SecureWeb — Privacy & Data Protection Policy
Last updated: January 2026
⸻
1. Our Commitment to Privacy
SecureWeb is committed to protecting the personal and business data entrusted to us.
We design our services to align with:
• Zimbabwe’s Cyber and Data Protection Act [Chapter 12:07] (CDPA)
• Relevant African regulatory frameworks that apply to our clients
• International data protection best practices and security standards
SecureWeb (Stuxweb (Private) Limited, trading as SecureWeb) is a Zimbabwe-registered company. For most of our own operations (website, marketing, client relationship management), we act as a data controller. When we work for clients, we may act as a data processor and/or outsourced DPO on their behalf.
⸻
2. Data We Collect
We aim to collect only what we need.
We may collect:
• Contact information – name, role, email address, phone/WhatsApp
• Business-related information – organisation name, sector, systems and risk context
• Website usage data – IP address, device and browser type, pages visited, basic analytics
• Information you submit – via consultation forms, readiness questionnaires, training sign-ups or newsletter forms
We do not knowingly collect unnecessary or excessive personal data, and we do not intentionally collect personal data directly from children through this website.
⸻
3. How We Use Data
We use data to:
• Deliver and improve our services – consultancy, Compliance-in-a-Box, DPO-as-a-Service, training and advisory work
• Respond to enquiries and consultations – including preparing proposals and statements of work
• Provide compliance and security support – including assessments, recommendations and reporting
• Communicate with you – about projects, events, service updates and, where you agree, educational content or newsletters (with opt-out available at any time)
• Analyse website performance and usage trends – to improve content, usability and security
We rely on lawful bases such as:
• Performance of a contract or steps taken at your request
• Compliance with legal and regulatory obligations
• Our legitimate interests in operating, securing and improving our services
• Your consent, where we use it for optional communications (which you may withdraw at any time)
⸻
4. Roles and Responsibilities (Controller vs Processor)
When we provide services to organisations:
• The client remains the Data Controller – they decide what personal data is collected and why.
• SecureWeb acts as a Data Processor and advisor – we process data only on the client’s documented instructions, or as an outsourced DPO where formally appointed.
• We encourage clients to minimise and pseudonymise personal data shared with us wherever possible.
For our own website, mailing lists, business development and internal operations, SecureWeb is the Data Controller for the personal data we hold about you.
SecureWeb does not sell client or visitor data.
⸻
5. Cross-Border Processing and Cloud Services
SecureWeb is based in Zimbabwe but operates using reputable cloud service providers (for example, Google Workspace, Microsoft 365 and similar tools). These providers may host data on servers located outside Zimbabwe, including in the European Union and the United States.
In addition, some members of the SecureWeb team may access systems and client information from outside Zimbabwe when providing remote services.
This means certain personal data may be stored, processed or accessed outside Zimbabwe, which is treated as cross-border processing under the CDPA and related guidelines.
We manage this by:
• Selecting providers with strong security controls and recognised certifications
• Reviewing and relying on their published data protection and data processing terms
• Limiting the personal data we store in generic cloud tools and avoiding unnecessary sensitive data
• Enforcing strict access controls, unique accounts, least-privilege permissions and multi-factor authentication (MFA)
• Conducting appropriate risk assessments and, where required, Data Protection Impact Assessments (DPIAs)
• Putting contractual safeguards in place with service providers and, where necessary, with clients
Where the law requires express consent for certain cross-border transfers or for processing of sensitive data, we will obtain that consent separately and explain the purpose, main destinations and safeguards in plain language.
⸻
6. Security Measures
We apply reasonable and appropriate technical and organisational safeguards, including:
• Role-based access controls and strong authentication (including MFA on key systems)
• Monitoring, logging and investigation of suspicious activity
• Secure cloud architecture and configuration
• Encryption in transit and at rest where appropriate
• Managed password and secrets management
• Governance oversight by experienced security and data protection professionals
• Staff awareness and training on security and confidentiality
No system is completely secure, but we continuously work to reduce risk to a level that is proportionate to the data and services we handle.
If we become aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will assess the incident and, where required, notify the relevant Authority and affected clients, in line with legal requirements.
⸻
7. Data Retention
We retain data only as long as necessary to:
• Fulfil service and contractual obligations
• Meet legal and regulatory requirements (including record-keeping)
• Resolve disputes or enforce agreements
• Maintain appropriate business and audit records
Typical retention periods may include:
• General enquiries and contact forms – up to 2 years from last interaction
• Client engagement records and key correspondence – usually up to 7 years after the end of the engagement, unless longer retention is required by law or justified for legal defence
• Training and event attendance lists – up to 3 years, unless you stay on our mailing list by consent
When data is no longer needed, we securely delete or irreversibly anonymise it.
⸻
8. Data Subject Rights
Where applicable under the CDPA and other data protection laws, individuals may request:
• Access – a copy of the personal data we hold about them
• Correction – rectification of inaccurate or incomplete data
• Deletion – erasure of data in certain circumstances
• Restriction – limitation of processing in specific situations
• Objection – to certain types of processing, including direct marketing
• Withdrawal of consent – where we rely on consent (without affecting processing carried out before withdrawal)
Requests can be submitted via our contact channels (see section 11). We may need to verify your identity before responding.
Individuals also have the right to lodge a complaint with the Data Protection Authority in Zimbabwe. We encourage you to contact us first so we can try to resolve any concern directly.
⸻
9. Cookies & Analytics
SecureWeb uses:
• Essential cookies – to enable core site functionality and security
• Analytics tools – to understand how the site is used and to improve performance and content
You can control or disable cookies through your browser settings. If we introduce non-essential cookies (for example, for marketing), we will provide a clear notice and, where required, ask for your consent.
⸻
10. Third Parties and Sharing
We may engage trusted third-party service providers such as:
• Hosting and cloud infrastructure providers
• E-mail and communication platforms
• Customer relationship and project management tools
• Accounting and billing services
• Security and analytics providers
These third parties only receive data to the extent necessary for them to deliver their services to us and are bound by contractual and legal safeguards, including confidentiality and appropriate technical and organisational measures.
We do not share personal data beyond what is necessary for service delivery, legal compliance, or the protection of our rights, our clients and individuals. We do not sell personal data.
⸻
11. Updates and Contact
We may update this Policy from time to time. Material changes will be reflected on this page with an updated “Last updated” date, and where appropriate we may provide a more prominent notice.
If you have questions, requests or concerns about this Policy or how we handle data, please contact:
E-mail: privacy@secureweb.org.zw
Website: https://secureweb.org.zw