We use cookies

This website uses cookies to enhance your browsing experience, analyse traffic, and support essential site functionality.

  • Essential cookies are required for the site to work properly (e.g. security, page load performance).
  • Analytics cookies (Google Analytics, Vimeo) help us understand how visitors use our website so we can improve it. These are only used if you consent.

View our full Cookie Policy and Privacy Policy for more information.

AcceptRejectPreferences
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Privacy Policy

1. Introduction

At Invicomm Ltd (United Kingdom) and Invicomm (Pty) Ltd (South Africa) (together referred to as "Invicomm", “we”, “us”, or “our”), we are committed to respecting and protecting your personal data in accordance with applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you interact with us, whether through our website, in the course of delivering services, or as part of a business relationship.

We process personal data in compliance with:

  • The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, where Invicomm Ltd acts as the data controller; and
  • The Protection of Personal Information Act 4 of 2013 (POPIA), where Invicomm (Pty) Ltd acts as the responsible party.

This policy applies to all personal data collected in the course of our professional and operational activities. It outlines your rights and explains how you can exercise them. Additional policies may apply for specific services (e.g., cookie use) and will be referenced where applicable. For South African data subjects, this Privacy Policy also serves as Invicomm’s Section 18 notification in terms of the Protection of Personal Information Act, 2013

2. About Us

This Privacy Policy applies to the processing of personal data by the following entities within the Invicomm group:

2.1 Invicomm Ltd (United Kingdom)

Invicomm Ltd is a private limited company incorporated in England and Wales. For activities conducted within the United Kingdom and/or affecting UK data subjects, Invicomm Ltd acts as a Data Controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  • Company Number: 08629536
  • Registered Office: 1-2 Paris Garden, London, SE1 8ND
  • Privacy Contact Email: dan@invicomm.com

2.2 Invicomm (Pty) Ltd (South Africa)

Invicomm (Pty) Ltd is a private company incorporated in South Africa. For activities involving South African residents or conducted within South Africa, it acts as a Responsible Party under the Protection of Personal Information Act (POPIA).

  • Company Registration Number: 2018/493514/07
  • Registered Office: Buchanan Square, Unit H101B, 1st Floor, 154 Sir Lowry Road, Woodstock, Cape Town
  • Privacy Contact Email: mj@invicomm.com
  • Information Officer: Magiel Steyn-Skinner

For all enquiries or to exercise your data protection rights, please refer to the contact details provided in ‘How to Contact Us’ section (see Section 12).

3. What Personal Data We Collect

We collect and use personal data that is necessary for our business operations and to provide our services. The types of personal data we collect depend on your relationship with us—whether you are a client, supplier, website visitor, or employee.

We do not knowingly collect special category data (e.g. health, ethnicity, religious beliefs) or data relating to children.

The types of personal data we may collect include:

  • Contact and identity details – such as your name, email address, phone number, and job title.
  • Business and transactional information – including invoicing details, payment information, and correspondence related to services we provide.
  • Employment-related data – for staff and job applicants, this may include CVs, contracts, payroll data, and relevant identification.
  • Technical data – such as your IP address, browser type, and device information when you visit our website.
  • Marketing and communication data – including your preferences and responses to marketing communications.
  • Project-related content – files or creative materials shared with us that may incidentally contain personal data.

This data is collected either directly from you or through interactions with our services, systems, or communications.

4. How We Collect Your Data

We collect personal data in the following ways:

4.1 Directly from You

  • When you contact us by phone, email, or online forms.
  • When you enter into a contract with us or request a service.
  • When you apply for a role with us or become part of our team.

4.2 Automatically through Our Website and Systems

Purposes Typical Reasons for Processing UK GDPR Legal Basis POPIA Basis
Client communication and engagement To respond to enquiries, fulfil service agreements, and manage client accounts Contract (Art. 6(1)(b)) Contractual necessity (s11(1)(b))
Marketing and business development To promote services, send updates, or invite individuals to events or surveys Consent (Art. 6(1)(a)); Legitimate Interests (Art. 6(1)(f)) Consent (s11(1)(a)); opt-out rights (s69)
Employment-related matters To recruit, onboard, and manage employees and comply with employment obligations Contract (Art. 6(1)(b)); Legal Obligation (Art. 6(1)(c)) Contract; Legal obligation (s11(1)(c))
Finance and record-keeping To issue invoices, manage payments, and comply with financial laws Legal Obligation (Art. 6(1)(c)); Contract Legal obligation (s11(1)(c))
Website and analytics operations To improve website functionality and user experience through tracking technologies Consent (Art. 6(1)(a)) Consent; s14 (for cookies and tracking)
Project and operational activities To deliver services, store deliverables, and manage day-to-day business functions Contract (Art. 6(1)(b)); Legitimate Interests (Art. 6(1)(f)) Contract or legitimate purpose

Processing is carried out in accordance with the lawful bases under the UK General Data Protection Regulation (UK GDPR) and the Protection of Personal Information Act (POPIA) in South Africa.

  • When you visit our website, we may collect technical data such as your IP address and browsing behaviour.
  • This may involve cookies and analytics tools.

4.3 From Third Parties

  • From service providers acting on our behalf (e.g., cloud platforms, payroll processors, email providers).
  • From publicly available sources (e.g., business directories or LinkedIn, where relevant for B2B outreach).

We aim to collect data in a fair, transparent, and proportionate manner, and only when we have a lawful reason to do so. Certain details (e.g. invoicing particulars we must keep for tax purposes) are required by law or by contract. If you do not supply them, we may be unable to enter into, or to continue, a business relationship with you. All other personal data is provided voluntarily and there is no detriment for choosing not to share it.

5. Purposes and Lawful Basis of Processing

We collect and process personal data for a range of legitimate business purposes. These include—but are not limited to—the purposes set out below.

We may also process data for additional compatible purposes where we have a lawful basis to do so, and we will inform individuals where legally required. Where we rely on legitimate interests (Article 6(1)(f) UK GDPR / POPIA s11(1)(f)), we have carried out and documented a Legitimate Interests Assessment to ensure that our interests are not overridden by your fundamental rights and freedoms.

Marketing messages are sent only
(i) with your opt-in consent obtained via POPIA Form 4, or
(ii) to existing customers for similar products/services, always with a one-click opt-out link, or (iii) e-mail marketing to existing UK customers in line with the PECR ‘soft-opt-in’, as permitted by reg. 22(3) PECR.

We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects.

6. Disclosures and Use of Third Parties

We do not sell or rent personal data. However, in the course of our operations, we may share personal data with trusted third parties where necessary to support our services, fulfil contractual obligations, comply with legal duties, or operate effectively as a business.

6.1 Categories of Recipients

Depending on the circumstances, we may share data with:

  • Service providers – such as IT support, cloud storage, website analytics, CRM platforms, and communication tools.
  • Professional advisers – including accountants, legal counsel, and insurers.
  • Payment processors and banks – to manage invoicing, payroll, and financial transactions.
  • Government or regulatory bodies – where legally required, such as tax authorities or data protection regulators.

Where we use external suppliers to process personal data on our behalf, we ensure that appropriate contractual safeguards (such as Data Processing Agreements or Operator Contracts) are in place to protect your rights in line with Article 28 of the UK GDPR and Section 21 of POPIA. A detailed list of our current processors and other categories of recipients is available on request via the contact details in the ‘How to Contact Us’ section (see Section 12). Every external service provider (“operator”) signs a written agreement that obliges them to keep personal data confidential, apply equivalent security safeguards and notify Invicomm immediately if a breach occurs (s 21 POPIA).

6.2 Data Sharing

As part of data sharing agreement, personal data may be shared between:

  • Invicomm Ltd (UK) and
  • Invicomm (Pty) Ltd (South Africa)

This may occur for purposes such as internal reporting, resource allocation, project delivery, or shared service arrangements. Any such sharing will be done in compliance with applicable cross-border transfer requirements.

6.3 Confidentiality and Data Minimisation

We ensure that only the minimum necessary data is shared and that recipients are bound by obligations of confidentiality and data protection.

7. International Data Transfers

As we operate in both the United Kingdom and South Africa, personal data may be transferred across borders in the course of our business activities.

  • We may move personal data between Invicomm Ltd (UK) and Invicomm (Pty) Ltd (South Africa) and, where necessary, to service providers outside those countries.
  • Transfers from the UK/EEA are protected either by an adequacy decision or by the UK International Data Transfer Agreement (IDTA) / EU Standard Contractual Clauses (SCCs).
  • Transfers from South Africa meet the “adequate protection” test in Section 72 POPIA or rely on the data subject’s explicit consent.

You can obtain a copy of, or further information about, the relevant safeguard by using the details provided in the ‘How to Contact Us’ section (see Section 12)

We review these mechanisms regularly and require all overseas recipients to sign binding contracts that uphold equivalent privacy and security standards.

8. Data Retention

We retain personal data only for as long as it is necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, contractual, or operational requirements.

The duration for which we retain data may vary depending on the nature of the data and the context in which it was collected. In general:

  • Client and transaction records may be retained for up to 6 years to meet accounting, tax, or contractual obligations.
  • Employee records are typically retained for a period following the end of employment, as required by labour and regulatory frameworks.
  • Website usage and analytics data is retained for periods aligned with industry norms and technical configurations (e.g., 13 to 26 months for analytics cookies).
  • Project files or creative deliverables may be retained for archiving, quality control, or internal documentation, where justifiable by legitimate interests or contractual terms.

Where a longer retention period is required by law or necessary for the establishment, exercise, or defence of legal claims, we may retain the data accordingly. When personal data is no longer required, it will be securely deleted or anonymised.

Where it is not possible to set a single retention period in advance, we determine how long to keep personal data by applying the following criteria: the amount, nature and sensitivity of the data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process it and whether those purposes can be achieved by other means; any applicable legal, regulatory or contractual requirements; and relevant limitation-periods for legal claims.

9. Your Rights

You have various rights regarding your personal information under applicable data protection laws. The specific rights may differ depending on whether you are dealing with our UK or South African operations.

9.1 UK (UK GDPR)

Under the UK General Data Protection Regulation, you may have the following rights:

  • Access – to obtain a copy of your personal data.
  • Rectification – to correct inaccurate or incomplete data.
  • Erasure – to request deletion where data is no longer necessary or processed unlawfully.
  • Restriction – to limit the processing of your data under certain conditions.
  • Objection – to processing based on legitimate interests or for direct marketing.
  • Data Portability – to receive your data in a machine-readable format and transmit it elsewhere.
  • Withdraw consent – to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to complain – You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or, for South African matters, the Information Regulator.

9.2 South Africa (POPIA)

Under the Protection of Personal Information Act, you may have rights to:

  • Access your personal information.
  • Correction or deletion of inaccurate, outdated, or excessive information.
  • Object to processing for specific reasons, including direct marketing.
  • Lodge a complaint with the Information Regulator.
  • Withdraw consent – to withdraw consent at any time.

You may make an access or correction request on the Information Regulator’s prescribed Form 2 (downloadable at inforegulator.org.za); we will respond as soon as reasonably practicable.

9.3 How to Exercise These Rights

You may exercise your rights by contacting us using the details provided in the ‘How to Contact Us’ section (see Section 12). To ensure your request is handled securely, we may require verification of your identity.

We aim to respond within one month (UK) or as soon as reasonably practicable (SA), depending on the applicable law and the nature of your request.

10. Security Measures

We take the security of your personal information seriously and implement appropriate technical and organisational measures to safeguard it against unauthorised access, loss, misuse, alteration, or disclosure.

These measures may include, but are not limited to:

  • Access controls and user authentication,
  • Data encryption and secure storage,
  • Network and system monitoring,
  • Backup procedures and disaster recovery planning,
  • Role-based access to sensitive data.

While no system can guarantee absolute security, we continuously assess and improve our safeguards to protect the integrity and confidentiality of the data we handle.

Breach Notification Protocol

In the event of a data breach involving personal information:

  • We will notify the UK Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours, as required by the UK GDPR.
  • In South Africa we will notify the Information Regulator and the affected individuals as soon as reasonably possible, using the Section 22 form prescribed under POPIA.

We also maintain internal policies and procedures for identifying, managing, and documenting personal data incidents to ensure timely responses and compliance with our legal obligations.

11. Links to Other Websites

Our website or communications may contain links to third-party websites or services that are not operated by us. Please be aware that we have no control over the content, policies, or practices of these external sites and cannot accept responsibility for how your personal data is handled by them.

We encourage you to review the privacy notices of any third-party websites you visit before providing them with your personal information.

12. How to Contact Us

If you have any questions about this Privacy Policy, how your personal data is handled, or if you would like to exercise any of your rights under applicable data protection laws, you may contact us using the details below:

For the United Kingdom (UK GDPR)

  • Email: dan@invicomm.com
  • Supervisory Authority:
    Information Commissioner’s Office (ICO)
    Website: https://ico.org.uk
    Tel: +44 (0)303 123 1113

For South Africa (POPIA)

  • Email: mj@invicomm.com
  • Information Officer: Magiel Steyn-Skinner
  • Supervisory Authority:
    Information Regulator (South Africa)
    Website: https://inforegulator.org.za
    Email: complaints.IR@justice.gov.za
13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we do, we will revise the “last updated” date at the end of this notice.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data. If we make significant changes that affect your rights or how we process your data, we will provide a prominent notice—such as by email or on our website.

Last updated: 28.07.2025

London

1-2 Paris Garden
SE1 8ND

Cape Town

Office 101b
Buchanan Square
154 Sir Lowry Road
Woodstock, 7925

Johannesburg

155 West Street
Sandown
Sandton, 2031

LinkedIn
Instagram
YouTube
Privacy Policy
©2025 Invicomm Limited.