Privacy Policy

How Espresso collects, uses, and protects your personal information — and the rights you hold under South African, European, and United States law.

Last updated: 9 April 2026

Jurisdiction coverage: POPIA (South Africa) · GDPR / UK GDPR (EEA & UK) · CCPA/CPRA and US state laws

1. Introduction

Espresso Consulting (Pty) Ltd ("Espresso", "we", "us", or "our") is committed to protecting your personal information and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit https://espresso.consulting or engage with our services.

This policy is written to satisfy the requirements of the Protection of Personal Information Act 4 of 2013 (POPIA) applicable to South African residents, the General Data Protection Regulation (EU) 2016/679 (GDPR) applicable to residents of the European Economic Area and the United Kingdom, and applicable United States state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and similar legislation in other states.

By using this website or engaging our services, you acknowledge that you have read and understood this policy. If you do not agree with any part of this policy, please discontinue use of our website and services.

2. Who We Are

Espresso Consulting (Pty) Ltd is a boutique technology consultancy incorporated and operating in South Africa, with offices in Cape Town and Johannesburg. We provide technology consulting, custom software development, systems integration, and related professional services to businesses primarily in South Africa, with engagements that may extend to clients in Europe and the United States.

For the purposes of POPIA, Espresso is the Responsible Party in respect of personal information we process.

For the purposes of the GDPR, Espresso acts as the Data Controller in respect of personal data we process relating to EEA and UK data subjects.

3. Information We Collect

We collect personal information only to the extent necessary to deliver our services and operate our website responsibly.

Information you provide directly

Contact and enquiry information: name, email address, phone number, company name, and the nature of your enquiry when you submit a contact form or initiate a conversation through our website.

Engagement information: project briefs, business context, system descriptions, and related materials shared during a consulting engagement.

Communication records: correspondence by email, phone, or through our website chat interface.

Information collected automatically

Usage data: pages visited, time spent, referring URLs, browser type, operating system, and general geographic region, collected through analytics tools.

Device and connection data: IP address (anonymised where technically feasible), device type, and screen resolution.

Cookie data: session identifiers and preference data stored in cookies and similar technologies (see Section 9).

Information we do not collect

We do not collect special categories of personal information (such as health, racial or ethnic origin, religious belief, sexual orientation, or biometric data) through our website or in the ordinary course of our consulting work. If an engagement specifically requires handling such information, a separate data processing agreement will be established.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

• Responding to your enquiries and evaluating fit for a potential engagement.

• Delivering consulting services and fulfilling our contractual obligations to clients.

• Communicating about project status, proposals, and deliverables.

• Improving the quality and relevance of our website and services.

• Complying with applicable legal obligations.

• Protecting our rights and the security of our systems.

We do not sell your personal information to third parties. We do not use your information for automated individual decision-making or profiling that produces legal or similarly significant effects.

6. Your Rights

Your rights in relation to your personal information depend on the laws applicable in your jurisdiction. We honour all valid rights requests promptly and without charge, subject to applicable exemptions.

South African residents — POPIA

• Right of access: you may request confirmation of whether we hold your personal information and a copy of that information.

• Right to correction: you may request correction of inaccurate, incomplete, or out-of-date personal information.

• Right to deletion: you may request deletion of personal information we are no longer entitled to retain.

• Right to object: you may object to processing based on legitimate interest.

• Right to lodge a complaint: you may lodge a complaint with the Information Regulator of South Africa at inforeg.org.za.

EEA and UK residents — GDPR / UK GDPR

• Right of access (Article 15): the right to obtain a copy of your personal data and information about how it is processed.

• Right to rectification (Article 16): the right to have inaccurate data corrected.

• Right to erasure (Article 17): the right to have your data deleted where there is no legitimate ground for us to continue processing it.

• Right to restriction (Article 18): the right to restrict processing in certain circumstances.

• Right to data portability (Article 20): the right to receive your data in a structured, machine-readable format.

• Right to object (Article 21): the right to object to processing based on legitimate interests or for direct marketing.

• Rights related to automated decision-making (Article 22): the right not to be subject to solely automated decisions that produce significant effects.

• Right to withdraw consent: where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

• Right to complain: you have the right to lodge a complaint with your local supervisory authority. In the EU this is your national data protection authority; in the UK this is the Information Commissioner's Office (ico.org.uk).

California residents — CCPA / CPRA

• Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it.

• Right to delete: you may request deletion of personal information we have collected from you, subject to certain exceptions.

• Right to correct: you may request correction of inaccurate personal information.

• Right to opt out of sale or sharing: we do not sell personal information or share it for cross-context behavioural advertising, so no opt-out is required.

• Right to limit use of sensitive personal information: we do not use sensitive personal information beyond the purposes permitted under the CPRA.

• Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.

California residents may submit requests through the contact details in Section 11.

Other US state residents

Residents of Virginia, Colorado, Connecticut, Texas, and other states with enacted privacy legislation have rights similar to those described above — including rights to access, correct, delete, and opt out of certain processing. We will honour all valid rights requests made under applicable state law. To submit a request, use the contact details in Section 11.

7. Data Retention

We retain personal information only for as long as is necessary for the purposes for which it was collected, or as required by law.

• Website enquiry data: retained for up to 3 years from the date of the enquiry, unless you become a client, in which case client engagement records are retained for 7 years from the end of the engagement in accordance with South African legal requirements.

• Client engagement records: retained for 7 years after the conclusion of an engagement to satisfy contractual, tax, and legal obligations.

• Analytics data: aggregated and anonymised within 14 months of collection.

After the applicable retention period, personal information is securely deleted or anonymised.

8. Data Sharing and Third Parties

We do not sell, rent, or trade personal information. We share personal information only in the following limited circumstances:

• Service providers: we engage trusted third-party providers to support the operation of our website and business (such as cloud hosting, analytics, and communication tools). These providers are contractually bound to process data only on our instructions and to maintain appropriate security.

• Professional advisers: we may share information with lawyers, accountants, or auditors where necessary, subject to professional confidentiality obligations.

• Legal requirements: we may disclose personal information if required by applicable law, court order, or regulatory authority.

• Business transfers: in the event of a merger, acquisition, or sale of business assets, personal information may be transferred as part of that transaction. We will notify affected individuals before any such transfer and before personal information becomes subject to a different privacy policy.

Third-party service providers currently used include Google Analytics (website analytics) and Zoho (CRM and communication). Each provider maintains its own privacy policy and data processing terms.

9. International Data Transfers

Espresso is based in South Africa. Personal information we collect may be processed in South Africa and in countries where our service providers operate, including within the European Economic Area and the United States.

For transfers of personal data from the EEA or UK to South Africa: the European Commission has not issued an adequacy decision for South Africa. Where we receive personal data from EEA or UK-based clients or contacts, we rely on the Standard Contractual Clauses approved by the European Commission (or their UK equivalent, the International Data Transfer Agreement) as the transfer mechanism.

For transfers between South Africa and other countries: we take appropriate steps to ensure that any cross-border flow of personal information receives equivalent protection to that afforded under POPIA, as required by section 72 of POPIA.

You may request a copy of any transfer safeguards we have in place by contacting us at the details in Section 11.

10. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to support its operation and to understand how visitors use the site.

Types of cookies we use

• Essential cookies: required for the website to function correctly. These cannot be disabled.

• Analytics cookies: used to collect anonymised information about how visitors use the site (pages visited, time on site, referring source). We use Google Analytics for this purpose. Analytics cookies are only set with your consent where consent is required by law.

• Functionality cookies: used to remember your preferences across sessions.

Managing cookies

You can control cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, or be notified when a new cookie is set. Please note that disabling certain cookies may affect the functionality of the website.

For EEA and UK visitors, we will request your consent before setting non-essential cookies, in compliance with the ePrivacy Directive and applicable national laws.

11. Data Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, accidental loss, destruction, or disclosure. These measures are reviewed and updated as necessary.

Our website is served over HTTPS. Access to personal data within our business is limited to personnel with a need to know. Where we engage third-party processors, we require them to maintain appropriate security standards.

Despite these measures, no internet transmission or electronic storage is completely secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at the contact details in Section 12.

12. Children's Privacy

Our website and services are directed at businesses and professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly.

If you believe we have collected personal information from a child, please contact us immediately at the details below.

13. Contact and Information Officer

To exercise any of your rights, submit a complaint, or ask questions about this policy, please contact:

Information Officer (POPIA) / Data Controller contact

Espresso Consulting (Pty) Ltd

Information Officer

Email: hello@espresso.consulting

Phone: +27 71 230 6305

Physical address: Cape Town and Johannesburg, South Africa

We will respond to all legitimate requests within 30 days. Occasionally it may take us longer if the request is complex or if you have made multiple requests; in such cases we will notify you and keep you updated.

14. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the services we offer. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Continued use of our website or services after any changes constitutes acceptance of the revised policy.

Questions about this policy?

Reach the Espresso Information Officer directly at hello@espresso.consulting. We respond to all privacy requests within 30 days.