Privacy Policy
Last updated: 26 April 2026
1. Who we are
This Privacy Policy applies to the website at https://hydroworks.co.za (the “Site”), operated by SA Atlantic Group (Pty) Ltd, trading as Hydro Works.
- Registered address: 28 Smartt Road, Goodwood, Cape Town, Western Cape, 7460, South Africa
- Company registration number: 2020/069154/07
- Contact email: admin@hydroworks.co.za
- Phone: 079 321 5597
For purposes of the Protection of Personal Information Act, 2013 (“POPIA”), SA Atlantic Group (Pty) Ltd is the responsible party for personal information processed through the Site.
The Information Officer is Shamiel Simons, contactable at admin@hydroworks.co.za. The Information Officer is the person legally responsible for ensuring compliance with POPIA and is your point of contact for any questions about this policy or how your information is handled.
2. What this policy covers
This Privacy Policy explains how Hydro Works collects, uses, shares, and protects personal information when you:
- Visit or browse the Site
- Add products to your cart
- Submit a quote request
- Contact us via the contact form, email, phone, or WhatsApp Business
- Receive deliveries from our courier partners
- Interact with us in any other way through the Site
This policy does not cover third-party websites we link to (such as our social media pages on Facebook, Instagram, and X). Those are governed by their own privacy policies.
If you do not agree with this policy, please do not use the Site or submit information to us through it.
3. Information we collect
We collect personal information in three ways: information you give us directly, information collected automatically when you use the Site, and information from third parties who help us operate.
3.1 Information you provide directly
When you submit a quote request through the Site, we collect:
- Your name
- Email address
- Phone number
- Delivery address (if applicable)
- Business name and details (if you indicate you’re purchasing for a business)
- The products and quantities you’ve requested
- Any notes or specifications you add to your request
When you submit the contact form, we collect:
- Your name
- Email address
- Phone number (if provided)
- The subject and content of your message
- The inquiry type you select
When you contact us by email or WhatsApp Business, we receive whatever information you choose to share, including the contents of your messages.
3.2 Information collected automatically
When you visit the Site, certain information is collected automatically through cookies and similar technologies:
- Device and browser information: the type of device you’re using, your operating system, browser type and version, screen resolution
- Usage information: pages you visit, time spent on each page, links you click, the page that referred you to ours, the date and time of your visit
- Approximate location: city or region level, derived from your IP address — not your precise location
- Performance data: how quickly pages load on your device, used to identify and fix performance issues
Section 6 explains what cookies we use and how to control them.
3.3 Information from third parties
We do not buy personal information from data brokers or marketing list providers. The only third-party information we receive is from:
- Our courier partners (BobGo and TAC Delivery) — delivery confirmation status, including signature receipts where applicable, after they fulfil orders on our behalf
- Payment confirmations — when you pay by EFT, we see incoming payment notifications via our bank, including the reference you used (typically your order number)
4. How we use your information
We process personal information only for specific purposes, each with a lawful basis under POPIA. The table below sets out what we do with your information and why we’re entitled to do it.
| Purpose | What this involves | Lawful basis |
|---|---|---|
| Processing your quote request | Reviewing the products you’ve requested, checking stock with suppliers, preparing a written quote, and sending it to you | Performance of a contract (or steps taken at your request to enter into one) |
| Fulfilling orders | Coordinating delivery with our couriers, confirming receipt of payment, communicating delivery updates | Performance of a contract |
| Responding to enquiries | Replying to messages submitted via the contact form, email, phone, or WhatsApp Business | Legitimate interest in supporting customers and prospective customers |
| Customer service and follow-up | Reaching out to discuss your quote, suggesting alternatives if items are out of stock, providing growing advice on products you’ve purchased | Legitimate interest in providing the level of service we describe to customers |
| Site analytics and improvement | Understanding how visitors use the Site, which pages perform well, where users encounter friction — used to improve the Site over time | Consent (you may withdraw consent at any time — see Section 6) |
| Performance monitoring | Detecting slow pages, server errors, and technical issues that affect your experience | Legitimate interest in maintaining a functional Site |
| Record-keeping | Retaining quote submissions, contact form messages, and order records for our internal records and audit purposes | Compliance with legal obligations (tax, consumer protection) and legitimate interest |
| Fraud prevention and Site security | Detecting and blocking abusive use of the Site, including spam submissions, scraping, and unauthorised access attempts | Legitimate interest in protecting the Site and our customers |
| Complying with legal requests | Responding to lawful requests from courts, regulators, or law enforcement | Compliance with a legal obligation |
We do not currently use your personal information for direct marketing purposes. If we add a newsletter or marketing communications feature in future, we will only send marketing to you with your specific consent, and you will be able to opt out at any time.
We do not make automated decisions that have significant legal effects on you (for example, we do not use algorithms to decide whether to accept an order). All quote decisions involve human review.
5. Who we share your information with
We share your personal information only with parties who help us operate the Site or fulfil your orders. We do not sell your personal information to anyone.
The third parties we share information with fall into four categories: operational service providers (the technical infrastructure that runs the Site), fulfilment partners (delivery and communications), professional advisors (when needed), and legal recipients (when legally required).
5.1 Operational service providers
These are the technology providers that make the Site work. Each of them only receives the minimum information necessary to provide their service.
| Provider | What they receive | Why | Location |
|---|---|---|---|
| Vercel Inc. | All Site traffic data: IP addresses, page requests, server logs, basic device information | Hosts the Site and serves pages to visitors | United States (with global edge locations) |
| Vercel Analytics | Page views, anonymised visitor identifiers, referrer URLs, approximate location | Aggregated traffic analytics | United States |
| Vercel Speed Insights | Performance metrics tied to anonymised page loads | Measuring and improving page performance | United States |
| Supabase Inc. | All form submissions (quote requests, contact form), product data | Database and file storage backing the Site | United States / European Union (depending on region) |
| Google LLC (Google Analytics 4) | Anonymised visitor identifiers, page views, events (such as quote form submissions and contact form submissions), approximate location, device and browser information | Understanding Site usage in aggregate to improve the Site | United States |
| Resend | Email content for quote confirmations sent to our team and customers, including names, email addresses, and quote details | Transactional email delivery | United States |
| Zoho Books (Zoho Corporation) | Customer name, billing and delivery address, email address, phone number, VAT number (for businesses), quote and order details, payment information | Accounting, invoicing, and financial record-keeping. Data is currently entered manually rather than imported automatically. | United States |
5.2 Fulfilment partners
These are the parties that help us complete orders and communicate with customers.
| Provider | What they receive | Why | Location |
|---|---|---|---|
| BobGo (uAfrica) | Recipient name, delivery address, phone number, parcel details | Courier service for orders shipped outside our direct delivery area | South Africa |
| TAC Delivery | Recipient name, delivery address, phone number, parcel details | Our in-house courier service for major Western Cape areas | South Africa |
| WhatsApp Business (operated by Meta Platforms, Inc.) | The contents of any messages you choose to send us via WhatsApp | Customer enquiries and support | United States (Meta servers); messages are end-to-end encrypted in transit |
| Our bank (Capitec Business) | Payment reference (typically your order number), payment amount | Receiving and reconciling EFT payments | South Africa |
5.3 Professional advisors
We may share information with our professional advisors (lawyers, accountants, auditors, insurers) when their assistance requires it, and only on terms that protect your privacy. We do not routinely share customer data with these advisors — only when there’s a specific need (for example, in the event of a dispute or audit).
5.4 Legal recipients
We may share personal information with courts, regulators, law enforcement, or other authorities if we are legally compelled to do so, or if we reasonably believe sharing is necessary to:
- Comply with applicable law
- Protect our legal rights or those of our customers
- Prevent or investigate possible wrongdoing in connection with the Site
- Protect the personal safety of users or members of the public
5.5 International transfers
Several of our service providers are located outside South Africa, primarily in the United States and European Union. Under POPIA section 72, we are permitted to transfer personal information across borders where the recipient is subject to laws or binding agreements that uphold protection principles substantially similar to POPIA.
For each of the international recipients listed above, we rely on one or more of the following safeguards:
- Contractual data protection commitments in the provider’s terms of service or data processing agreement
- The provider’s compliance with recognised international privacy frameworks (such as the EU-US Data Privacy Framework, where applicable)
- The provider’s published privacy and security commitments under their own jurisdictional privacy laws (such as GDPR for EU operations)
You can request more information about the specific safeguards in place for any particular transfer by contacting us at admin@hydroworks.co.za.
6. Cookies and similar technologies
A cookie is a small text file that a website places on your device when you visit. Cookies allow websites to remember information about your visit, like your preferences and how you use the site. Some cookies are essential for the Site to work; others help us understand how visitors use it.
6.1 Cookies set by Hydro Works
| Cookie name | Purpose | Duration |
|---|---|---|
| hydroworks-consent | Records whether you have accepted the cookie notice. Without this cookie, the notice would reappear on every visit. | 150 days |
6.2 Cookies set by third parties
The following cookies are set by service providers we use. We do not control these cookies directly — they are set by the third party when their scripts run on the Site.
| Cookie name | Set by | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishes individual visitors so we can understand how the Site is used in aggregate | 2 years |
| _ga_YN9ZC8WM7B | Google Analytics 4 | Maintains session state and tracks page interactions during your visit | 2 years |
6.3 Other tracking technologies
Some of our service providers use techniques other than cookies to understand how the Site is used:
- Vercel Analytics and Vercel Speed Insights do not set cookies on your device. Instead, they collect anonymised, aggregated data about page visits and performance directly from our servers, without storing identifiers in your browser.
6.4 How to control cookies
You have several options for controlling cookies:
- Accept the cookie notice on the Site to allow analytics cookies. We will be adding a more granular consent management option in a future update, allowing you to choose which categories of cookies to accept.
- Adjust your browser settings to block or delete cookies. Most browsers let you control cookies through their settings menu — search your browser’s help for “manage cookies” for instructions.
- Use Google’s opt-out tool to specifically prevent Google Analytics tracking across all websites: https://tools.google.com/dlpage/gaoptout
- Use private/incognito browsing to prevent cookies from persisting between sessions.
If you block essential cookies, parts of the Site may not work properly. Blocking analytics cookies will not affect your ability to browse, request quotes, or contact us.
We are currently improving our cookie consent management. The next iteration of our consent system will let you accept or reject specific categories of cookies (essential, analytics, marketing) rather than offering a single accept option.
7. How long we keep your information
We keep personal information only for as long as necessary for the purpose it was collected, and no longer than legally required. The retention periods below describe how long different categories of information are kept by default. We may keep information longer in specific cases — for example, while a dispute is ongoing or where required by a court order.
7.1 Retention periods
| Category | How long we keep it | Why |
|---|---|---|
| Quote submissions that converted to orders | 5 years from the end of the tax year in which the order was placed | Tax law requires us to keep transaction records for 5 years (Tax Administration Act); also useful for warranty and product support |
| Quote submissions that did not convert to an order | 12 months from submission | Customers sometimes return months later to revisit a quote; beyond a year, the quote is unlikely to be relevant |
| Order and payment records | 5 years from the end of the relevant tax year | SARS retention requirement; held in our accounting system (Zoho Books) |
| Invoices and accounting records | 5 years from the end of the relevant tax year | Tax Administration Act |
| Contact form submissions that resulted in a relationship (quote, order, ongoing conversation) | Treated as part of the customer record above | |
| Contact form submissions with no follow-up | 6 months from submission | After 6 months, an unanswered enquiry is unlikely to be revisited |
| Email correspondence | Retained alongside the related quote, order, or customer record | So we have full context for any future conversation |
| WhatsApp Business message history | Retained for the duration of our customer relationship | Customer service continuity |
| Website analytics data (Google Analytics 4) | 14 months | Allows year-over-year comparison while limiting how long anonymised visitor data is held |
| Vercel Analytics and Speed Insights | According to Vercel’s default retention (typically 30–90 days for detailed data, longer for aggregated metrics) | Operational performance monitoring |
| Server logs and error logs | Up to 90 days | Diagnosing technical issues |
| Cookie consent records | 150 days, or until you change your consent | So we can demonstrate you accepted the cookie notice if asked |
7.2 What happens after the retention period
When the retention period ends, we either:
- Delete the information, or
- Anonymise it so that it can no longer be linked to you (for example, removing names and contact details from old quote records while keeping aggregated data for our own business analysis)
You can request deletion of your information at any time, subject to our legal obligations to retain certain records. See Section 8 for how to make such a request.
8. Your rights under POPIA
POPIA gives you specific rights over your personal information. This section explains what those rights are and how to use them.
8.1 Your rights
You have the right to:
- Be told what information we hold about you. You can ask us for a summary of the personal information we have about you, where we got it from, and what we’re doing with it.
- Access your information. You can request a copy of the personal information we hold about you.
- Correct your information. If something we hold about you is wrong, out of date, or incomplete, you can ask us to fix it.
- Have your information deleted. You can ask us to delete your personal information. We will do so unless we are legally required to keep it (for example, tax records that we must retain for 5 years).
- Object to how we use your information. You can object to specific uses of your information — particularly direct marketing, if we ever start sending it.
- Withdraw consent. Where we rely on your consent to process your information (such as for analytics), you can withdraw that consent at any time. Withdrawing consent doesn’t affect the lawfulness of processing we did before you withdrew it.
- Lodge a complaint. If you believe we have mishandled your information, you can complain to the Information Regulator (contact details in Section 8.3).
8.2 How to exercise your rights
To exercise any of these rights, contact us at admin@hydroworks.co.za with:
- A description of which right you want to exercise (for example, “I want a copy of my information” or “Please delete my information”)
- Your name and the email address or phone number you used when you contacted us, so we can find your records
- Enough information for us to identify you with confidence — we may ask for additional verification before we act on a request, to make sure we don’t disclose your information to someone else
We will respond to your request within 30 days. If your request is complex or we need more time, we will let you know and explain why.
There is no fee for most requests. In rare cases — for example, if a request is repetitive or unreasonable — we may charge a reasonable fee or decline to act. If we decline, we will explain why and tell you how to complain.
8.3 Lodging a complaint
If you are not satisfied with how we have handled your personal information or your request, you can complain to:
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: complaints.IR@justice.gov.za
Website: https://inforegulator.org.za
We would prefer to resolve any concerns directly with you first, so please consider contacting us before lodging a complaint.
9. Security
We take reasonable steps to protect your personal information against unauthorised access, loss, alteration, or disclosure. The measures below describe what we do today.
9.1 Technical measures
- Encrypted connections. All traffic between your browser and the Site is encrypted using HTTPS. Information you submit through forms cannot be read by third parties intercepting network traffic.
- Encrypted storage. Customer data submitted through the Site is stored in our database (operated by Supabase) which encrypts data at rest.
- Access controls. Database credentials and service account keys are stored as server-side environment variables and are not exposed to visitors or to the browser. Sensitive credentials are never committed to source code.
- Hosting infrastructure. The Site is hosted on Vercel, which provides enterprise-grade infrastructure security including protection against common web attacks (such as DDoS and injection attacks) at the network edge.
- Regular updates. We keep our software dependencies and security-relevant code up to date to address known vulnerabilities.
9.2 Organisational measures
- Limited administrative access. Administrative access to customer data is limited to the directors of SA Atlantic Group (Pty) Ltd. We do not share administrative credentials with contractors or third parties.
- Multi-factor authentication. Two-factor authentication is enabled on all administrative accounts (hosting, database, email, accounting, source code).
- Encrypted credential storage. Account credentials are stored using device-level encryption with strong device passwords.
- Principle of least privilege. We only collect personal information that is necessary for the purposes described in this policy, and only retain it for as long as those purposes require (see Section 7).
9.3 Backups and continuity
We maintain backups of the Site’s database to allow recovery from technical failures. The frequency and retention of these backups depend on the database service tier we are subscribed to.
9.4 Honest limits
No security measure is perfect. Despite the steps we take, we cannot guarantee that your information will never be compromised by determined attackers, software vulnerabilities we are unaware of, or events outside our reasonable control.
If we ever discover a security incident that affects your personal information, we will:
- Investigate to determine what happened and what information was affected
- Take steps to contain the incident and prevent further harm
- Notify the Information Regulator and affected individuals as required by POPIA section 22 (which requires notification “as soon as reasonably possible” after discovery)
- Provide guidance on what you can do to protect yourself
9.5 What you can do
You also play a role in keeping your information safe:
- Use a strong, unique password for any account you create on websites that send you notifications about Hydro Works orders
- Be cautious of phishing attempts — we will never ask you for your password by email or phone, and we will never ask you to make payments to a different bank account than the one listed on your invoice
- If you suspect your information has been compromised — for example, if you receive an unexpected payment request claiming to be from Hydro Works — contact us immediately at admin@hydroworks.co.za
10. Children
The Site is intended for adults aged 18 and over.
We do not knowingly collect personal information from children. We do not market to children, and we do not target our services at anyone under 18.
If you are under 18, please do not use this Site or submit any information to us through it.
If you are a parent or guardian and you believe your child has provided personal information to us through the Site, please contact us at admin@hydroworks.co.za. We will delete the information promptly.
This age requirement reflects both the nature of our products (some of which are marketed for use in licensed adult horticultural industries) and our obligations under POPIA section 35, which requires special protections for personal information about children.
11. Changes to this policy
We may update this Privacy Policy from time to time — for example, when we introduce new features, change service providers, or respond to changes in the law.
When we update this policy:
- We will change the “Last updated” date at the top of this page
- For material changes that affect how we collect, use, or share your personal information, we will give you reasonable notice before the changes take effect — for example, by displaying a notice on the Site or, where appropriate, sending you an email
- For minor changes (clarifications, typos, formatting), the updated policy will simply appear here without a separate notice
We encourage you to review this policy periodically. By continuing to use the Site after a change has taken effect, you accept the updated policy. If you do not agree with a change, please stop using the Site.
A history of material changes is maintained internally and is available on request.
12. Contact details
If you have questions about this Privacy Policy, want to exercise any of your rights under POPIA, or have concerns about how we have handled your personal information, please contact us:
SA Atlantic Group (Pty) Ltd, trading as Hydro Works
28 Smartt Road, Goodwood, Cape Town, Western Cape, 7460, South Africa
Information Officer: Shamiel Simons
Email: admin@hydroworks.co.za
Phone: 079 321 5597
Website: https://hydroworks.co.za
For complaints to the Information Regulator, see Section 8.3.
Hydro Works — providing smart horticultural solutions while respecting your right to privacy.