Privacy Policy

Thank you for visiting the Exclusive Pool Heating Privacy Policy and our website. Exclusive Pool Heating is committed to treating the personal and corporate information of our site users and customers with respect and sensitivity. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, the legal bases for processing under POPIA and GDPR/UK GDPR, your rights, and how to contact our Information Officer. This policy applies to data collected via solarpoolheatingsa.co.za, by phone, WhatsApp, form submissions, online tools and calculators, email and during site assessments and installations.

About Us

Company name: Exclusive Pool Heating

Website: solarpoolheatingsa.co.za

Address: 1147 Wargrave Road, Henley On Klip, Gauteng, South Africa 1961

Contact Information Officer: info@solarpoolheatingsa.co.za | Tel 010 012 6125

What Personal Information We Collect

• Contact and identity: name, email, telephone/WhatsApp number, postal and physical address provided when requesting a quote or placing an order.
• Company/CC/Business Name
• Transaction and billing: invoices, EFT bank details for payments, signatures on delivery or installation notes. We may provide PayFast links on request; we do not store card details.
• Technical and usage: IP address, approximate geographic location derived from IP, device and browser information, cookies, UTM and campaign tracking parameters, and analytics data from Google Analytics and similar tools.
• Communications records: emails, WhatsApp messages and telephone call records related to quotes, orders and service delivery.
• Site assessment and installation data: site photos (taken only with your consent), installation notes, measurements and onsite records required to deliver services.
• We collect personal data directly from you and automatically capture technical data when you interact with our website or submit forms.

How We Use Personal Information and Legal Bases

• Provide and manage quotes, bookings, site assessments, deliveries and installations — performance of contract.
• Communicate about quotes, bookings, deliveries and installations — performance of contract and our legitimate interest in efficient service.
• Process payments and keep accounting/tax records — legal obligations and contract performance.
• Store site assessment photos and notes for service delivery, quality assurance and warranty support — contract performance; consent for marketing publication.
• Improve our services, products and website performance using analytics and campaign tracking (including UTM data) — legitimate interests in product/service improvement and technical reliability; for EU/UK users we will obtain consent where required.
• Personalise communications and service delivery (appointment reminders, order updates, recommended products) when you opt in — consent or contract performance.
• Detect, prevent and investigate fraud, abuse and security incidents using IP, geolocation and submission metadata — legitimate interest and legal compliance.
• Compile anonymised, aggregated insights for internal reporting and marketing performance measurement.
• Send marketing communications — only with your opt in consent; you may withdraw consent at any time.
• Comply with legal obligations and respond to lawful requests from regulators or courts — legal obligation.
• We do not process special category (sensitive) personal data except where required by law and with additional safeguards.

Cookies, Tracking and Consent (Cookiebot)

We use Cookiebot to manage cookie consent and to record consent receipts and timestamps. Cookie categories used are: Necessary, Preferences, Statistics, Marketing. Cookiebot is configured to block analytics and marketing tags by default and to expose consent state to Google Tag Manager. Google Analytics (GA4), Google Ads, and other marketing tags will only fire for EU/UK/Swiss users after valid consent is recorded via Cookiebot. Facebook and Bing tags are treated the same. For non EEA/UK/Swiss users, non essential tags remain blocked until the user provides consent; Cookiebot settings and GTM triggers control tag firing site wide. You can change or withdraw cookie consent at any time via the Cookiebot preferences manager on our website or by emailing info@solarpoolheatingsa.co.za. Additionally, you can control interest based advertising and opt out of cookies used by Google and other third party vendors via these external tools: Google My Ad Center (https://myadcenter.google.com/), Google Ad Settings (https://adssettings.google.com/), the Network Advertising Initiative Consumer Opt Out (https://optout.networkadvertising.org/), and the Digital Advertising Alliance WebChoices Tool (https://optout.aboutads.info/). Withdrawal prevents non essential cookies from firing on subsequent visits but does not affect processing already lawfully completed. We log consent receipts, consent timestamps and withdrawal actions for cookie and marketing consents. Cookiebot records and our CRM consent flags are retained for a minimum of seven years or for as long as required by applicable law.

Do Not Sell Personal Information

We do not sell your personal information. We will never trade, rent or otherwise sell your personal data to third parties for marketing or any other purpose.

When We Share Data With Third Parties

We only share personal information with third parties where necessary to provide our services, comply with legal obligations, or where you have given consent. Typical recipients include:

• Payment processors: PayFast for processing online and card payments.
• Accounting and invoicing: SAGE for bookkeeping and tax records.
• Hosting and IT services: Elitehost for server hosting, email and backups.
• Delivery and installers: courier and delivery partners and installers (only the minimum contact and delivery information required to complete deliveries and installations).
• Analytics and advertising: Google Analytics, Google Ads and similar providers for aggregated analytics and campaign measurement where lawful consent has been obtained.
• Professional advisers and regulators: legal, audit or regulatory bodies where required by law or for the exercise of legal claims.

We require all subprocessors to sign Data Processing Agreements and implement appropriate security controls before we share personal data with them. We limit the data shared to the minimum necessary for each recipient’s role. We perform initial security and privacy due diligence on key providers (for example PayFast, SAGE and Elitehost) and carry out periodic reviews; we maintain evidence of these checks and retain the right to request security information or perform audits on a risk based basis.

Automated Decisioning and Profiling

We do not use third parties to make automated decisions about you that have legal or similarly significant effects. Where automated profiling or decisioning is used in future, we will disclose this, explain the logic, significance and consequences, and provide ways to obtain human review where required by law.

Sharing, Subprocessors and International Transfers

• We share personal data only with trusted service providers who help deliver our services. Any delivery partners receive only the minimum necessary data to perform deliveries. Installers are internal employees.
• Where data is transferred outside South Africa (for example to analytics or ad platform vendors in the EU or US), we ensure appropriate safeguards are in place such as contractual protections or standard contractual clauses and notify you where additional consent is required.
• We maintain an internal Record of Processing Activities listing categories of personal data, categories of data subjects, processing purposes, legal bases, recipients and retention periods; this record is maintained for accountability and is available to the Information Regulator on request.

Photo Consent and Publication

• We obtain consent before taking photos on private property. Installation photos used for marketing are anonymised where practical.
• You may withdraw publication consent at any time by emailing info@solarpoolheatingsa.co.za; we will remove or anonymise published images where reasonably feasible and confirm completion of removal.
• A written photo release form can be provided on request.

Storage, Retention and Deletion

We retain personal data only as long as necessary for the purposes collected and to meet legal obligations. Default retention periods:

• Leads: 2 years.
• Customer records, orders and invoices: 7 years (tax/accounting obligations).
• Installation photos: 5 years (unless you request earlier deletion).
• Marketing lists: until you withdraw consent or opt out.

After retention periods expire we securely delete or irreversibly anonymise personal data unless legal holds or other obligations require longer retention.

Security Measures

We apply industry standard technical and organisational measures to protect personal data, including:

• TLS/HTTPS and HSTS for data in transit; encryption of stored data where appropriate.
• Role based access controls and multi factor authentication for administrative and server access.
• Encrypted backups, regular patching, vulnerability scanning and endpoint protection.
• Audit logging of access to customer records and installer uploads.
• Written Data Processing Agreements with subprocessors and periodic security reviews.
• A documented incident response plan to investigate, contain, document and notify breaches where required.
• We will follow the Information Regulator’s Security Compromise Notification process.
• Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals we will submit the SCN1 form where required, notify the Information Regulator without undue delay and inform affected individuals as required by law.

Data Subject Rights and DSAR Procedure

You have rights under POPIA and GDPR/UK GDPR, including access, rectification, erasure, restriction, portability and objection. To exercise your rights:

• Contact our Information Officer at info@solarpoolheatingsa.co.za.
• Verification: we will verify identity using the minimum necessary evidence, typically confirmation via the registered email or phone number and one corroborating transaction reference (invoice or booking reference). We will not require excessive identity documents unless there are reasonable fraud indicators. For third party representatives we require written authorisation.
• Timescales: we aim to respond to verified requests within 10 business days. DSAR responses will be delivered by secure email containing a PDF or ZIP file via a secure link unless an alternative format is requested. We do not charge for routine requests.
• If we refuse or need an extension we will explain why, cite relevant legal grounds and log the decision.
• We endeavour to ensure the quality, accuracy and confidentiality of Personal Information in our possession. Accordingly, we will take all reasonable steps to prevent unauthorised access to, or disclosure of your personal Information. However, it is impossible to guarantee that your personal information shall be 100% secure.

Withdrawing Consent and Opt Out

• Cookies: change or withdraw consent using the Cookiebot preference manager on our website or email info@solarpoolheatingsa.co.za. Withdrawal will stop non essential cookies from firing on subsequent visits.
• Marketing: withdraw consent by emailing info@solarpoolheatingsa.co.za; we will promptly remove you from marketing lists and confirm removal.
• Photo publication: withdraw by emailing info@solarpoolheatingsa.co.za; we will remove or anonymise images where reasonably feasible and confirm completion.
• Withdrawal does not affect processing already lawfully carried out (for example, processing necessary to fulfil a contract, meet tax obligations, or retain records for legal reasons).

Your Rights in Regards to the Personal Information We Collect

• Of access to their personal information stored and processed by us. This may be done by emailing us at info@solarpoolheatingsa.co.za
• To rectification of personal information that we hold on a user’s behalf, in instances where such personal information is incorrect or incomplete.
• To restrict/suspend processing of personal information to only that which is strictly necessary for us to perform our services to you.
• Of erasure of personal information (“right to be forgotten”) if such information is no longer needed for the original processing purpose, alternatively if a user withdraws their consent and there is no other reason or justification to retain such personal information, further alternatively, if a user has objected to such personal information being processed and there is no justified reason for the processing of such personal information.
• To object to the processing of Personal Information for direct marketing purposes.
• To withdraw their consent at any time, if processing of personal information is based on consent.
• To object to processing of Personal Information, if such processing is based on legitimate interests.

Links From The Website

• The services available through the website, may contain links to other third party websites, including (without limitation) social media platforms, payment gateways, appointment scheduling and/or live chat platforms (“third party websites”). If you select a link to any third party website, you may be subject to such third party website’s terms and conditions and/or other policies, which are not under our control, nor are we responsible therefore.
• Hyperlinks to third party websites are provided “as is”, and we do not necessarily agree with, edit or sponsor the content on third party websites.
• We do not monitor or review the content of any third party website, Opinions expressed or material appearing on such websites are not necessarily shared or endorsed by us and we should not be regarded as the publisher of such opinions or material. Please be aware that we are not responsible for the privacy practices, or content, of other websites, either.
• Users should evaluate the security and trustworthiness of any third party website before disclosing any personal information to them. We do not accept any responsibility for any loss or damage in whatever manner, howsoever caused, resulting from your disclosure to third parties of personal information.

Application Of The Electronic Communications And Transactions Act 25 Of 2002 (“ECT Act”)

• Data messages (as defined in the ECT Act) will be deemed to have been received by us if and when we respond to the data messages.
• Data messages sent by us to a user will be deemed to have been received by such user in terms of the provisions specified in section 23(b) of the ECT Act.
• Users acknowledge that electronic signatures, encryption and/or authentication are not required for valid electronic communications between us and users.
• Information to be provided in terms of section 43(1) of the ECT Act:
• Users warrant that Data Messages sent to us from any electronic device, used by such user, from time to time or owned by such user, from time to time or owned by such user, were sent and or authorised by such user, personally.
• This Website is owned and operated by Exclusive Pool Heating.
• Address for service of legal documents: 1147 Wargrave Road, Henley On Klip, Gauteng, South Africa, 1961.
• Contact Number: 010-012-6125
• Website – located at solarpoolheatingsa.co.za
• Email address: info@solarpoolheatingsa.co.za

Incident Response and Breach Notification

If a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals we will: contain and investigate the incident, document and log the breach, and notify the Information Regulator and affected individuals where required by POPIA and GDPR/UK GDPR.

PAIA and Access to Information

Where applicable we will comply with the Promotion of Access to Information Act (PAIA). Information about how to make a PAIA request is available from our Information Officer at info@solarpoolheatingsa.co.za.

Changes to This Policy

We may update this Privacy Policy to reflect changes to our services, legal obligations or processing practices. We will publish the revised policy at solarpoolheatingsa.co.za and show the last updated date.

Contact and Supervisory Authority

For questions about this policy or to exercise your rights contact: Information Officer — info@solarpoolheatingsa.co.za. South African data subjects may contact the Information Regulator. EU/UK data subjects may contact the supervisory authority in the relevant member state.

Data Processing Agreement Summary for Subprocessors

Processors must process data only on our documented instructions; implement appropriate technical and organisational measures; ensure confidentiality of personnel with access; assist with data subject requests and breach notifications; return or delete data on termination; and not engage subprocessors without prior written authorisation and equivalent obligations.

Lodging of Complaints

We only process your Personal Information in compliance with this privacy policy and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your Personal Information or are unsatisfied with how we have handled your Personal Information, you have the right to lodge a complaint with the supervisory authority in your country.