CloudMonkey — Privacy Policy

Version 1.0 · Effective date: 1 May 2026 · CloudMonkey (Pty) Ltd, South Africa

              Your rights under POPIA. The Protection of Personal Information Act 4 of 2013 ("POPIA") gives you the right to know what personal information we hold about you, to request access, correction, or deletion of that information, and to object to its processing. See Section 9 for how to exercise these rights.
            

1. Who We Are

Responsible Party: CloudMonkey (Pty) Ltd ("CloudMonkey", "we", "our", "us"), a company registered in South Africa.

Information Officer: Our Information Officer can be reached at privacy@cloudmonkey.co.za. The Information Officer is responsible for ensuring CloudMonkey's compliance with POPIA.

2. Information We Collect

We collect personal information only for a specific, defined purpose and only to the extent necessary for that purpose ("data minimality" under POPIA).

2.1 Information You Provide Directly

Category	Examples	Why We Collect It
Identity	Full name, company name	Account creation, billing, support
Contact	Email address, phone number	Service delivery, notifications, support
Billing	Payment method type, EFT reference	Processing subscription payments
Technical onboarding	Domain name, application type, hosting provider, WhatsApp number	Environment provisioning
Support	Ticket content, attachments	Resolving technical issues
Credentials	Domain login credentials (if provided)	Infrastructure management on your behalf

We do not store full card numbers. Card payments are processed by Paystack, which is responsible for PCI-DSS compliance. We only store the payment status and reference provided by Paystack.

2.2 Information Collected Automatically

IP address and browser/device information (for security logging and fraud prevention)
Log data from your use of the CloudMonkey platform (pages visited, actions taken)
Session cookies and authentication tokens

2.3 Information from Third Parties

If you sign in via Google or Microsoft OAuth, we receive your name, email address, and profile picture from that provider.
Payment status information from Paystack (our payment processor).

3. How We Use Your Information

We process personal information only for lawful purposes and to the extent necessary to deliver, improve, and support our Services. Specifically:

Service delivery: provisioning infrastructure, configuring environments, and managing your subscription.
Billing: processing payments, issuing invoices, and managing recurring billing.
Communication: sending service updates, billing notifications, and support responses.
Security: detecting and preventing unauthorised access, fraud, and abuse.
Legal compliance: meeting our obligations under POPIA, ECTA, and other applicable laws.
Service improvement: understanding how Customers use our platform to improve features (using aggregated, anonymised data).

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Legal Basis for Processing

Under POPIA, we process your personal information on the following grounds:

Contract performance: processing necessary to deliver the Services you have subscribed to.
Consent: where we have obtained your explicit consent (e.g., marketing communications).
Legitimate interest: security monitoring and fraud prevention, balanced against your rights.
Legal obligation: compliance with South African law.

5. Sharing Your Information

We share personal information only with trusted third parties ("operators" under POPIA) who assist us in delivering Services, and only under written data processing agreements that require them to maintain appropriate security measures.

Third Party	Purpose	Data Shared
Paystack	Payment processing	Name, email, amount
SMTP email provider	Transactional email	Name, email, message content
Cloud infrastructure providers (e.g., Hetzner)	Hosting customer environments	Technical configuration data
Google / Microsoft (OAuth)	Sign-in only	Name, email (received from provider)

We may disclose personal information if required by law, court order, or to protect the rights and safety of CloudMonkey or others.

6. Data Retention

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:

Active account data: retained for the duration of the subscription.
Billing records: retained for 5 years to meet tax and accounting requirements.
Support ticket history: retained for 3 years.
Security logs: retained for 12 months.

After termination of your account, we provide a 14-day window for you to export your data. After this window, personal information is securely deleted or anonymised, unless retention is required by law.

7. Security

CloudMonkey implements appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or alteration. These measures include:

Encryption of data in transit (TLS/HTTPS).
Hashed password storage (bcrypt).
Role-based access controls limiting internal access to personal data.
Regular security reviews of our infrastructure and codebase.

No security system is impenetrable. In the event of a data breach that is likely to result in serious harm, we will notify the Information Regulator and affected data subjects as required by POPIA Section 22.

8. Cookies

We use strictly necessary session cookies to maintain your authenticated session. We do not use third-party advertising or tracking cookies. You may disable cookies in your browser settings, but this will prevent you from logging in to the platform.

9. Your Rights Under POPIA

As a data subject under POPIA, you have the right to:

Access: request a copy of the personal information we hold about you.
Correction: request correction of inaccurate or incomplete personal information.
Deletion: request deletion of your personal information ("right to be forgotten"), subject to our legal retention obligations.
Object: object to the processing of your personal information on grounds relating to your particular situation.
Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Complain: lodge a complaint with the Information Regulator of South Africa if you believe your rights under POPIA have been violated.

To exercise any of these rights, email our Information Officer at privacy@cloudmonkey.co.za. We will respond within 30 days.

Information Regulator contact: www.justice.gov.za/inforeg | inforeg@justice.gov.za

10. Children's Privacy

Our Services are not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If you become aware that a minor has provided us with personal information without appropriate consent, please contact us immediately.

11. Cross-Border Transfers

Where CloudMonkey uses infrastructure providers or service operators outside South Africa, we ensure that such transfers comply with POPIA Section 72, which requires that the recipient country provides an adequate level of protection or that the transfer is subject to binding agreements that provide equivalent protection to that afforded under POPIA.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated by email to registered Customers at least 30 days before the revised policy takes effect. Continued use of our Services constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related queries or to exercise your POPIA rights, contact our Information Officer:

Email: privacy@cloudmonkey.co.za
General enquiries: hello@cloudmonkey.co.za