Quicka← Back to home

Privacy Policy

How we collect, use and protect your personal information — and the rights you have under POPIA.

Last updated: 6 May 2026

1. Who we are (the Responsible Party)

The Responsible Party for the personal information processed via quicka.website is Quicka (Pty) Ltd ((Pty) Ltd, registration 2016/112724/07), trading as “Quicka”, with registered office at 57 Aries Avenue, Sundowner, Johannesburg, Gauteng, 2188, South Africa.

This Privacy Policy is issued in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”) of the Republic of South Africa.

2. Information Officer

Our Information Officer for POPIA purposes is Andre du Toit, Founder & Information Officer. You can reach the Information Officer at andre@quicka.website. The Information Officer is registered with the Information Regulator (South Africa).

3. What information we collect

We collect only what we need to provide and improve the service:

  • Account information — your email address, business name, city or area of operation, and the password you choose.
  • Business information you provide — your services or product descriptions, opening hours, WhatsApp number, social-media handles, and any photos or logo you upload.
  • Payment metadata — your name and email pass through PayFast to us. We never see or store your card details. PayFast handles all payment information directly under their PCI-DSS-compliant systems.
  • Service-related data — IP address, browser type, interactions with our site (so we can detect fraud, debug issues, and improve the service).
  • Lead messages forwarded by your generated site — when a visitor uses your contact form, we relay the message to your inbox and store a copy temporarily so you can read it in your dashboard. Visitor data is your responsibility under POPIA, not ours.

4. Why we collect it

We use your personal information to:

  • Build and host your website
  • Register and renew your .co.za domain
  • Process your subscription payments via PayFast
  • Send service emails (welcome message, payment receipts, lead notifications, incidents, billing failures)
  • Provide support and respond to questions sent to our support address
  • Detect, prevent and address fraud, abuse and security incidents
  • Comply with our legal obligations (tax, accounting, regulatory requests)

We rely on the lawful processing grounds set out in section 11 of POPIA — most commonly your consent (when you sign up), the necessary performance of our contract with you, and our legitimate interest in operating a secure service.

5. Marketing communications

We will only send you marketing emails (e.g. announcements of new features, tips for getting more customers from your site) if you opt in. Every marketing email contains an unsubscribe link. Opting out of marketing does not affect service-related emails (receipts, password resets, security alerts), which we must send to operate your account.

6. Who we share your information with (Operators)

We use the following third parties (“Operators” under POPIA) to deliver the service. Each is contractually bound to process your information only on our written instructions and to maintain appropriate security safeguards.

  • PayFast (DPO Pty Ltd, South Africa) — processes all card payments and recurring debit orders. PCI-DSS Level 1 compliant. payfast.io/privacy
  • Vercel (Vercel Inc., United States) — hosts the Quicka application platform. Servers may be located in the United States and European Union. vercel.com/legal/privacy-policy
  • Cloudflare (Cloudflare Inc., global) — delivers your generated website to visitors via a global content delivery network. cloudflare.com/privacypolicy
  • Supabase (Supabase Inc., United States — to be deployed soon) — stores account, site and lead data. We will choose the European Union (EU) region to keep data closer to South Africa. supabase.com/privacy
  • Resend (Resend Inc., United States — to be deployed soon) — delivers transactional emails (receipts, lead notifications, password resets). resend.com/legal/privacy-policy
  • Anthropic (Anthropic PBC, United States — for AI generation) — receives the textual answers from your build flow to generate site copy. Photos and personal information beyond business name and city are not sent to Anthropic. anthropic.com/legal/privacy
  • Absolute Hosting (Pty Ltd, South Africa) — registers your .co.za domain through their ZACR-accredited registrar service. absolutehosting.co.za

7. Cross-border transfers

Some of the Operators above are based outside South Africa. Where this is the case, we transfer your information under one of the lawful bases in section 72 of POPIA, typically:

  • The Operator is bound by binding corporate rules or contractual terms that provide an adequate level of protection (we use the European Standard Contractual Clauses as a reference standard); or
  • The transfer is necessary for the performance of the contract between you and us; or
  • You have consented to the transfer.

8. How long we keep your information

  • While you are a customer: for the duration of your subscription.
  • After you cancel: we retain account and billing records for 5 years, in line with the Tax Administration Act requirements. Other information is deleted within 60 days unless we have a legal reason to keep it.
  • Lead messages: retained for 90 days to allow you to recover missed enquiries; deleted thereafter.

9. Security

We protect your information with industry-standard safeguards: encrypted transmission (TLS 1.2+), encrypted storage at rest, role-based access controls, secret rotation, and audit logging. PayFast handles all card information so we never store it ourselves.

If we ever suffer a security breach involving your personal information, we will notify both you and the Information Regulator without undue delay, as required by section 22 of POPIA.

10. Your rights under POPIA

You have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct anything inaccurate or incomplete.
  • Deletion — ask us to delete your personal information (subject to our legal retention obligations above).
  • Object — to processing based on legitimate interest, and to stop direct marketing.
  • Lodge a complaint with the Information Regulator if you believe we have not complied with POPIA. Contact details: inforegulator.org.za.

To exercise these rights, email andre@quicka.website. We respond within 30 days. Most simple requests (data export, account deletion) are completed faster.

11. Children

Quicka is for businesses and is not directed at children under 18. We do not knowingly process information about children. If you believe a child has provided us with personal information, please contact our Information Officer and we will delete it.

12. Cookies & analytics

We use a small number of strictly necessary cookies to operate the site (login sessions, CSRF protection). We do not use third-party advertising cookies or cross-site tracking. If we add product analytics in future, we will update this policy and offer an opt-out.

13. Changes to this Privacy Policy

We may update this Privacy Policy as the service evolves or the law changes. Material changes will be emailed to you at least 30 days in advance. The “Last updated” date at the top of this page reflects the most recent revision.

14. Contact us

For any privacy or POPIA question, email our Information Officer at andre@quicka.website or write to Quicka (Pty) Ltd at the registered office address above.