
Privacy Policy

Last updated: April 2026

Effective date: 7 April 2026

1. Introduction and Scope

HealXRlabs (Pty) Ltd (“HealXRlabs”, “we”, “us”, or “our”) is committed to protecting the privacy and personal information of every individual who interacts with us. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your personal information when you:

  • Visit or interact with our website at https://healxrlabs.co.za (the “Website”);
  • Engage with us for professional services, including digital transformation consulting, software engineering, design, and governance services;
  • Communicate with us via email, telephone, contact forms, or social media;
  • Subscribe to our newsletters, insights, or marketing communications;
  • Attend our events, webinars, or workshops; or
  • Otherwise provide your personal information to us.

This policy applies to all personal information processed by HealXRlabs, whether collected online or offline, and applies to all data subjects, including but not limited to website visitors, clients, prospective clients, business partners, suppliers, and job applicants.

We process personal information in accordance with the Protection of Personal Information Act, 2013 (Act 4 of 2013) (“POPIA”), the Electronic Communications and Transactions Act, 2002 (Act 25 of 2002) (“ECT Act”), and other applicable South African legislation. Where our services extend internationally, we also have regard to the European Union General Data Protection Regulation (“GDPR”) and other relevant international data protection frameworks.

By using our Website or providing your personal information to us, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our Website or provide us with your personal information.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below, in line with the definitions set out in POPIA:

  • “Consent” means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
  • “Data Subject” means the person to whom personal information relates -- this includes you, the user of our Website or recipient of our services.
  • “Information Officer” means the person registered with the Information Regulator who is responsible for ensuring compliance with POPIA within our organisation.
  • “Information Regulator” means the independent body established in terms of Section 39 of POPIA to monitor and enforce compliance with the Act.
  • “Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party (equivalent to a “data processor” under the GDPR).
  • “Personal Information” means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including but not limited to: name, identity number, contact details, email address, physical address, online identifiers, location data, biometric information, personal opinions, views, preferences, correspondence, employment history, financial information, and any information relating to the education or medical, financial, criminal, or employment history of the person.
  • “Processing” means any activity or set of activities concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, distribution, merging, linking, restriction, degradation, erasure, or destruction of information.
  • “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information (equivalent to a “data controller” under the GDPR).
  • “Special Personal Information” means personal information concerning a data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information, or criminal behaviour.
  • “Website” means the HealXRlabs website accessible at https://healxrlabs.co.za, including all subdomains and pages.

3. Responsible Party Details

For the purposes of POPIA, HealXRlabs is the Responsible Party in respect of your personal information. Our details are as follows:

  • Registered Name: HealXRlabs (Pty) Ltd
  • Trading As: HealXRlabs
  • Physical Address: 20 Mirage Drive, Johannesburg, Gauteng 1724, South Africa
  • Website: https://healxrlabs.co.za
  • Email: team@healxrlabs.co.za
  • Telephone: +27 78 716 0366

Our Information Officer can be contacted at team@healxrlabs.co.za with the subject line “POPIA -- Information Officer”.

4. What Personal Information We Collect

Depending on how you interact with us, we may collect the following categories of personal information:

4.1 Identity and Contact Information

  • Full name, first name, and surname
  • Email address (personal or business)
  • Telephone number and/or mobile number
  • Physical and/or postal address
  • Job title, role, and department
  • Organisation or company name
  • Social media handles or profile URLs

4.2 Technical and Usage Information

  • IP address and approximate geolocation
  • Browser type, version, and language settings
  • Operating system and device type (desktop, mobile, tablet)
  • Screen resolution and viewport dimensions
  • Referring website URL and exit pages
  • Pages visited, time spent on each page, and navigation path
  • Click patterns, scroll depth, and interaction events
  • Session recordings and heatmap data (via Microsoft Clarity)
  • Date and time of access
  • Unique device identifiers and cookie identifiers

4.3 Communication Information

  • Content of emails, contact form submissions, and chat messages
  • Records of telephone conversations (where applicable and with consent)
  • Feedback, reviews, and testimonials
  • Communication preferences and marketing opt-in/opt-out records

4.4 Professional and Business Information

  • Company registration details and VAT numbers
  • Billing and invoicing information
  • Project requirements, briefs, and specifications
  • Contractual and engagement records
  • Professional qualifications and experience (for job applicants)

4.5 Information We Do Not Collect

We do not intentionally collect Special Personal Information as defined by POPIA (such as information concerning race, ethnicity, religious beliefs, political opinions, health, sex life, biometric data, or criminal behaviour) unless it is strictly necessary and permitted by law. If we are ever required to process such information, we will obtain your explicit consent beforehand.

5. How We Collect Personal Information

5.1 Directly from You

We collect information that you voluntarily provide to us when you:

  • Complete a contact form or enquiry form on our Website
  • Send us an email or telephone us
  • Subscribe to our newsletter or mailing list
  • Request a quotation or proposal
  • Enter into a service agreement or contract with us
  • Submit a job application or curriculum vitae
  • Interact with us on social media platforms
  • Attend our events, webinars, or workshops

5.2 Automatically Through Technology

When you visit our Website, we automatically collect certain technical information through cookies, web beacons, pixel tags, and similar tracking technologies. This includes the technical and usage information described in Section 4.2 above. Please refer to our Cookie Policy for full details on the tracking technologies we use.

5.3 From Third Parties

We may receive personal information about you from third-party sources, including:

  • Business referral partners who introduce you to our services
  • Publicly available sources such as company websites, LinkedIn, and public registries
  • Analytics and advertising partners (e.g., Google, Microsoft)
  • Previous employers or professional references (in the context of recruitment)
  • Our clients, where you are a representative or contact person for a client organisation

6. Purpose of Processing

We process your personal information only for specific, explicitly defined, and lawful purposes. The purposes for which we process personal information include:

  • Service Delivery: To provide, manage, and administer the professional services you have engaged us for, including digital transformation consulting, software engineering, UX/UI design, and governance services.
  • Communication: To respond to your enquiries, requests, or complaints; to communicate with you about our services, projects, or engagements; and to provide you with relevant updates.
  • Marketing and Newsletters: To send you marketing communications, newsletters, insights, case studies, and promotional materials, where you have opted in to receive such communications or where we have a legitimate interest in doing so.
  • Website Improvement: To analyse how our Website is used, to improve its design, functionality, content, and user experience, and to troubleshoot technical issues.
  • Analytics and Reporting: To generate aggregated, anonymised statistics and reports about website traffic, user behaviour, and service performance.
  • Quotations and Proposals: To prepare and deliver quotations, proposals, and scope-of-work documents in response to your requests.
  • Contractual Obligations: To enter into and perform our obligations under contracts and service agreements with you or your organisation.
  • Invoicing and Payments: To issue invoices, process payments, and manage our financial records and accounts.
  • Recruitment: To process job applications, evaluate candidates, conduct interviews, and manage the recruitment process.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests, including POPIA, the ECT Act, tax legislation, and the Companies Act.
  • Security and Fraud Prevention: To protect our Website, systems, and services from unauthorised access, misuse, fraud, and security threats.
  • Business Operations: To manage our internal business operations, including record-keeping, audits, and quality assurance.

7. Legal Basis for Processing Under POPIA

In terms of Section 11 of POPIA, personal information may only be processed if certain conditions are met. We rely on the following legal bases for processing your personal information:

  • Consent (Section 11(1)(a)): Where you have given us your voluntary, specific, and informed consent to process your personal information for a particular purpose -- for example, when you subscribe to our newsletter, submit a contact form, or opt in to marketing communications. You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
  • Contractual Necessity (Section 11(1)(b)): Where processing is necessary to enter into or perform a contract with you -- for example, when we process your information to deliver the services you have engaged us for, to issue invoices, or to manage a project engagement.
  • Legal Obligation (Section 11(1)(c)): Where processing is necessary to comply with a legal obligation to which we are subject -- for example, maintaining financial records as required by the Income Tax Act or Companies Act, or responding to lawful requests from regulatory authorities.
  • Legitimate Interest (Section 11(1)(f)): Where processing is necessary for the pursuit of our legitimate interests or those of a third party to whom the information is supplied, provided that such interests are not overridden by your rights and interests. Examples include website analytics, improving our services, direct marketing to existing clients, and fraud prevention.
  • Protection of a Legitimate Interest (Section 11(1)(d) and (e)): Where processing is necessary to protect your legitimate interests or the legitimate interests of a third party, or where processing is necessary for the proper performance of a public law duty.

8. Cookies and Tracking Technologies

Our Website uses cookies and similar tracking technologies to enhance your browsing experience, analyse website usage, and assist with our marketing efforts. A cookie is a small text file that is placed on your device (computer, smartphone, or tablet) when you visit our Website.

We use the following categories of cookies:

  • Strictly Necessary Cookies: Essential for the basic operation of our Website, including session management, load balancing, and security features. These cookies do not require consent.
  • Analytics and Performance Cookies: Used to collect information about how visitors use our Website, including which pages are visited most often, time spent on pages, and any error messages encountered. We use Google Analytics (cookies: _ga, _gid, _gat) and Microsoft Clarity (cookies: _clck, _clsk, MUID, ANONCHK, SM, CLID, MR) for these purposes.
  • Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences, language settings, and form entries.
  • Marketing and Advertising Cookies: Used to track visitors across websites and display relevant advertisements. These cookies measure campaign effectiveness and are only set with your consent.

For comprehensive details about the specific cookies we use, their purposes, and their expiry periods, please refer to our Cookie Policy.

9. Google Analytics and Google Tag Manager

We use Google Analytics 4 (“GA4”), a web analytics service provided by Google LLC (“Google”), to analyse usage patterns on our Website. GA4 uses cookies and similar technologies to collect and analyse information about how you use our Website. The information generated is typically transmitted to and stored on Google servers, which may be located outside of South Africa, including in the United States.

We have implemented the following privacy-protective measures in our Google Analytics configuration:

  • IP anonymisation is enabled, meaning that your IP address is truncated before being transmitted to Google
  • Data sharing with Google for advertising purposes is disabled unless you have consented to marketing cookies
  • Data retention is set to the minimum period necessary for our analytical purposes
  • We do not enable Google Signals or User-ID features that would enable cross-device tracking

We may also use Google Tag Manager (“GTM”) to manage and deploy tracking tags on our Website. GTM itself does not collect personal information, but it facilitates the deployment of tags that may do so (such as Google Analytics and marketing pixels). All tags deployed through GTM are subject to the consent settings described in this policy and our Cookie Policy.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. Google's privacy policy is available at https://policies.google.com/privacy.

10. Microsoft Clarity

We use Microsoft Clarity, a user behaviour analytics tool provided by Microsoft Corporation (“Microsoft”), to understand how visitors interact with our Website. Microsoft Clarity collects the following types of data:

  • Session Recordings: Clarity records anonymised replays of user sessions, showing mouse movements, clicks, scrolling behaviour, and page interactions. These recordings do not capture text entered into form fields, passwords, or other sensitive input.
  • Heatmaps: Clarity generates aggregated heatmaps that show where users click, how far they scroll, and which areas of a page receive the most attention.
  • Performance Metrics: Clarity collects data on page load times, JavaScript errors, and other performance indicators.
  • Device and Browser Data: Including browser type, operating system, screen resolution, and device category.

Microsoft Clarity data is processed and stored by Microsoft, which may involve transfers to servers located outside of South Africa. Microsoft's privacy statement is available at https://privacy.microsoft.com/en-us/privacystatement.

We use Microsoft Clarity data solely for the purpose of improving our Website's usability, performance, and user experience. We do not use Clarity data to personally identify individual visitors.

11. Third-Party Service Providers and Data Sharing

We may share your personal information with trusted third-party service providers who assist us in operating our business and delivering our services. These third parties act as Operators under POPIA and are contractually obligated to process your information only on our instructions and in accordance with this Privacy Policy.

Categories of third-party service providers include:

  • Cloud Hosting and Infrastructure Providers: Including Vercel, Amazon Web Services (AWS), and Microsoft Azure, who host our Website and applications.
  • Analytics Providers: Including Google Analytics and Microsoft Clarity, as described in Sections 9 and 10.
  • Email and Communication Platforms: Including email service providers used to send newsletters, transactional emails, and marketing communications.
  • Customer Relationship Management (CRM) Systems: Used to manage client relationships, track enquiries, and maintain communication records.
  • Payment Processors: Where applicable, for processing payments securely.
  • Professional Advisors: Including legal, accounting, and auditing professionals who provide advisory services to our business.
  • Project Management and Collaboration Tools: Used to manage service delivery and collaborate with clients and team members.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may disclose your personal information if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.

12. International Data Transfers

Some of our third-party service providers are based in, or have servers located in, countries outside of the Republic of South Africa, including the United States, the European Union, and other jurisdictions. This means that your personal information may be transferred to, stored in, and processed in countries that may not have data protection laws equivalent to those in South Africa.

In accordance with Section 72 of POPIA, we will only transfer your personal information to a third party in a foreign country if one or more of the following conditions are met:

  • The recipient country has adequate data protection legislation in place;
  • The recipient is subject to binding corporate rules or a binding agreement that provides an adequate level of protection;
  • You have provided your consent for the transfer;
  • The transfer is necessary for the performance of a contract between us and you, or for the implementation of pre-contractual measures taken in response to your request;
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; or
  • The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent.

We take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy, regardless of where it is processed.

13. Data Retention Periods

We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. When personal information is no longer needed, we will securely delete or anonymise it. The following retention periods apply:

  • Contact Form Submissions and General Enquiries: Retained for a period of 2 years from the date of submission, unless the enquiry leads to a client engagement, in which case the information is retained as part of the client record.
  • Client and Engagement Records: Retained for a period of 5 years from the end of the relevant engagement or contractual relationship, in accordance with the Companies Act, Income Tax Act, and VAT Act requirements.
  • Financial and Invoicing Records: Retained for a minimum of 5 years as required by SARS and the Income Tax Act, 1962.
  • Marketing and Newsletter Subscriptions: Retained until you unsubscribe or withdraw your consent, plus an additional period of 6 months for record-keeping purposes.
  • Website Analytics Data: Google Analytics data is retained for 14 months. Microsoft Clarity session data is retained for 30 days.
  • Cookie Data: Retention periods vary by cookie type -- see our Cookie Policy for specific details.
  • Job Applications: Retained for 12 months from the date of application, or longer with your consent, to consider you for future vacancies.
  • Communication Records: Retained for 3 years from the date of the last communication, unless linked to an active engagement.

14. Data Security Measures

We are committed to ensuring the security of your personal information and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, destruction, loss, or any form of unlawful processing. These measures include, but are not limited to:

  • Encryption of data in transit using TLS/SSL (HTTPS) across our entire Website
  • Encryption of data at rest where technically feasible
  • Secure hosting on reputable cloud infrastructure with SOC 2 and ISO 27001 certifications
  • Access controls and authentication mechanisms to restrict access to personal information to authorised personnel only
  • Regular security assessments and vulnerability scanning
  • Firewall and intrusion detection systems
  • Employee awareness and training on data protection and information security
  • Incident response procedures for addressing data breaches
  • Contractual data protection obligations imposed on third-party service providers

Despite our best efforts, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Regulator and affected data subjects in accordance with Section 22 of POPIA.

15. Children's Privacy

Our Website and services are not directed at, and are not intended for, children under the age of 18. We do not knowingly collect personal information from children. In terms of Section 35 of POPIA, personal information of children (persons under the age of 18) may not be processed unless it is carried out with the prior consent of a competent person (parent or guardian) or is necessary for the establishment, exercise, or defence of a right or obligation in law.

If we become aware that we have inadvertently collected personal information from a child without proper authorisation, we will take immediate steps to delete such information from our records. If you believe that we may have collected information from a child, please contact us immediately at team@healxrlabs.co.za.

16. Your Rights Under POPIA

As a data subject, you have the following rights in relation to your personal information under POPIA:

  • Right of Access (Section 23): You have the right to request confirmation of whether we hold personal information about you, and to request access to a record or description of the personal information we hold about you, including information about the identity of all third parties who have or have had access to the information.
  • Right to Correction (Section 24): You have the right to request the correction or deletion of personal information about you that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or that has been obtained unlawfully.
  • Right to Deletion (Section 24): You have the right to request the destruction or deletion of a record of personal information about you that we are no longer authorised to retain.
  • Right to Object (Section 11(3)): You have the right to object, on reasonable grounds relating to your particular situation, to the processing of your personal information. Where you object to processing for direct marketing purposes, we will cease processing immediately.
  • Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
  • Right Not to be Subject to Automated Decision-Making (Section 71): You have the right not to be subject to a decision which is based solely on the basis of automated processing of your personal information intended to provide a profile of you.
  • Right to Lodge a Complaint (Section 74): You have the right to lodge a complaint with the Information Regulator if you believe that we have interfered with the protection of your personal information.

17. How to Exercise Your Rights

To exercise any of the rights described above, please submit a written request to our Information Officer using the following methods:

  • Email: team@healxrlabs.co.za (subject line: “POPIA Data Subject Request”)
  • Post: POPIA Data Subject Request, HealXRlabs (Pty) Ltd, 20 Mirage Drive, Johannesburg, Gauteng 1724, South Africa

When submitting a request, please provide:

  • Your full name and contact details
  • A clear description of the information or right you wish to exercise
  • Proof of identity (a copy of your South African ID or passport) to verify your identity and prevent fraudulent requests

We will acknowledge receipt of your request within 5 business days and will respond substantively within 30 days, as required by Section 25 of POPIA. In certain circumstances, we may extend this period, in which case we will notify you of the extension and the reasons for it. We may charge a reasonable fee for processing access requests, as permitted by POPIA, but we will inform you of any fees before proceeding.

Please note that we may refuse your request where POPIA permits or requires us to do so -- for example, where the request is unreasonable, repetitive, or where we are required by law to retain the information. If we refuse your request, we will provide you with written reasons for the refusal and inform you of your right to lodge a complaint with the Information Regulator.

18. Information Regulator Contact Details

If you are dissatisfied with how we have handled your personal information or a request you have made in terms of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:

19. Changes to This Privacy Policy

We reserve the right to update or amend this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this policy, we will:

  • Update the “Last updated” date at the top of this page;
  • Post the revised policy on our Website;
  • Where the changes are significant, provide prominent notice on our Website or notify you directly via email (where we have your email address).

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information. Your continued use of our Website after the posting of changes constitutes your acceptance of such changes.

20. Contact Details

If you have any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal information, please contact us using the following details:

21. Effective Date

This Privacy Policy is effective as of 7 April 2026 and supersedes all prior versions of our privacy policy. The current version of this policy will always be available on our Website at https://healxrlabs.co.za/privacy-policy.