Skip to main content
HomePrivacy Notice

Privacy Notice

Effective date: 29 June 2026  |   Last updated: 29 June 2026

Cyber Retaliator Solutions (Pty) Ltd is committed to protecting the personal information of everyone who interacts with us. This Notice explains what information we collect, why we collect it, how we protect it, and your rights under the Protection of Personal Information Act, 4 of 2013 (POPIA) and our ISO/IEC 27001:2022 Information Security Management System (ISMS).

ISO/IEC 27001:2022 Aligned — Annex A Control 5.34

1.Who We Are (Responsible Party)

The responsible party (data controller) for personal information processed in connection with our website, products, and services is:

Cyber Retaliator Solutions (Pty) Ltd

Registration No. [Company Registration Number]

Centurion, Gauteng, South Africa

privacy@cyberretaliatorsolutions.com www.cyberretaliatorsolutions.com
A.5.34Privacy and protection of PII

2.Scope of This Notice

This Notice applies to all personal information processed by CRS in connection with:

  • Our public website at retaliatornation.io and cyberretaliatorsolutions.com
  • The CRS Partner Portal (portal.retaliatornation.io)
  • Training enquiry, booking, and registration forms
  • Partner onboarding and account management
  • Vendor and supplier relationships
  • Marketing and events communications
  • Employment and recruitment processes

Where CRS processes personal information on behalf of a client or partner (as an Operator under POPIA), a separate data processing agreement governs that processing.

3.Information We Collect

We collect personal information through the following means:

3.1 Information You Provide Directly

CategoryExamples
IdentityFull name, job title, company name
ContactEmail address, telephone number, physical/postal address
Account credentialsEmail for magic-link authentication (no passwords stored)
Training & enquiriesCourse selections, preferred dates, training modality, delegate count
CommercialBudget information, purchase history, billing details
CommunicationsMessages, feedback, support tickets, survey responses
EmploymentCV, qualifications, references (recruitment only)

3.2 Information Collected Automatically

  • IP address and approximate geolocation
  • Browser type, version, and operating system
  • Pages visited, referral source, and session duration
  • Device identifiers and screen resolution
  • Authentication session tokens (stored securely, not passwords)

3.3 Information from Third Parties

  • M.com — partner and contact records maintained for account management
  • Authorized partner referrals and vendor partner programmes
  • Publicly available business directories and company registrations
A.5.34 / A.8.11Data masking and PII minimisation

4.Purposes of Processing

We process personal information for the following purposes:

Service delivery

Providing training, licensing, distribution, and cybersecurity services; managing partner accounts; processing bookings and registrations.

Customer relationship management

Managing communications, responding to enquiries, logging support interactions, and maintaining account records in our M.com CRM.

Authentication and access control

Verifying your identity via magic-link authentication; granting appropriate access to the Partner Portal and internal systems.

Marketing and communications

Sending product updates, event invitations, training announcements, and newsletters — only where you have provided consent or where we have a legitimate interest.

Security and fraud prevention

Monitoring access logs, detecting anomalous activity, and preventing unauthorised access to our systems — core to our ISO 27001 ISMS.

Legal and regulatory compliance

Retaining records required by POPIA, SARS, the Companies Act, and sector-specific regulations. Responding to lawful requests from authorities.

Improvement of services

Analysing usage patterns and feedback (in aggregate or pseudonymised form) to improve our website, portal, and training offerings.

5.Lawful Basis for Processing

Under POPIA, CRS relies on the following grounds to process personal information:

Ground (POPIA s.11)When We Rely on It
Contractual necessityProcessing required to deliver a service, training booking, or partner agreement you have entered into with us
Legitimate interestsCRM management, security monitoring, fraud prevention, and direct marketing to existing clients (subject to opt-out)
Legal obligationRetaining financial records (SARS), responding to lawful legal process, or fulfilling audit requirements
ConsentEmail marketing to prospects, cookie-based analytics, and any other processing where we ask for your explicit agreement
Vital interestsEmergency situations requiring disclosure to protect life or safety

Where processing is based on consent, you may withdraw consent at any time by contacting our Privacy Officer or clicking the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.

6.Sharing and Disclosure

CRS does not sell personal information. We share it only in the following circumstances:

  • Vendor partners (IBM, Red Hat, SUSE, CompTIA, etc.)

    To process training enrolments, certifications, and licensing on your behalf — under data processing agreements.

  • Cloud and SaaS providers

    Vercel (hosting), Supabase (database), Monday.com (CRM), Resend (email), Google (AI services) — all bound by appropriate data processing agreements and sub-processor terms.

  • Professional advisors

    Lawyers, auditors, and accountants who require access under professional duty of confidentiality.

  • Regulatory and law enforcement authorities

    Where required by law, court order, or to protect our legal rights — disclosed only to the extent necessary.

  • Business transfers

    In the event of a merger, acquisition, or sale of assets — you will be notified before information is transferred and becomes subject to a different privacy policy.

A.5.19 / A.5.20Information security in supplier relationships

7.International Transfers

CRS operates primarily in South Africa, but our cloud infrastructure providers may process data in other jurisdictions (including the European Union, United States, and United Kingdom).

When personal information is transferred outside South Africa, CRS ensures adequate protection is in place by:

  • Using providers subject to equivalent privacy protections (EU GDPR, UK DPA, US Privacy Shield successor frameworks)
  • Incorporating standard contractual clauses or data processing agreements that bind recipients to POPIA-equivalent obligations
  • Conducting transfer impact assessments for high-risk transfers as part of our ISO 27001 ISMS risk treatment
A.5.34Cross-border PII transfer controls

8.Retention Periods

We retain personal information only for as long as necessary to fulfil the purposes described in this Notice, or as required by law. Our retention schedule (maintained under ISO 27001 Annex A Control A.8.10) includes:

CategoryRetention PeriodRationale
Active partner / client recordsDuration of relationship + 5 yearsContractual and audit requirements
Training bookings and certifications7 yearsSARS and Companies Act retention obligations
Marketing contact data3 years from last interaction or until opt-outPOPIA legitimate interest / consent basis
Authentication logs12 months rollingISO 27001 ISMS audit trail (A.8.15)
Security incident records3 yearsISO 27001 A.5.24 — incident management
Recruitment records (unsuccessful)6 months post-decisionPOPIA s.13 — data minimisation
Website analytics14 monthsGoogle Analytics / Vercel Analytics default retention

On expiry, personal information is securely deleted or anonymised in line with our Data Disposal Procedure (ISO 27001 Control A.8.10).

9.Security Measures

CRS operates an ISO/IEC 27001:2022 certified Information Security Management System. The following controls are applied to protect personal information:

A.8.3

Information access restriction

Role-based access control — staff access only the data they need for their function.

A.8.5

Secure authentication

Passwordless magic-link authentication; multi-factor authentication for administrative systems.

A.8.20

Network security

Web application firewall, DDoS protection, and TLS 1.3 encryption in transit on all endpoints.

A.8.24

Encryption

Data encrypted at rest in Supabase (AES-256) and in transit via TLS. No plain-text storage of credentials.

A.8.15

Logging and monitoring

Authentication events, admin actions, and API calls logged and retained for 12 months.

A.5.24

Incident management

Formal incident response procedure — data breaches reported to the Information Regulator within 72 hours where required.

A.6.3

Staff awareness

All staff receive annual privacy and information security awareness training.

A.5.19

Supplier controls

All cloud sub-processors are subject to security assessments and contractual data protection obligations.

No system is completely immune to risk. If you believe your personal information has been compromised, please contact us immediately at privacy@cyberretaliatorsolutions.com.

10.Your Rights

Under POPIA, you have the following rights in relation to your personal information. CRS will respond to all subject requests within 30 days of receipt (extendable by a further 30 days in complex cases, with notice).

Right of access

Request confirmation of whether we hold your personal information and receive a copy of it (POPIA s.23).

How to exercise: Submit a PAIA/POPIA access request form or email our Privacy Officer.

Right to correction

Request correction or deletion of inaccurate, irrelevant, excessive, or out-of-date information (POPIA s.24).

How to exercise: Email our Privacy Officer with the specific corrections required.

Right to object (opt-out)

Object to processing based on legitimate interests, particularly direct marketing (POPIA s.11(3)).

How to exercise: Use the unsubscribe link in any email or contact our Privacy Officer.

Right to withdraw consent

Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

How to exercise: Email our Privacy Officer referencing the specific consent you are withdrawing.

Right to complain

Lodge a complaint with the Information Regulator if you believe we have processed your information unlawfully.

How to exercise: See Section 14 for contact details of the Information Regulator.

We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.

11.Cookies and Tracking Technologies

Our website uses the following types of cookies and similar technologies:

TypePurposeConsent Required
Strictly necessaryAuthentication session tokens, security tokens, CSRF protectionNo — essential for site function
FunctionalTheme preference (dark/light mode), language settingsNo — stores only UI preferences
AnalyticsVercel Analytics — aggregated, privacy-preserving page view dataYes — consent-based, no cross-site tracking
Third-partyNone currently. Any future addition will be disclosed and consented to.Yes — prior to implementation

You can manage cookie preferences through your browser settings. Blocking strictly necessary cookies may affect the functionality of the Partner Portal.

12.Children's Privacy

Our services are directed at businesses and professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided personal information without appropriate parental or guardian consent, we will delete it promptly. Parents or guardians with concerns should contact our Privacy Officer immediately.

A.5.34Special categories of PII — minors

13.Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will:

  • Post a prominent notice on our website at least 14 days before the change takes effect
  • Send an email notification to registered Partner Portal users
  • Update the 'Last updated' date at the top of this Notice

Continued use of our services after the effective date constitutes acceptance of the updated Notice.

14.Contact and Complaints

14.1 CRS Privacy Officer

Cyber Retaliator Solutions — Privacy Officer

privacy@cyberretaliatorsolutions.com

Please include your full name, contact details, and a clear description of your request or concern. We aim to respond within 5 business days of acknowledgement.

14.2 Information Regulator of South Africa

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Regulator at no charge:

Information Regulator (South Africa)

inforeg@justice.gov.za+27 12 406 4818

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

This Privacy Notice was prepared in accordance with:

  • Protection of Personal Information Act, 4 of 2013 (POPIA), Republic of South Africa
  • ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection
  • ISO/IEC 27701:2019 — Privacy Information Management
  • Promotion of Access to Information Act, 2 of 2000 (PAIA)

Version:1.0  | Effective: 29 June 2026 | Next review: June 2027

Questions about your data?

Our Privacy Officer responds within 5 business days.