Privacy Policy.

Effective: 2026-05-01 · Version 1.0

1. Who we are (the Controller)

"DataPortal" is the trading name shared by two affiliated private companies. Each is a separate legal person with its own assets, liabilities, and contractual obligations. They share the DataPortal brand and operational standards, and the relevant entity for any specific engagement is identified in the signed contract:

• DataPortal (Pty) Ltd — a South African private company (Registration No. 2018/482671/07), registered office at Building A, Lower Floor, Jigsaw Park, 7 Einstein Street, Highveld Techno Park, Centurion 0157. Operating entity for African market engagements.
• DataPortal Ltd — a Hong Kong private company (Business Registration No. 80278829-000-04-26-8), registered office at Unit 2406, 24/F, Low Block, Grand Millennium Plaza, 181 Queen's Road Central, Sheung Wan, Hong Kong. Operating entity for international engagements outside Africa.

The relevant entity for any specific engagement is identified in the contract or order signed with that customer. For the marketing website itself, the entity in your jurisdiction is the Data Controller. For data processed inside customer portals on behalf of customers, we act as a Data Processor (see §10).

Privacy contact: info@dataportal.live

2. Scope of this policy

This policy covers personal data collected through the public marketing site web.dataportal.live, including contact form submissions, server logs, and analytics. Data processed inside individual customer portals is governed by the contract and Data Processing Agreement (DPA) signed with each customer, not by this policy.

3. Personal data we collect

We collect only what we need to operate the site and respond to enquiries:

• Contact form data — name, email address, optional company, optional phone, and the content of your message. Provided voluntarily by you.
• Technical / server log data — IP address, user agent string, requested URL, referrer, and timestamp. Logged automatically by Cloudflare and our edge.
• Aggregate analytics — anonymised page-view counts and country-level visitor data, processed at the edge by Cloudflare. No third-party trackers, no advertising cookies, no fingerprinting.

We do not knowingly collect data from children under 16. If you believe a minor has submitted personal data, contact us and we will delete it.

4. Lawful basis for processing (GDPR Art. 6)

Where the EU/UK GDPR applies, we rely on the following lawful bases:

• Consent (Art. 6(1)(a)) — when you submit the contact form, you consent to us using your details to reply.
• Legitimate interests (Art. 6(1)(f)) — server logs and aggregate analytics, used for security, debugging, and improving the site. Our interest is balanced against your privacy rights.
• Contract (Art. 6(1)(b)) — where pre-contractual steps follow your enquiry.
• Legal obligation (Art. 6(1)(c)) — where retention or disclosure is required by law.

Where POPIA applies, processing is conducted in line with §11 of the Protection of Personal Information Act (consent, contract, legitimate interest of the responsible party).

5. How we use your data

• To respond to your enquiry and follow up on commercial discussions.
• To detect, prevent, and investigate abuse, fraud, or attacks against the site.
• To improve the structure, content, and performance of the site (in aggregate).
• To comply with legal obligations.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

6. How we share data

We share personal data only with the following categories of recipient, and only as needed:

• Cloudflare, Inc. — hosting, edge security, DDoS mitigation, anti-abuse. Acts as our processor under a DPA with Standard Contractual Clauses.
• Email infrastructure provider — to deliver replies to your enquiry.
• Group / sister entities (GotYou Telematics, Fuel Portal, MapsForDevs) — only where your enquiry is clearly relevant to one of them, and only with your consent.
• Legal and regulatory bodies — where required by law, court order, or to protect our rights.

We do not sell, rent, trade, or otherwise commercialise personal data.

7. International transfers

DataPortal operates from Hong Kong and South Africa, with infrastructure on Cloudflare's global edge network. Personal data may therefore be transferred across borders. Where we transfer personal data out of the EU/EEA, UK, or South Africa, we rely on:

• European Commission adequacy decisions where available.
• Standard Contractual Clauses (EU 2021/914) and the UK International Data Transfer Addendum.
• POPIA §72 protections for cross-border transfers from South Africa.

You may request a copy of the relevant transfer mechanism by emailing info@dataportal.live.

8. Retention

We keep personal data only as long as necessary:

• Contact form submissions — up to 24 months from last contact, then deleted or anonymised.
• Server logs — up to 30 days, longer only where required for security investigation.
• Aggregate analytics — kept indefinitely in fully anonymised form.
• Records required by law (tax, contract, regulatory) — kept for the period required by the applicable jurisdiction.

9. Your rights

Subject to the applicable law in your jurisdiction, you have the right to:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure ("right to be forgotten") — request deletion subject to retention obligations.
• Restriction — limit how we process your data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — at any time, without affecting prior lawful processing.
• Lodge a complaint — with your local data protection authority (see §13).
• POPIA-specific — request access, correction, deletion, or destruction of personal information under §23–§25.
• California residents (CCPA / CPRA) — right to know, delete, correct, opt-out of sale (we do not sell), and non-discrimination.

To exercise any right, email info@dataportal.live. We respond within 30 calendar days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before fulfilling the request.

10. Customer portal data (Processor role)

When DataPortal handles personal data inside customer portals — for example vehicle telemetry, driver records, fuel transactions, camera footage — we act as a Data Processor, and our customer (the operator) is the Data Controller. The terms of our processing are governed by the signed contract and DPA between DataPortal and that customer, not by this site policy.

If you are a driver, employee, or other data subject within a customer's deployment, please direct privacy requests to your operator first. We will support them in fulfilling the request.

11. Security

We implement organisational and technical measures appropriate to the risk, including: TLS 1.3 in transit, encryption at rest for production stores, access control, audit logging, principle-of-least-privilege, multi-factor authentication for staff, regular dependency and vulnerability scanning, and Cloudflare-level DDoS and bot mitigation. No system is perfectly secure; we maintain a documented incident response procedure.

12. Data breach notification

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (where required by GDPR), and affected individuals without undue delay (where required by GDPR, POPIA, or other applicable law).

13. Complaints

If you are not satisfied with our response, you may complain to:

• South Africa — Information Regulator (inforegulator.org.za)
• EU — your local Data Protection Authority (full list: edpb.europa.eu)
• UK — Information Commissioner's Office (ico.org.uk)
• Hong Kong — Office of the Privacy Commissioner for Personal Data (pcpd.org.hk)
• UAE — UAE Data Office
• Other jurisdictions — your local data protection authority

14. Cookies & tracking

This marketing site does not set tracking cookies, advertising pixels, or third-party analytics scripts. Cloudflare may set short-lived security cookies (e.g. __cf_bm) for bot detection, which expire within 30 minutes of inactivity. No cookie banner is required because no consent-requiring cookies are set.

15. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by a new "Effective" date and version number at the top of this page. Where you have an active relationship with us, we will notify you of material changes through your normal point of contact.

16. Contact

All enquiries (privacy, data protection, general): info@dataportal.live
WhatsApp: +27 81 341 8258

Hong Kong office:
Unit 2406, 24/F, Low Block, Grand Millennium Plaza,
181 Queen's Road Central, Sheung Wan, Hong Kong

South Africa office:
Building A, Lower Floor, Jigsaw Park,
7 Einstein Street, Highveld Techno Park, Centurion 0157

This policy is provided in good faith. It supplements, but does not replace, the contract and Data Processing Agreement that governs each customer engagement. If a conflict arises between this policy and a signed agreement, the signed agreement prevails for that customer's data.