It |
| Identity & Contact | Name, email, phone, postal address | Contract | Account setup, communication, service delivery |
| Account Information | Username, password, preferences | Contract | Secure account management |
| Payment Data | Billing address, VAT number, payment details | Contract & Legal Obligation | Payment processing, tax compliance |
| Support Communications | Messages, tickets, call recordings | Contract & Legitimate Interest | Customer support, service improvement |
| Job Applications | CV, references, qualifications | Consent | Recruitment and hiring decisions |
Data We Collect Automatically
| Data Type | Examples | Legal Basis | Purpose |
| Technical Data | IP address, browser type, device info | Legitimate Interest | Service provision, security, and troubleshooting |
| Usage Data | Pages visited, time spent, clicks, downloads | Consent & Legitimate Interest | Service improvement, analytics |
| Security Data | Login attempts, access logs, security events | Legitimate Interest | Fraud prevention, account security |
| Cookies & Trackers | Session, analytics, preference cookies | Consent & Legitimate Interest | See Section 4 below. |
Data from Third Parties
| Source | Data Type | Legal Basis | Purpose |
| Payment Processors | Transaction status, payment verification | Contract | Payment processing |
| Fraud Prevention Providers | Risk scores, device fingerprints, behavioural patterns | Legitimate Interest | Fraud detection and prevention |
| Analytics Providers | Aggregated usage patterns, demographics | Legitimate Interest | Service improvement |
| Background Check Providers | Employment verification, qualifications | Consent | Recruitment screening |
Note for Job Applicants: If you apply for a position at xneelo, we may conduct background verification checks for specific roles (particularly those involving access to customer data or financial systems). We will always inform you before conducting these checks and obtain your explicit consent. You have the right to withdraw consent at any time, though this may affect your application.
2.2. Why We Use Your Data
Our Legal Basis for Processing Data
We rely on the following legal grounds:
- Contractual: To provide services and manage your account.
- Legal Obligation: To comply with laws and regulations.
- Legitimate Interest: To improve services and protect against risks, where this does not override your privacy rights. Please see below for more details.
- Consent: For marketing and non-essential cookies (you can withdraw consent at any time).
Legitimate Interest
When we process data based on legitimate interests, we’ve carefully balanced our needs against your privacy rights. Here’s how:
- Fraud Prevention & Security
Our interest is in protecting our systems, customers, and business against fraud, abuse, and security threats. At the same time, we respect your right to privacy and data minimisation. To balance these interests, we rely on automated systems that use only the minimum data necessary, apply strict access controls, and provide human review where decisions have a meaningful impact on you.
- Service Improvement & Analytics
We use analytics to understand how our services are used so we can improve performance and user experience. Your privacy and control over your data remain important to us. Wherever possible, we work with aggregated or pseudonymised data, offer opt-out mechanisms, and limit the retention of analytics data.
- Customer Support & Dispute Resolution
To resolve issues, maintain service quality, and manage disputes effectively, we may retain customer support communications. We do so with due regard for privacy and data minimisation principles. Support records are retained for three years, in line with industry standards for dispute resolution, with sensitive data encrypted and access restricted to authorised personnel only.
How We Use Your Data
| Purpose | Legal Basis | How we process your data |
| Service Delivery | Contractual | Account creation, service provisioning, billing, and communication. |
| Legal Compliance | Legal Obligations | Tax reporting, regulatory compliance, and lawful requests from authorities. |
| Security and Fraud Prevention | Legitimate Interest | Detecting and preventing fraud, monitoring threats, protecting against unauthorised access, and automating risk assessment. |
| Business Operations | Legitimate Interest | Service improvement, analytics and employee and contractor management. |
| Automated Decision-Making | Legitimate Interest | We may use automated systems for fraud detection and risk scoring to assess the likelihood of fraudulent activity. This may result in automatic declines or restrictions on account creation or transactions. |
| Website Analytics and Advertising | Consent or Legitimate Interest | We use tools to analyse user interactions through behavioural metrics, including session replays and heatmaps. This helps us understand website usage, improve functionality, enhance user experience, support security and fraud prevention, and inform marketing and advertising activities. |
| Marketing Communications | Consent or Legitimate Interest | New customers: We only send marketing emails to customers who have opted in during signup or via our newsletter subscription. Existing customers: We may send service updates and relevant product information based on your legitimate interest, but you can opt out at any time. We never share your data with third parties for their marketing. |
2.3. Who We Share Your Data With and Why
In limited circumstances, we may share your data with trusted third parties to help us deliver our services, meet legal or regulatory obligations, protect our systems and customers, or support essential business operations. When we do share data, we apply strict safeguards to ensure it is handled securely, used only for its intended purpose, and protected in line with legal and ethical standards.
xneelo Group Companies
We may share your Personal data with other companies within the xneelo Group (xneelo (Pty) Ltd and xneelo Limited) to deliver services seamlessly and provide consolidated customer support. Access to your data is strictly limited to what’s necessary, and all group entities follow the same privacy and security standards to ensure your information remains protected.
Essential Service Providers
These are carefully selected partners who support our services:
| Provider Type | Purpose | Data Shared | Safeguards |
| Payment Processors | Process payments | Payment details, transaction data | PCI-DSS compliance, DPAs, SCCs, where applicable |
| Fraud Prevention Providers | Detect suspicious activity | Transaction patterns, device data, IP addresses | SCCs, encryption, data minimisation, DPAs |
| Analytics Providers | Service performance and usage trends | Aggregated usage data | Pseudonymisation, contractual safeguards, DPAs |
| Communication and AI-powered communication tools | Deliver emails, SMS, notifications | Contact details, messages | Encryption, access controls, DPAs |
| Infrastructure Providers | Hosting and system operations | Technical and operational data | Adequacy decisions, SCCs, encryption, DPAs |
For a complete list of all the subprocessors we use, data security measures, your rights and more, please see our detailed Data Processing Agreement.
Legal Disclosure
We may disclose Personal data when required to comply with a legal obligation and where reasonably practicable. This can include responding to valid court orders or investigations, cooperating with authorised law enforcement requests, fulfilling tax or financial reporting requirements and complying with POPIA or GDPR regulatory investigations.
We will notify you of such disclosures unless legally prohibited from doing so.
Advertising Conversion Measurement Providers
We use Google’s enhanced conversion and lookalike targeting features to better understand the effectiveness of our advertising and to reach audiences who may be interested in our services.
In this context:
- Third-party providers, including Google, may display our advertisements on websites and platforms across the internet.
- These providers use cookies and similar technologies, such as device identifiers, to deliver ads based on your prior interactions with our website or services.
- This allows advertisements to be tailored to your interests based on browsing activity.
You can manage or opt out of interest-based advertising by adjusting your preferences via Google’s Ads Settings or through your device settings, where applicable. For further information on how Google processes Personal data in the context of advertising, please refer to Google’s Privacy Policy.
3. If You Use Our Hosting Services
This section is crucial if you host websites or applications, or store customer data, using xneelo services.
3.1. Understanding Roles and Responsibilities
Your Role and Ours
When you use our hosting services (web hosting, email hosting, cloud servers, etc.), there’s an important distinction:
- You are the Data Controller: You determine what data is collected from your website visitors, customers, or users.
- We are the Data Processor: We process the data you collect in accordance with your instructions and our customer Data Processing Agreement (DPA).
Your Responsibilities as a Controller
When you collect data through services hosted with us, you must:
- Include a privacy policy on your website/application that explains what data you collect and how you use it.
- Ensure you have a legal basis (consent, contract, legitimate interest) for collecting and processing data.
- Handle access, deletion, and other rights requests from your users.
- Ensure your data collection practices comply with GDPR, POPIA, and other applicable laws.
- Implement appropriate security measures for your applications and databases.
Please note that we are unable to respond directly to data requests from your end-users. They must contact you as the data controller.
Our Responsibilities as a Processor
When processing data on your behalf:
- We don’t access, use, or share your customer data except as necessary to provide services or as required by law.
- We implement technical and organisational measures to protect data stored on our infrastructure (see Section 6 below).
- We maintain a list of sub-processors; see our Data Processing Agreement (DPA) for more details.
- We will notify you if we become aware of a breach affecting your customer data.
3.2. Our Data Processing Agreement (“DPA”)
Our Data Processing Agreement (DPA) outlines how we manage Personal data on your behalf. It includes details on how we govern international data transfers, our security commitments, and your audit rights. Additionally, it regulates the use of sub-processors and defines our procedures for notifying and responding to data breaches.
3.3. International Data Transfers
Some of our service providers may operate outside of South Africa or the EU/EEA. Where Personal data is transferred internationally, xneelo ensures that such transfers comply with section 72 of POPIA and other applicable data protection laws. We rely on one or more of the following bases for such transfers:
- The recipient country or organisation ensures an adequate level of protection substantially similar to POPIA.
- The transfer is necessary for the performance of a contract with you, or for the implementation of pre-contractual measures at your request.
- Appropriate contractual safeguards are in place, including Data Processing Agreements (DPAs) with our service providers.
Where transfers involve EU/EEA data subjects, these agreements incorporate the European Commission-approved Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs), as required under the GDPR.
In addition, we implement appropriate technical and organisational measures, such as encryption and pseudonymisation, to safeguard your Personal data during transfer and storage.
4. Cookies
We use cookies and similar tracking technologies to ensure our website and services function correctly, improve performance, and provide you with a better experience.
How We Obtain Cookie Consent
When you first visit our website, you’ll see a cookie banner that allows you to:
- Accept all cookies
- Reject non-essential cookies
- Customise your preferences by category
Your choices are saved, and you can change them at any time by clicking “manage my cookies” within our Cookie Policy.
Types of Cookies We Use
| Cookie Type | Purpose | Consent Required | Examples of Use |
| Essential (Necessary) Cookies | Essential for our website and services to operate correctly. These include login and navigation cookies, as well as cookies used for fraud prevention and security monitoring. | No – these are strictly necessary. | Session management, authentication, load balancing and security monitoring. |
| Functional Cookies | Allow us to remember your settings and preferences to enhance your experience. | Yes | Language preferences, region settings, accessibility options |
| Analytics (Performance and Behavioural) Cookies | Help us understand how visitors interact with our website, identify performance issues, and improve our services. | Yes | Page views, click patterns, time on site, mouse movements, browser and device information (pseudonymised) |
| Marketing (Advertisement) Cookies | Used to display relevant advertising, measure campaign effectiveness, and support social media integrations. | Yes | Ad delivery, campaign tracking, social media sharing and remarketing |
Full Cookie Policy
For a complete list of all cookies we use, including third-party cookies, please see our detailed Cookie Policy.
5. Data Retention and Deletion
We retain Personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, tax, and regulatory obligations. Once these purposes have been met, we securely delete or anonymise Personal data so that it can no longer be linked to an individual.
You may request the deletion of your Personal data at any time, and we will comply unless we are legally required to retain certain information for a prescribed period.
| Data Type | Retention Period | Basis | Rationale |
| Active Customer Data | Duration of relationship + 6 months | Contractual and Legitimate Interest. | Retained to manage disputes, prevent fraud, and support service recovery. Data is deleted or anonymised after this period. You may request earlier deletion, unless retention is required to meet legal obligations. |
| Billing and Payment Records | 10 years after the final transaction | Legal Obligation. | Required for tax reporting (SARS), financial audits, and compliance with the Companies Act and Tax Administration Act. |
| Support Records | 3 years after resolution | Service improvement and Legitimate Interest | Retained for dispute resolution, service history, and improving customer experience. |
| Marketing Data | Until consent is withdrawn | Consent and Legitimate Interest | Ensures compliance with opt-out rights and minimises unnecessary processing. Consent can be withdrawn at any time via unsubscribe links or by contacting us. |
| Security Logs | 12 months or less | Security monitoring and Legitimate Interest. | Short retention for detecting abuse, troubleshooting, and security monitoring. Extended only when investigating specific incidents. |
| Job Applications | Until consent is withdrawn | Consent can be withdrawn at any time | We retain applications in case suitable positions arise, unless you request earlier deletion. |
| Website Analytics | 14 months | Service improvement and Legitimate Interest | Automatically anonymised after this period. |
| Hosted Customer Data | Per your instructions as the Data Controller | Processing on your behalf | Data you store on our servers is retained in accordance with your instructions and our DPA. You control retention and deletion. |
Requesting Data Deletion
To request deletion of your data, email our support team at support@xneelo.com with:
- Your full name and account details
- Specific data you want deleted
- Confirmation that you understand this may affect services
We aim to complete deletion requests within 10 business days, though backup removal may take up to 90 days.
6. How We Keep Your Data Safe
We use robust technical and organisational measures to protect your Personal data.
This includes encrypting data both in transit and at rest, maintaining secure infrastructure with firewalls and intrusion detection systems, and conducting regular audits and vulnerability testing. We also use multi-factor authentication to prevent unauthorised access and provide ongoing staff training, supported by clear incident response plans to address potential security issues quickly and effectively.
Data Breach
If we experience a data breach that could affect your Personal data, we will act promptly and responsibly. This includes having measures in place to identify and contain the breach and to investigate its cause. For the purposes of this Policy, a Personal data breach means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to your Personal data.
If a breach occurs that poses a risk to your Personal data, we will notify you and the relevant authorities without undue delay and, where applicable, within the statutory timelines set out in POPIA and the GDPR. Our notification will include information about the nature of the breach, its potential impact, and any steps you may need to take to protect yourself.
Any notification provided by xneelo in relation to a Personal data breach will not be construed as an admission of fault or liability by xneelo or any third party involved in the processing of Personal data.
Your Security Responsibilities
You also play an important role in keeping your data secure. We encourage you to use strong, unique passwords, enable multi-factor authentication, keep your contact details up to date, and report any suspicious activity to support@xneelo.com. Please do not share your login credentials with anyone.
7. Your Rights
We respect your privacy and are committed to giving you control over your Personal data.
Your Rights Under GDPR and POPIA
- Access: Request a copy of the Personal data we hold about you.
- Correction: Ask us to update or correct any inaccurate or incomplete information.
- Erasure (Right to be Forgotten): Request that we delete your Personal data where there is no legal or contractual reason for us to keep it.
- Restriction: Request that we temporarily limit our use of your data in specific situations, such as during dispute resolution.
- Objection: Object to processing based on our legitimate interests, including direct marketing.
- Withdraw Consent: If we rely on your consent to process your data, you have the right to withdraw it at any time. This will not affect processing that took place before your withdrawal.
- Automated Decision-making: You have the right to be informed about any automated decision-making involving your Personal data, including the logic, significance, and consequences, and to request human intervention where applicable.
How to Exercise Your Rights
You may exercise any of these rights in relation to your Personal data by submitting a request to our Information Officer, registered with the Information Regulator, or our EU Representative at information.officer@xneelo.com and including the following:
- Your full name
- Account details (if you are a customer)
- A clear description of your request
- Proof of identity (for verification purposes).
We will respond within 30 days of receiving your request. If the request is complex or involves multiple records, the timeframe may be extended to 60 days; however, we will notify you if this occurs.
Verification Process
For your own privacy and security, we may require you to verify your identity before providing the requested information. This may include:
- Confirming details from your account
- Providing a copy of your ID document
- Answering security questions
Right to Lodge Complaint
If you believe that we are not complying with applicable data protection laws when processing Personal data, you have the right to lodge a complaint with the relevant supervisory authority. However, we encourage you to contact our data protection officer first. We are committed to addressing any concerns promptly and constructively.
South Africa (POPIA):
- Information Regulator (South Africa)
- Website: Complaints
Please note that to access this service, the user must first register a user profile on the eService Portal and submit the complaint through the Portal.
European Union/EEA (GDPR):
- Your local Data Protection Authority
- EU DPA directory: European Data Protection Board
8. Other Important Information
8.1. Children’s Privacy
We apply an 18-year age threshold across all jurisdictions. While GDPR member states may permit digital consent from the age of 16, we apply the South African standard uniformly.
If we become aware that we have collected Personal data from an individual under 18 without appropriate consent, we will take immediate action. This includes suspending the account, deleting all associated Personal data within 30 days, and, where contact details are available, contacting the individual or their parent or guardian.
If you believe that a child has provided us with Personal data, please contact us immediately at abuse@xneelo.com so that we can address the matter promptly.
8.2. Third Party Links and Services
Our website and services may include links to, or allow you to interact with, third-party websites, applications, or services. These third parties operate independently from xneelo and have their own privacy and data protection practices. If you choose to share your Personal data with them, that information will be handled in accordance with their privacy policies, not ours. We encourage you to review their policies so you understand how your data will be used.
While we take care in selecting the partners we work with, xneelo is not responsible for the privacy practices, security, or content of these third-party sites or services. We cannot accept liability for how they handle your information.
8.3. Updates to This Policy
We may modify this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Any updates will be published on this page with a revised “Last Updated” date.
By continuing to use our website after changes take effect, you accept the updated Privacy Policy. If you disagree with changes, you may close your account by contacting support@xneelo.com. We encourage you to review this policy periodically to stay informed about how your data is handled, whether you are visiting our website, signing up for services, applying for a role, or working with us as a business partner.



