Effective Date: V1.1 March 2026
1. INTRODUCTION
This Privacy Policy explains how Legal Axis (Pty) Ltd (South Africa) and its global affiliates (“we”, “us”, “our”) collect, use, disclose, and protect your personal information when you visit our website or interact with our services.
We are committed to protecting your privacy and handling your personal information in a manner that complies with:
- The General Data Protection Regulation (GDPR) (EU) 2016/679;
- The Protection of Personal Information Act, 2013 (POPIA) (South Africa); and
- The Data Protection Act 2017 (DPA) (Mauritius)
- Data Protection Legislation as may be applicable to the operations of a Client.
Please read this policy carefully to understand our practices regarding your personal data.
2. WHO WE ARE
Data Controller: Legal Axis (Pty) Ltd
Email: theoffice@legal-axis.online
For the purposes of GDPR, we are the data controller in respect of personal data processed through our website. For POPIA purposes, we are a “responsible party”. For Mauritius DPA purposes, we are a “data controller”
3. PERSONAL INFORMATION WE COLLECT
We may collect the following categories of personal information:
3.1 Information You Provide to Us
- Contact details (name, email address, telephone number, postal address);
- Professional information (job title, company name, practice area);
- Communication preferences;
- Correspondence sent to us (including emails and messages);
- Information provided when you complete forms on our website (including contact forms, newsletter sign-ups, and event registrations).
3.2 Information Collected Automatically
When you visit our website, we may automatically collect:
- Technical information (IP address, browser type and version, operating system);
- Usage data (pages visited, time spent on pages, click-stream data);
- Device information (device type, unique device identifiers);
- Referral sources (how you arrived at our website)
3.3 Special Categories of Data
We do not ordinarily collect sensitive personal information (such as health data, bio-metric data, or information relating to criminal convictions). Should it become necessary to process such data (e.g., in the context of legal services), we will obtain your explicit consent where required by applicable law.
4. LEGAL BASES FOR PROCESSING
We process your personal information only when we have a lawful basis to do so:
| Legal Basis | Applicable Laws | Examples |
|---|---|---|
| Consent | GDPR Art 6(1)(a); POPIA s 11; DPA s 4(1)(a) | Newsletter subscriptions; cookies (non-essential) |
| Contractual Necessity | GDPR Art 6(1)(b); POPIA s 11; DPA s 4(1)(b) | Providing legal services you requested |
| Legal Obligation | GDPR Art 6(1)(c); POPIA s 11; DPA s 4(1)(c) | Retaining records as required by law |
| Legitimate Interests | GDPR Art 6(1)(f); POPIA s 11; DPA s 4(1)(d) | Website analytics; improving our services; direct marketing (subject to opt-out rights) |
| Public Interest | DPA s 4(1)(e) | (Where applicable) |
For POPIA purposes, we rely on the lawful processing grounds set out in section 11 of POPIA.
5. HOW WE USE YOUR INFORMATION
We use your personal information for the following purposes:
- To provide legal services and respond to your enquiries;
- To administer and improve our website;
- To communicate with you about our services, events, and legal updates (where you have consented or where we have a legitimate interest);
- To comply with our legal and regulatory obligations;
- To establish, exercise, or defend legal claims;
- To monitor and analyse website usage and trends (using analytics tools);
- To detect and prevent fraud or other unlawful activities
6. COOKIES AND TRACKING TECHNOLOGIES
Our website uses cookies and similar tracking technologies.
6.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help us remember your preferences and understand how you interact with our site
6.2 Types of Cookies We Use
| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Essential Cookies | Required for website functionality (e.g., security, session management) | No (legitimate interest) |
| Functional Cookies | Remember your preferences and settings | Yes |
| Analytics Cookies | Track website usage (e.g., Google Analytics, Matomo) | Yes |
| Marketing Cookies | Deliver relevant advertisements | Yes |
6.3 Cookie Consent
For non-essential cookies, we obtain your explicit consent before placing them on your device. You can manage your cookie preferences at any time through our cookie banner or by adjusting your browser settings
Under the POPI Act, direct marketing via electronic communications requires opt-in consent, which cannot be inferred from silence or pre-ticked boxes
6.4 Third-Party Cookies
Some cookies are placed by third-party services that appear on our pages (e.g., analytics providers). We do not control these cookies. Please refer to the relevant third-party privacy policies for more information.
7. DATA SUBJECT RIGHTS
You have specific rights regarding your personal information under applicable laws.
| Right | GDPR | POPIA | Mauritius DPA | Description |
|---|---|---|---|---|
| Right of Access | Art 15 | s 23 | s 38 | Request confirmation of whether we process your data and access to that data |
| Right to Rectification | Art 16 | s 24 | s 39(1) | Request correction of inaccurate or incomplete data |
| Right to Erasure (Right to be Forgotten) | Art 17 | s 24(1)(a) | s 39(2) | Request deletion of your data where there is no lawful basis for retention |
| Right to Restrict Processing | Art 18 | s 24(1)(a) | s 39(3) | Request restriction of processing in certain circumstances |
| Right to Data Portability | Art 20 | Not expressly provided | s 38(3) | Receive your data in a structured, machine-readable format |
| Right to Object | Art 21 | s 11(3) | s 40 | Object to processing based on legitimate interests or for direct marketing |
| Right to Withdraw Consent | Art 7(3) | s 11(4) | s 4(2) | Withdraw consent at any time, without affecting lawfulness of prior processing |
| Right to Lodge a Complaint | Art 77 | s 74 | s 51 | Complain to a supervisory authority |
7.1 Exercising Your Rights
To exercise any of these rights, please contact us at [Insert Email Address]. We will respond within the statutory time-frame (generally 30 days, or one month under GDPR)
We may need to verify your identity before processing your request.
8. DATA SECURITY
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or damage, including:
- Encryption of data in transit (HTTPS / SSL/TLS);
- Firewalls and intrusion detection systems;
- Access controls and authentication protocols;
- Regular security audits and vulnerability assessments;
- Staff training on data protection.
Under GDPR Article 32 and the POPI Act section 19, we are required to ensure a level of security appropriate to the risk
Data Breach Notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (under GDPR) and affected individuals where required
9. DATA RETENTION
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
| Data Category | Retention Period |
|---|---|
| Website usage data (analytics) | 12 months |
| Contact form enquiries | 3 years after last communication |
| Client data (legal services) | 5 years after matter closure (or as required by law) |
| Newsletter subscriptions | Until you unsubscribe |
After the retention period expires, your data will be securely deleted or anonymised
10. INTERNATIONAL DATA TRANSFERS
As a global practice with offices in South Africa and Mauritius, we may transfer your personal information between jurisdictions
10.1 Cross-Border Transfer Safeguards
- Within South Africa: Data remains subject to The POPI Act.
- Within Mauritius: Data remains subject to the DPA.
- To the EU/EEA: Data receives the protection of GDPR.
- To other countries: We only transfer data where:
- The country has adequate data protection laws (as recognised by the European Commission or the Mauritian Data Protection Commissioner);
- We have implemented appropriate safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules);
- You have provided explicit consent; or
- The transfer is necessary for the performance of a contract
- The country has adequate data protection laws (as recognised by the European Commission or the Mauritian Data Protection Commissioner);
- Under Mauritius DPA, cross-border transfers require either adequacy decisions, appropriate safeguards, or explicit consent
11. THIRD-PARTY DISCLOSURES
We may share your personal information with:
- Service providers: IT hosting, email services, analytics providers (e.g., Google Analytics, Matomo);
- Professional advisors: Legal counsel, accountants, insurers;
- Regulatory authorities: Where required by law;
- Courts and tribunals: In connection with legal proceedings.
We require all third parties to respect your privacy and to process your data only on our documented instructions. We have Data Processing Agreements in place with all material third-party processors, as required by GDPR Article 28 and POPIA section 21
12. DIRECT MARKETING
We may use your contact details to send you legal updates, event invitations, and marketing communications where:
- You have given your explicit consent (as required by the POPI Act for electronic communications); or
- We have a legitimate interest (under GDPR) and you have not objected.
You may opt out at any time by clicking the “unsubscribe” link in our emails or by contacting us directly.
Under the POPI Act, direct marketing consent must be:
- Freely given;
- Specific;
- Informed;
- Unambiguous (no pre-ticked boxes)
13. CHILDREN’S PRIVACY
Our website and services are not directed at children under the age of 18. We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us. Under the POPI Act, a competent person (parent/guardian) must consent to the processing of a child’s personal information
14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of material changes by posting the updated policy on our website with a revised “Effective Date”.
We encourage you to review this policy periodically.
15. SUPERVISORY AUTHORITIES
You have the right to lodge a complaint with the relevant data protection authority:
| Jurisdiction | Authority | Contact Details |
|---|---|---|
| South Africa | Information Regulator (South Africa) | www.justice.gov.za/inforeg |
| Mauritius | Data Protection Office | www.dataprotection.govmu.org |
| European Union | Your local Data Protection Authority | edpb.europa.eu |
We encourage you to contact us first so that we may attempt to resolve your concerns.
16. CONTACT US
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
TO: Data Protection Officer / Privacy Officer
Email: Send us an Email