1. Who We Are (Responsible Party)
The responsible party (data controller) for personal information processed in connection with our website, products, and services is:
Cyber Retaliator Solutions (Pty) Ltd
Registration No. [Company Registration Number]
Centurion, Gauteng, South Africa
privacy@cyberretaliatorsolutions.com
www.cyberretaliatorsolutions.com
2. Scope of This Notice
This Notice applies to all personal information processed by CRS in connection with:
- Our public website at retaliatornation.io and cyberretaliatorsolutions.com
- The CRS Partner Portal (portal.retaliatornation.io)
- Training enquiry, booking, and registration forms
- Partner onboarding and account management
- Vendor and supplier relationships
- Marketing and events communications
- Employment and recruitment processes
Where CRS processes personal information on behalf of a client or partner (as an Operator under POPIA), a separate data processing agreement governs that processing.
3. Information We Collect
We collect personal information through the following means:
3.1 Information You Provide Directly
| Category | Examples |
|---|---|
| Identity | Full name, job title, company name |
| Contact | Email address, telephone number, physical/postal address |
| Account credentials | Email for magic-link authentication (no passwords stored) |
| Training & enquiries | Course selections, preferred dates, training modality, delegate count |
| Commercial | Budget information, purchase history, billing details |
| Communications | Messages, feedback, support tickets, survey responses |
| Employment | CV, qualifications, references (recruitment only) |
3.2 Information Collected Automatically
- IP address and approximate geolocation
- Browser type, version, and operating system
- Pages visited, referral source, and session duration
- Device identifiers and screen resolution
- Authentication session tokens (stored securely, not passwords)
3.3 Information from Third Parties
- M.com — partner and contact records maintained for account management
- Authorized partner referrals and vendor partner programmes
- Publicly available business directories and company registrations
4. Purposes of Processing
We process personal information for the following purposes:
Service delivery
Providing training, licensing, distribution, and cybersecurity services; managing partner accounts; processing bookings and registrations.
Customer relationship management
Managing communications, responding to enquiries, logging support interactions, and maintaining account records in our M.com CRM.
Authentication and access control
Verifying your identity via magic-link authentication; granting appropriate access to the Partner Portal and internal systems.
Marketing and communications
Sending product updates, event invitations, training announcements, and newsletters — only where you have provided consent or where we have a legitimate interest.
Security and fraud prevention
Monitoring access logs, detecting anomalous activity, and preventing unauthorised access to our systems — core to our ISO 27001 ISMS.
Legal and regulatory compliance
Retaining records required by POPIA, SARS, the Companies Act, and sector-specific regulations. Responding to lawful requests from authorities.
Improvement of services
Analysing usage patterns and feedback (in aggregate or pseudonymised form) to improve our website, portal, and training offerings.
5. Lawful Basis for Processing
Under POPIA, CRS relies on the following grounds to process personal information:
| Ground (POPIA s.11) | When We Rely on It |
|---|---|
| Contractual necessity | Processing required to deliver a service, training booking, or partner agreement you have entered into with us |
| Legitimate interests | CRM management, security monitoring, fraud prevention, and direct marketing to existing clients (subject to opt-out) |
| Legal obligation | Retaining financial records (SARS), responding to lawful legal process, or fulfilling audit requirements |
| Consent | Email marketing to prospects, cookie-based analytics, and any other processing where we ask for your explicit agreement |
| Vital interests | Emergency situations requiring disclosure to protect life or safety |
Where processing is based on consent, you may withdraw consent at any time by contacting our Privacy Officer or clicking the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
7. International Transfers
CRS operates primarily in South Africa, but our cloud infrastructure providers may process data in other jurisdictions (including the European Union, United States, and United Kingdom).
When personal information is transferred outside South Africa, CRS ensures adequate protection is in place by:
- Using providers subject to equivalent privacy protections (EU GDPR, UK DPA, US Privacy Shield successor frameworks)
- Incorporating standard contractual clauses or data processing agreements that bind recipients to POPIA-equivalent obligations
- Conducting transfer impact assessments for high-risk transfers as part of our ISO 27001 ISMS risk treatment
8. Retention Periods
We retain personal information only for as long as necessary to fulfil the purposes described in this Notice, or as required by law. Our retention schedule (maintained under ISO 27001 Annex A Control A.8.10) includes:
| Category | Retention Period | Rationale |
|---|---|---|
| Active partner / client records | Duration of relationship + 5 years | Contractual and audit requirements |
| Training bookings and certifications | 7 years | SARS and Companies Act retention obligations |
| Marketing contact data | 3 years from last interaction or until opt-out | POPIA legitimate interest / consent basis |
| Authentication logs | 12 months rolling | ISO 27001 ISMS audit trail (A.8.15) |
| Security incident records | 3 years | ISO 27001 A.5.24 — incident management |
| Recruitment records (unsuccessful) | 6 months post-decision | POPIA s.13 — data minimisation |
| Website analytics | 14 months | Google Analytics / Vercel Analytics default retention |
On expiry, personal information is securely deleted or anonymised in line with our Data Disposal Procedure (ISO 27001 Control A.8.10).
9. Security Measures
CRS operates an ISO/IEC 27001:2022 certified Information Security Management System. The following controls are applied to protect personal information:
Information access restriction
Role-based access control — staff access only the data they need for their function.
Secure authentication
Passwordless magic-link authentication; multi-factor authentication for administrative systems.
Network security
Web application firewall, DDoS protection, and TLS 1.3 encryption in transit on all endpoints.
Encryption
Data encrypted at rest in Supabase (AES-256) and in transit via TLS. No plain-text storage of credentials.
Logging and monitoring
Authentication events, admin actions, and API calls logged and retained for 12 months.
Incident management
Formal incident response procedure — data breaches reported to the Information Regulator within 72 hours where required.
Staff awareness
All staff receive annual privacy and information security awareness training.
Supplier controls
All cloud sub-processors are subject to security assessments and contractual data protection obligations.
No system is completely immune to risk. If you believe your personal information has been compromised, please contact us immediately at privacy@cyberretaliatorsolutions.com.
10. Your Rights
Under POPIA, you have the following rights in relation to your personal information. CRS will respond to all subject requests within 30 days of receipt (extendable by a further 30 days in complex cases, with notice).
Right of access
Request confirmation of whether we hold your personal information and receive a copy of it (POPIA s.23).
How to exercise: Submit a PAIA/POPIA access request form or email our Privacy Officer.
Right to correction
Request correction or deletion of inaccurate, irrelevant, excessive, or out-of-date information (POPIA s.24).
How to exercise: Email our Privacy Officer with the specific corrections required.
Right to object (opt-out)
Object to processing based on legitimate interests, particularly direct marketing (POPIA s.11(3)).
How to exercise: Use the unsubscribe link in any email or contact our Privacy Officer.
Right to withdraw consent
Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
How to exercise: Email our Privacy Officer referencing the specific consent you are withdrawing.
Right to complain
Lodge a complaint with the Information Regulator if you believe we have processed your information unlawfully.
How to exercise: See Section 14 for contact details of the Information Regulator.
We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.
12. Children's Privacy
Our services are directed at businesses and professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided personal information without appropriate parental or guardian consent, we will delete it promptly. Parents or guardians with concerns should contact our Privacy Officer immediately.
13. Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will:
- Post a prominent notice on our website at least 14 days before the change takes effect
- Send an email notification to registered Partner Portal users
- Update the 'Last updated' date at the top of this Notice
Continued use of our services after the effective date constitutes acceptance of the updated Notice.
14. Contact and Complaints
14.1 CRS Privacy Officer
Cyber Retaliator Solutions — Privacy Officer
privacy@cyberretaliatorsolutions.com
Please include your full name, contact details, and a clear description of your request or concern. We aim to respond within 5 business days of acknowledgement.
14.2 Information Regulator of South Africa
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Regulator at no charge:
Information Regulator (South Africa)
inforeg@justice.gov.za
+27 12 406 4818
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
This Privacy Notice was prepared in accordance with:
- Protection of Personal Information Act, 4 of 2013 (POPIA), Republic of South Africa
- ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection
- ISO/IEC 27701:2019 — Privacy Information Management
- Promotion of Access to Information Act, 2 of 2000 (PAIA)
Version: 1.0 | Effective: 29 June 2026 | Next review: June 2027