GreyJones (Pty) Ltd. Privacy Policy 

Effective Date: January 1, 2026

1. Introduction

GreyJones (PTY) Ltd (“we”, “us”, or “our”) is a South African engineering consulting firm committed to ethical, fair, and responsible business practices. We respect the privacy of all individuals and entities we engage with, including clients, vendors, suppliers, partners, and other stakeholders (“you” or “data subjects”).

This Privacy Policy explains how we collect, use, store, protect, and disclose personal information in compliance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”). It also outlines our approach to handling confidential and proprietary business information shared during our professional engagements.

We act as the responsible party under POPIA for the personal information we process.

2. Types of Information We Process

Personal Information (as defined in POPIA): We collect and process limited personal information, primarily from natural persons representing clients, vendors, or other business entities. This typically includes:

  • Full name
  • Email address
  • Mobile and office telephone numbers
  • Profession/job title
  • Office location/address (business-related)

We do not typically collect special personal information (e.g., health, race, religion).

Confidential Business Information (non-personal): In the course of our services, clients and vendors share sensitive, proprietary, or confidential information with us, such as:

  • Site drawings and plans
  • Process-related data and specifications
  • Technical solutions, designs, or innovations
  • Pricing information
  • Site locations
  • Other commercial or technical data

We treat this information as strictly confidential and do not regard it as “personal information” under POPIA unless it directly identifies a natural person.

3. How We Collect Information

We collect personal, technical and commercial information:

  • Directly from you (e.g., via email, meetings, proposals, contracts, or forms).
  • From public sources (e.g., company websites, professional directories) where lawful.
  • Indirectly through our engagements (e.g., correspondence).

We prefer to collect information directly from you and only collect what is necessary for our business relationship.

4. Purpose of Processing

We process personal information and handle confidential business information for the following lawful purposes:

  • To engage in, perform, and manage professional consulting services (e.g., engineering design, site assessments, project collaboration).
  • To communicate with you (e.g., project updates, meetings, invoices).
  • To fulfill contractual obligations.
  • To pursue our legitimate interests (e.g., maintaining business relationships, quality assurance).
  • For internal administration, record-keeping, and compliance with legal obligations.
  • To protect the confidentiality and integrity of shared business information.

Processing is based on:

  • Consent (where required or obtained).
  • Necessity for the performance of a contract.
  • Our legitimate interests (balanced against your privacy rights).
  • Compliance with law.

5. Sharing and Disclosure

We do not sell personal information or confidential business information. We may share it only:

  • With our employees, contractors, or service providers (e.g., cloud storage, IT support) who are bound by confidentiality, contractual and POPIA-compliant agreements.
  • Where required by law, court order, or regulatory authority.
  • With your consent or as necessary to perform our services (e.g., sub-consultants or contractors on a project).

We will never disclose your confidential business information (e.g., drawings, pricing, technical solutions) to third parties, such as competitors, without your explicit consent or a legal requirement to do so. We expect the same confidentiality from you regarding our proprietary information.

6. Security of Information

We implement reasonable technical and organisational measures, in line with POPIA Condition 7 (Security Safeguards), to protect personal and confidential information against loss, unauthorised access, disclosure, or destruction. These include secure storage, access controls, and encryption where appropriate.

Our IT System Setup and Access Controls

To ensure robust protection and minimise risks, we maintain a structured environment where data is strictly segregated:

  • Information related to each project is isolated in dedicated, separate environments.
  • Access to any project data is granted on a strict need-to-know basis, only as and when required, in accordance with our project access policy. Permissions are explicitly approved by an administrator and limited to individuals who need them for their specific role in that project.
  • Access to data in one project environment is not possible from another project environment. Granting access to one set of project information does not enable access to any other project data unless separately authorised.

In the unlikely event of a security compromise, we will notify you and the Information Regulator as required by POPIA.

7. Guest User Access and Microsoft Consent Screen

When we invite external collaborators (such as clients or vendors) as guest users to access shared project documents or resources in our secure environment, Microsoft displays a standard consent screen during the first sign-in or access attempt. This is a required Microsoft security feature for business-to-business (B2B) collaboration and is not unique to GreyJones.

The screen requests your consent to the following permissions, which are strictly limited to our organisation only and enable secure, managed access:

  • Receive your profile data — This allows us to receive basic profile details (e.g., your name, email, and job title) from your Microsoft account for identity verification and to display your information correctly within our shared project environments.
  • Collect and log your activity — This enables us to log your interactions (e.g., sign-ins, file accesses) only within our environment for security, auditing, and compliance purposes (such as tracking who accessed which project data). These logs are protected and used solely to maintain the integrity of our collaborations.
  • Use your profile data and activity data — This permits us to use the above data only to manage your access, generate reports for project administration, and ensure proper collaboration (e.g., confirming appropriate permissions).

Important clarifications:

  • These permissions apply exclusively to our GreyJones environment and do not grant us access to your personal Microsoft account, emails, files, or activities outside of our shared resources.
  • Your activity is logged and visible only in the context of the specific projects you are invited to, in line with our segregated access controls (Section 6). No data from one project is accessible from another.
  • This setup complies with POPIA as the processing is necessary for contract performance, our legitimate interests in secure collaboration, and limited to what is required. We do not use this data for marketing or unrelated purposes.
  • You can review or revoke this consent at any time via https://myaccount.microsoft.com/organisations, or contact us to discuss alternatives.

By accepting the consent screen and engaging with us, you agree to these limited, necessary permissions as part of secure professional collaboration.

8. Retention

We retain personal information only as long as necessary for the purposes described above, or as required by law or contract (e.g., statutory limitation periods for professional liability in engineering projects). Thereafter, we securely delete or de-identify it.

For project-related records (including personal information and confidential business information):

  • Active projects remain accessible under the strict controls described in Section 6.
  • Upon project completion, records are archived in a read-only state to preserve them for any required legal, contractual, or professional purposes (e.g., dispute resolution or future reference). Archived records continue to be stored in segregated environments with the same explicit, need-to-know access controls—no broader access is granted.

Confidential business information is retained per project/contract terms and destroyed when no longer needed.

9. Your Rights Under POPIA

You have the right to:

  • Access your personal information we hold.
  • Request correction, deletion, or destruction (subject to legal/contractual obligations).
  • Object to processing (we will cease unless justified).
  • Withdraw consent (where processing is consent-based; this may affect our ability to provide services).
  • Lodge a complaint with the Information Regulator (details below).

To exercise these rights, contact our Information Officer (details in Section 11).

10. Cross-Border Transfers

If we transfer personal information outside South Africa (e.g., cloud services), we ensure adequate protection through contracts or other lawful mechanisms.

11. Contact Details

Information Officer: Blake Jones, Director

Email: admin@greyjones.co.za

Physical Address: The Workstation, Salt Rock Road, KwaDukuza, 4390

Telephone: 031 816 93 86

Information Regulator (South Africa):

Website: https://inforegulator.org.za/

Email: enquiries@inforegulator.org.za (general) / POPIAComplaints@inforegulator.org.za (complaints)

12. Changes to This Policy

We may update this policy from time to time. The latest version will be available on our website or provided upon request.

By engaging with GreyJones (PTY) Ltd, providing information, or continuing our business relationship, you acknowledge and agree to this Privacy Policy.

We value your trust and are committed to safeguarding your privacy and confidentiality.