Privacy Policy
Gaia Kreativ Agency (Pty) Ltd
Effective date: 11 July 2026
Last updated: 11 July 2026
Gaia Kreativ Agency (Pty) Ltd (“Gaïa”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have in relation to it.
This policy covers:
- Our website — gaiakreativ.co.za (the “Website”);
- The Gaïa OS web application — our internal operations platform for staff and invited collaborators (the “Web App”); and
- The Gaïa iOS application — our companion mobile app (the “iOS App”).
Together, the Web App and iOS App are referred to as the “Apps”, and the Website and the Apps together as the “Services”.
We process personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa. Where users are located in the European Economic Area or the United Kingdom, we also aim to meet the standards of the GDPR / UK GDPR.
1. Who we are (Responsible Party / Data Controller)
Gaia Kreativ Agency (Pty) Ltd
5 Anton Van Niekerk Dr, Faerie Glen, Pretoria, South Africa
Email: hi@gaiakreativ.co.za
Phone: +27 72 322 5235
For the purposes of POPIA, Gaia Kreativ Agency (Pty) Ltd is the responsible party.
Information Officer: Marco Inward — marco@gaiakreativ.co.za
2. Who this policy applies to
- Website visitors — anyone browsing gaiakreativ.co.za;
- Team members — Gaïa staff with @gaiakreativ.co.za accounts using the Apps;
- Invited collaborators — external freelancers, vendors, and client contacts invited into the Apps by a workspace administrator;
- Business contacts — client and vendor representatives whose contact details we hold in the course of running our agency;
- Prospective clients — people who contact us through the Website or by email.
3. Information we collect
3.1 Website (gaiakreativ.co.za)
When you browse the Website we may collect:
- Contact details you submit — if you contact us via a form or email link (name, email address, phone number, company, and the content of your message);
- Technical data — IP address, browser type, device type, and pages viewed, collected through our website hosting platform’s standard logs and cookies (see section 8, Cookies).
3.2 Account and profile information (Apps)
When an account is created in the Apps, we collect:
- Registration details — first name, last name, email address, and password. Passwords are hashed by our authentication provider; we never see or store your password in plain text.
- Profile details — job title, phone number, profile photo (avatar), and timezone.
- Account role and type — your role (owner, administrator, or member) and account type (internal team member, external collaborator, or vendor).
- Work settings — where applicable to internal staff: hourly cost, hourly rate, and daily capacity, set by workspace administrators for planning and billing purposes.
- Preferences — notification preferences (including quiet hours), interface preferences, and theme settings.
- Activity data — the date and time you were last active in the Apps.
3.3 Workspace and operational data (Apps)
In the course of using the Apps, the following data linked to your account is created and stored:
- Projects and tasks — task titles, descriptions, assignments, due dates, statuses, and review requests;
- Comments and mentions — comments you post on tasks and @mentions of other users;
- Time tracking — timers you start and stop, time entries, durations, billable status, and rate snapshots;
- Calendar events — studio calendar events, event types, and availability/absence records;
- Files and documents — files, task attachments, project documents, and logos you upload;
- Expenses — expense amounts, descriptions, categories, and receipt references;
- Notifications — in-app notifications generated by activity relevant to you.
3.4 Client and vendor contact information
As a creative agency, we hold business contact information for our clients and vendors in the Apps, including names, email addresses, phone numbers, job titles, billing addresses, and VAT numbers. We process this information for legitimate business purposes — managing projects, communication, and invoicing.
3.5 Invitations
When a workspace administrator invites someone to the Apps, we process the invitee’s email address, intended role and account type, and (where applicable) the project they are invited to. Invitation emails are sent through our email delivery provider.
3.6 iOS App — device permissions and on-device data
The iOS App requests the following permissions, all of which are optional:
- Camera — used only to take a profile photo. Photos are resized and compressed on your device before upload; the original photo is not retained by the App.
- Photo library — used only to choose a profile photo. We access only the photo you select.
- Calendar (Apple Calendar / EventKit) — used only if you enable the optional “Sync to Apple Calendar” feature. When enabled, the App writes your Gaïa studio events into a dedicated “Gaïa” calendar on your device. The App does not read, collect, or upload your personal calendar events to our servers. Calendar sync is one-way (Gaïa to your device) and can be switched off at any time in your profile settings.
The iOS App stores the following data locally on your device:
- Your authentication session, stored securely in the iOS Keychain;
- Calendar sync state (whether sync is enabled, a map of synced event identifiers, and the last sync time), stored in the App’s local preferences.
The iOS App does not request access to your location, contacts, microphone, or health data, and does not use Apple’s App Tracking Transparency framework because it performs no cross-app tracking.
3.7 Information we do not collect
- We do not use advertising trackers, advertising identifiers, or cross-site/cross-app tracking in the Apps.
- We do not run third-party analytics scripts (such as Google Analytics or similar) in the Apps.
- We do not sell personal information to anyone, and we never will.
- We do not knowingly collect special personal information (as defined in POPIA) or information about children.
4. How we use your information
We use personal information for the following purposes:
- To provide and operate the Services — creating your account, authenticating you, and showing you your tasks, calendar, and files. Legal basis: performance of a contract; legitimate interests.
- To run our studio operations — assigning work, tracking time, planning workload, and managing projects and clients. Legal basis: legitimate interests; performance of a contract.
- To communicate with you — invitation emails, account confirmation emails, and password reset emails. Legal basis: performance of a contract; legitimate interests.
- For billing and financial administration — time entries, rates, expenses, and client invoicing. Legal basis: legitimate interests; legal obligation.
- To keep the Services secure — authentication, session management, and access control. Legal basis: legitimate interests; legal obligation.
- To respond to enquiries — replying when you contact us through the Website or by email. Legal basis: consent; legitimate interests.
- To comply with the law — tax, accounting, and record-keeping obligations. Legal basis: legal obligation.
Where we rely on consent (for example, iOS camera, photo library, or calendar permissions), you may withdraw that consent at any time via your device settings or in-app settings, without affecting the lawfulness of processing before withdrawal.
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.
5. Who we share your information with
We do not sell or rent personal information. We share it only with:
5.1 Service providers (operators / processors)
We use a small number of trusted service providers to run the Services. Each processes personal information only on our instructions:
- Supabase — our application backend: authentication, database, file storage, and realtime updates for the Apps, hosted in the EU (Stockholm, Sweden). Processes account, profile, and all workspace data described in section 3.
- Resend — transactional email delivery (workspace invitation emails). Processes invitee name and email address and invitation details.
- Vercel — hosting of the Web App. Processes technical request data (IP address, request logs).
- Webflow — hosting of the Website. Processes technical request data and any details submitted through Website forms.
- Apple — app distribution (App Store) and on-device services (Keychain, EventKit). On-device only; Apple’s own services are governed by Apple’s privacy policy.
5.2 Other users of your workspace
The Apps are collaborative. Your name, avatar, job title, and your activity within the workspace (tasks, comments, time entries, calendar events, files you upload) are visible to other members of the same workspace in accordance with their access permissions. Financial fields such as hourly cost and rate are visible only to workspace administrators.
5.3 Shared links
Some features generate shareable links (for example, sharing a project document with a client). Anyone who has such a link can view the shared content without signing in. Share links use long, unguessable tokens, and access can be revoked by disabling the share. Similarly, files uploaded to the Apps (such as avatars and attachments) are served from storage URLs that are accessible to anyone in possession of the exact URL. Please treat shared links as confidential and only send them to intended recipients.
5.4 Legal disclosures
We may disclose personal information where required by law, regulation, court order, or a lawful request by a public authority, or where necessary to protect our rights, safety, or property or those of others.
5.5 Business transfers
If Gaia Kreativ Agency (Pty) Ltd is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users of any change in ownership or use of their personal information.
6. International transfers
We are based in South Africa. Our application backend (Supabase), including our database and file storage, is hosted in the European Union (EU North region — Stockholm, Sweden). Our other service providers (including Resend, Vercel, and Webflow) may store or process data on servers located outside South Africa, including in the European Union and the United States.
Where personal information is transferred across borders, we do so in accordance with section 72 of POPIA — relying on providers that are subject to laws or binding agreements providing an adequate level of protection substantially similar to POPIA (such as the GDPR, which applies to our EU-hosted infrastructure), or standard contractual protections in our agreements with them.
7. How long we keep your information
We keep personal information only as long as necessary for the purposes described in this policy:
- Account and workspace data — retained while your account is active. When an account is deactivated, the account can no longer be used to sign in; associated operational records (tasks, comments, time entries) are retained as part of our business records because they form part of project and billing history.
- Invitations — invitation records expire and unaccepted invitations are periodically cleared.
- Financial records — time entries, expenses, and billing-related data are retained for the periods required by South African tax and company law (generally at least 5 years).
- Website enquiries — retained for as long as needed to handle your enquiry and any follow-up.
You may request deletion of your personal information as described in section 10; we will delete it unless we are legally required or entitled to retain it.
8. Cookies and local storage
8.1 Website
The Website is hosted on Webflow and may set cookies necessary for its operation and basic functionality. If we introduce analytics or marketing cookies on the Website in future, we will update this policy and, where required, ask for your consent.
8.2 Web App
The Web App uses only strictly necessary cookies — session cookies set by our authentication provider (Supabase) to keep you signed in securely. These cookies are essential for the Web App to function and cannot be switched off within the App. We do not use advertising or third-party analytics cookies in the Web App.
The Web App also stores your interface preferences (such as light/dark theme) in your browser’s local storage. This data never leaves your browser.
8.3 iOS App
The iOS App does not use cookies. Local data storage on your device is described in section 3.6.
9. How we protect your information
We take reasonable, appropriate technical and organisational measures to secure personal information against loss, damage, unauthorised access, and unlawful processing, including:
- Encryption of data in transit (HTTPS/TLS) for all Services;
- Encryption of data at rest by our backend provider;
- Password hashing — we never store plain-text passwords;
- Row-level security on our database, so users can only access data belonging to their own workspace;
- Role-based access control within workspaces (owner / administrator / member, internal / external / vendor account types);
- Secure credential storage on iOS via the system Keychain;
- Restriction of privileged (administrative) database credentials to our servers only.
No system is completely secure. If we become aware of a data breach affecting your personal information, we will notify the Information Regulator and affected individuals as required by section 22 of POPIA.
10. Your rights
Under POPIA (and, where applicable, the GDPR) you have the right to:
- Access — request confirmation that we hold your personal information and request a copy of it;
- Correction — request that inaccurate or incomplete information be corrected (you can also edit most profile details directly in the Apps);
- Deletion — request deletion or destruction of personal information that we are not required to retain;
- Objection — object, on reasonable grounds, to the processing of your personal information;
- Withdraw consent — where processing is based on consent (such as iOS device permissions), withdraw it at any time;
- Portability (GDPR) — where applicable, receive your personal information in a structured, commonly used, machine-readable format;
- Complain — lodge a complaint with the Information Regulator (South Africa).
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: POPIAComplaints@inforegulator.org.za
Website: inforegulator.org.za
To exercise any of these rights, contact us at hi@gaiakreativ.co.za. We may need to verify your identity before acting on a request. We will respond within a reasonable time and in any event within the timeframes required by applicable law.
If you are a collaborator invited into our workspace by a client or another organisation, some requests may need to be coordinated with the workspace administrator.
11. Children
The Services are business tools intended for people aged 18 and over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Third-party links
The Website and Apps may contain links to third-party websites and services (for example, links opened in your browser). We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policies of any third-party services you visit.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page shows when it was last revised. For material changes, we will provide notice through the Services or by email. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.
14. Contact us
If you have any questions about this Privacy Policy or how we handle your personal information:
Gaia Kreativ Agency (Pty) Ltd
5 Anton Van Niekerk Dr, Faerie Glen, Pretoria, South Africa
Email: hi@gaiakreativ.co.za
Phone: +27 72 322 5235
Information Officer: Marco Inward — marco@gaiakreativ.co.za