Privacy Policy
Last updated 14 April 2026 · Version 1.1
1. Who we are
RankSmith ("RankSmith", "we", "us", "our") is a digital agency operated by Tapnet Solutions (Pty) Ltd, a South African company. RankSmith builds premium Next.js websites and runs ranking programmes for brands in South Africa and abroad. Tapnet Solutions (Pty) Ltd is the responsible party as defined in the Protection of Personal Information Act 4 of 2013 ("POPIA"). This policy applies to ranksmith.co.za and to any engagement between RankSmith and a client.
Responsible party: Tapnet Solutions (Pty) Ltd
Information Officer: Wynand de Beer
Phone: 079 174 8357
Email: wynand@tapnet.co.za
Registered office: 594 Bombani Street, Elarduspark, Pretoria, 0181, South Africa
2. What personal information we collect
2.1 Information you provide directly
- Contact form data (/contact): Your full name, email address, company, budget band, starting point, and the short brief you write.
- Audit request data (/audit): Your full name, email address, optional phone or WhatsApp number, company, the website to audit, optional budget, and the focus of the audit.
- Booking data (/book): Your full name, email address, optional phone number, company, the topic of the call, and the date and time you select.
- Engagement data: For clients in an active engagement, the contact details of the primary decision maker, billing details, and any personal information included in briefs or content.
- Correspondence: Emails, call notes, and messages exchanged during a strategy call or active engagement.
2.2 Information collected automatically
- Analytics data: With your consent, aggregated page views, navigation paths, and performance metrics through Vercel Analytics and Vercel Speed Insights. No personal identifiers are collected.
- Server logs: Standard web server logs for security and abuse monitoring, retained for 30 days.
- IP address (hashed): When you submit a form, your IP address is passed through a salted SHA-256 hash before storage. The raw IP is never persisted. The hash is used for rate limiting and spam prevention: it lets us group abuse events without being able to recover the underlying address.
- User agent and referer: Truncated to 500 characters, stored alongside submissions for security investigation.
- Cookies: A small number of first party cookies. See Section 9.
3. Why we collect your information
| Data | Purpose | Legal basis |
|---|---|---|
| Contact form data | Respond to your brief, prepare for a strategy call | Consent |
| Engagement data | Deliver the services you hired us to deliver | Contract performance |
| Analytics data | Understand site performance, measure Core Web Vitals | Consent (via cookie banner) |
| Server logs | Security, abuse prevention, incident investigation | Legitimate interest |
| Consent cookie | Record your cookie choice so we do not ask twice | Legitimate interest + POPIA obligation |
4. Who we share your information with
We share personal information only with the operators listed in our Operator Agreements page, and only to the extent necessary. We do not sell, rent, or trade personal information.
5. Cross border data transfers
Some of your personal information is stored and processed outside of South Africa. We use international cloud service providers because they provide the reliability, edge network, and security guarantees our clients need.
5.1 Where your data is stored
| Processor | Purpose | Location |
|---|---|---|
| Neon | PostgreSQL database (form submissions, bookings, admin) | Frankfurt, Germany (EU) |
| Upstash | Redis for rate limiting (hashed identifiers only) | Ireland (EU) |
| Vercel | Application hosting and edge delivery | Global edge, primary compute US and EU |
| Google Workspace | Email and calendar for business correspondence | US and EU (Google global infrastructure) |
See the Operator Agreements page for the full operator list, the Data Processing Agreements in place, and each operator's security certifications.
5.2 How we protect data during transfers (Section 72 of POPIA)
POPIA permits the transfer of personal information outside of South Africa where one or more of the conditions in Section 72 are met. We rely on all of the following, collectively, for every transfer:
- Adequate protection (s72(1)(a)): Our database and rate limit infrastructure are hosted in the European Union, which is subject to the General Data Protection Regulation (GDPR). GDPR provides a level of protection substantially similar to, and in many respects stronger than, POPIA, including binding rules on onward transfer, breach notification, and data subject rights.
- Binding contractual agreements (s72(1)(a)): Data Processing Agreements with every operator contractually bind them to protection standards equivalent to POPIA. This includes contractual clauses addressing confidentiality, security, sub processor management, breach notification, and return or deletion on termination.
- Your explicit consent (s72(1)(b)): By ticking the consent checkbox on a form before submission, you explicitly consent to the cross border transfer of your personal information to the processors listed in Section 5.1.
- Contract performance (s72(1)(c)): The transfer is necessary to perform the service you are requesting (responding to your brief, running the audit, confirming the call).
5.3 Your right to object
If you object to cross border transfer of your personal information, email wynand@tapnet.co.za. We will explore South African hosting alternatives with you where commercially reasonable. In some cases we may not be able to deliver the service if cross border transfer is refused, and we will tell you before you commit to anything.
6. How long we keep your information
| Data type | Retention period |
|---|---|
| Contact form submissions | 24 months from submission |
| Audit request submissions | 24 months from submission |
| Bookings (confirmed or cancelled) | 24 months from the booked date |
| Engagement correspondence | Duration of engagement plus 5 years (tax law) |
| Invoices and financial records | 5 years from creation (South African tax law) |
| Hashed IPs and user agents on submissions | 12 months, then automatically deleted |
| Rate limit state (Redis) | Up to 24 hours rolling window, automatically expired |
| Admin audit log | 24 months, then automatically deleted |
| Analytics data | 24 months, then automatically deleted |
| Consent records | 12 months from your last choice |
| Server logs | 30 days |
When data is deleted, it is destroyed so it cannot be reconstructed, in accordance with Section 14(4) of POPIA.
7. Your rights under POPIA
As a data subject, you have the right to:
- Access: Request a copy of all personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Object: Object to the processing of your personal information on reasonable grounds
- Withdraw consent: Withdraw any consent you have given, at any time, including analytics cookie consent via the Cookie settings link in the footer
- Complain: Lodge a complaint with the Information Regulator
To exercise any of these rights, email wynand@tapnet.co.za with the subject line "POPIA request". We respond within 30 days, free of charge.
Information Regulator (South Africa)
Email: enquiries@inforegulator.org.za
Website: https://inforegulator.org.za
8. Security
- All traffic served over HTTPS (TLS encryption in transit)
- Strict security headers: Content Security Policy, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS, COOP, CORP
- Database (Neon) uses TLS connections with channel binding, row level encryption at rest, and automated point-in-time backups
- Raw IP addresses are never persisted. IPs are hashed with a secret salt before storage (SHA-256)
- Admin access is protected by a server side encrypted session cookie (iron-session), bcrypt password hashing at cost factor 12, and rate limited login (5 attempts per 15 minutes per IP)
- Every admin action is recorded in an append only audit log
- Public forms are protected by per IP rate limiting, honeypot fields, a minimum submission time window, and origin verification to defend against cross site abuse
- No client side storage of personal data beyond the consent cookie
- All engagement files stored in encrypted cloud storage with access restricted to the engagement lead
- Access to any production system is revoked within one working day of an engagement ending
- Third party operators used for hosting, database, and productivity are all SOC 2 or equivalent certified
9. Cookies
9.1 Strictly necessary cookies
- ranksmith-consent - records your cookie preferences. Set only after you click a button on the cookie banner. Expires after 12 months.
- rs_admin_sess - encrypted admin session cookie. Only set for authenticated admin users on the /admin area. Never set for public visitors. HttpOnly, SameSite=Lax, Secure in production. Expires after 8 hours.
9.2 Analytics cookies (require consent)
- Vercel Analytics and Vercel Speed Insights - aggregated page views, navigation, and Core Web Vitals. No personal identifiers. Only loaded after you opt in through the cookie banner.
9.3 Marketing cookies
We do not set marketing cookies and we do not use any third party advertising or remarketing tags.
You can manage your cookie preferences at any time via the Cookie settings link at the bottom of every page.
10. Direct marketing
We do not run a marketing newsletter. If that ever changes, we will only send marketing communications to users who have explicitly opted in, and every email will include a one click unsubscribe. Transactional emails (responses to your brief, invoices, engagement updates) are not marketing and will be sent as part of the service.
11. Children
RankSmith's services are intended for businesses and adults. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will delete it.
12. Data breach notification
If we become aware of a security breach that compromises your personal information, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with Section 22 of POPIA. Notifications will include the nature of the breach, potential consequences, and recommended protective measures.
13. Changes to this policy
We may update this privacy policy from time to time. If we make material changes we will announce them on this page and, where appropriate, by email to active clients. Continued use of the site or an engagement after an update constitutes acceptance of the updated policy.
14. Contact us
- Responsible party: Tapnet Solutions (Pty) Ltd
- Information Officer: Wynand de Beer
- Phone: 079 174 8357
- Email: wynand@tapnet.co.za
- Registered office: 594 Bombani Street, Elarduspark, Pretoria, 0181, South Africa