Effective date: 21 April 2026 · Next scheduled review: 21 April 2027
Hinc Group (Pty) Ltd, together with its affiliated entities and operating divisions (collectively "Hinc Group", "we", "us", or "our"), is committed to protecting the privacy and personal information of every individual who interacts with our business. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA), the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK General Data Protection Regulation (UK GDPR), and all other applicable data protection laws in the jurisdictions in which we operate.
This Policy applies to personal information collected through our website at hincgroup.com, through direct client engagements, through our training and consulting programmes, and through any other channel by which individuals provide information to Hinc Group. By engaging with us, you acknowledge that you have read and understood this Policy.
We reserve the right to amend this Policy at any time. Material changes will be communicated by updating the effective date above and, where appropriate, by direct notification to affected data subjects. Continued engagement with Hinc Group after any amendment constitutes acceptance of the revised Policy.
For the purposes of POPIA and equivalent legislation, Hinc Group (Pty) Ltd is the Responsible Party (also referred to as Data Controllerunder the GDPR). Our contact details are set out below.
| Registered name | Hinc Group (Pty) Ltd |
| Principal office | Pretoria, South Africa |
| Additional offices | Dubai (UAE) · London (UK) · Singapore |
| UK correspondence | 52 Swindon Lane, Cheltenham, Gloucestershire GL50 4NS |
| [email protected] | |
| Website | hincgroup.com |
Any queries, requests, or complaints relating to this Policy should be directed to our designated Information Officer at [email protected].
We collect only the personal information that is necessary, adequate, and relevant to the specific purpose for which it is collected. The categories of personal information we may collect include, but are not limited to, the following.
| Category | Examples |
|---|---|
| Identity information | Full name, job title, professional registration numbers |
| Contact information | Email address, telephone number, postal address |
| Professional information | Employer, industry sector, qualifications, CV/résumé data |
| Enquiry and correspondence data | Content of messages, proposals, and service requests submitted to us |
| Training and programme data | Attendance records, assessment results, competency profiles |
| Financial information | Billing address, invoice details (not payment card data) |
| Technical and usage data | IP address, browser type, pages visited, session duration (website analytics) |
| Cookie and tracking data | Preferences, session identifiers (see Section 11) |
| Sensitive personal information | Only collected where strictly necessary and with explicit consent (e.g., health information for on-site training) |
We do not knowingly collect personal information from individuals under the age of 18 without the consent of a competent person as defined under POPIA. If you believe we have inadvertently collected such information, please contact us immediately.
Personal information is collected through the following channels: directly from you when you complete a contact form, submit an enquiry, register for a training programme, or enter into a consulting engagement with us; from third parties such as referral partners, professional directories, or publicly available sources where permitted by law; and automatically through our website via cookies and analytics tools when you browse our digital properties. We will always inform you at the point of collection of the purpose for which your information is being collected.
We process personal information only for specific, explicitly defined, and lawful purposes. The table below sets out the primary purposes of processing and the corresponding legal basis under POPIA and the GDPR.
| Purpose | Legal Basis (POPIA / GDPR) |
|---|---|
| Responding to enquiries and service requests | Contractual necessity / Legitimate interest |
| Delivering consulting and training services | Performance of contract |
| Issuing invoices and managing accounts | Legal obligation / Contractual necessity |
| Sending service-related communications | Contractual necessity / Legitimate interest |
| Marketing communications (where opted in) | Consent |
| Improving our website and services | Legitimate interest |
| Complying with legal and regulatory obligations | Legal obligation |
| Protecting our legal rights and interests | Legitimate interest |
| Health and safety management on-site | Legal obligation / Vital interest |
We will not process your personal information for any purpose incompatible with the purposes listed above without first obtaining your consent or establishing a separate lawful basis for doing so.
Hinc Group does not sell, rent, or trade personal information to third parties for their own marketing purposes. We may share personal information with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate confidentiality and data protection obligations.
Service providers and operators: Third-party suppliers who process personal information on our behalf, including cloud hosting providers, email delivery platforms, analytics providers, and accounting software vendors. All such operators are required to process personal information only on our documented instructions and in accordance with applicable data protection law.
Professional advisers: Lawyers, auditors, insurers, and other professional advisers who require access to personal information in the course of providing their services to Hinc Group, subject to professional confidentiality obligations.
Regulatory and law enforcement authorities: Where we are required to do so by law, court order, or regulatory directive, or where disclosure is necessary to protect the rights, property, or safety of Hinc Group, our clients, or the public.
Business transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal information may be transferred to the acquiring entity, subject to equivalent privacy protections.
Client organisations: Where you are a participant in a training or consulting programme sponsored by your employer, we may share programme participation and assessment data with the sponsoring organisation as part of our contractual obligations, subject to the terms of our engagement agreement.
Given that Hinc Group operates across South Africa, the United Arab Emirates, the United Kingdom, and Singapore, personal information may be transferred to and processed in jurisdictions outside the country in which it was collected. We will only transfer personal information across borders where an adequate level of protection is ensured, either by virtue of the receiving country's data protection laws, by contractual safeguards (such as standard contractual clauses approved by the relevant supervisory authority), or by the explicit consent of the data subject.
Where personal information of South African data subjects is transferred outside the Republic, we comply with the requirements of Section 72 of POPIA. Where personal information of EU or UK data subjects is transferred to third countries, we implement appropriate safeguards in accordance with Chapter V of the GDPR and the UK GDPR respectively.
We retain personal information only for as long as is necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following general retention periods apply, subject to any longer period required by law or legitimate business necessity.
| Category | Retention Period |
|---|---|
| Client engagement records | 7 years from conclusion of engagement |
| Training and assessment records | 5 years from programme completion |
| Financial and invoicing records | 7 years (statutory requirement) |
| Website enquiry and contact form data | 3 years from date of enquiry |
| Marketing consent records | Until consent is withdrawn, then 1 year |
| Website analytics data (anonymised) | 26 months (rolling) |
| Employee and contractor records | As required by applicable labour law |
Upon expiry of the applicable retention period, personal information will be securely destroyed or de-identified in accordance with our data destruction procedures.
Hinc Group implements appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, loss, or destruction. These measures include, but are not limited to, encryption of data in transit and at rest, access controls and role-based permissions, regular security assessments and penetration testing, staff training on data protection obligations, and incident response procedures aligned with the notification requirements of POPIA and the GDPR.
Notwithstanding the foregoing, no method of electronic transmission or storage is entirely secure. While we take all reasonable precautions, we cannot guarantee the absolute security of personal information transmitted to or stored by us. In the event of a personal information breach that poses a risk of harm to data subjects, we will notify the relevant supervisory authority and affected individuals in accordance with applicable legal requirements.
Subject to the conditions and limitations set out in applicable data protection law, you have the following rights in relation to your personal information held by Hinc Group.
| Right | Description |
|---|---|
| Right of access | To request a copy of the personal information we hold about you. |
| Right to correction | To request correction of inaccurate or incomplete personal information. |
| Right to erasure | To request deletion of your personal information where no lawful basis for continued processing exists. |
| Right to object | To object to processing based on legitimate interest or for direct marketing purposes. |
| Right to restrict processing | To request that we limit the processing of your personal information in certain circumstances. |
| Right to data portability | To receive your personal information in a structured, machine-readable format (GDPR/UK GDPR data subjects). |
| Right to withdraw consent | To withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing. |
| Right to lodge a complaint | To lodge a complaint with the Information Regulator (South Africa), the ICO (UK), or the relevant supervisory authority in your jurisdiction. |
To exercise any of the above rights, please submit a written request to [email protected]. We will respond within the timeframe prescribed by applicable law (30 days under POPIA; one month under the GDPR, with the possibility of a two-month extension for complex requests). We may require you to verify your identity before processing your request.
Our website uses cookies and similar tracking technologies to enhance user experience, analyse site traffic, and support our marketing activities. A cookie is a small text file placed on your device when you visit our website. We use the following categories of cookies.
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Essential for the website to function (session management, security) | No |
| Functional | Remember your preferences and settings | Yes |
| Analytics | Understand how visitors use our website (anonymised where possible) | Yes |
| Marketing | Deliver relevant advertising and track campaign performance | Yes |
You may manage or withdraw your consent to non-essential cookies at any time through your browser settings or by contacting us at [email protected]. Please note that disabling certain cookies may affect the functionality of our website.
Our website may contain links to third-party websites, social media platforms, and external resources. This Policy does not apply to those third-party sites, and Hinc Group accepts no responsibility or liability for their privacy practices or content. We encourage you to review the privacy policies of any third-party sites you visit.
Our services are directed at business professionals and organisations and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will take immediate steps to delete that information from our records.
Hinc Group does not make decisions about individuals that produce legal or similarly significant effects based solely on automated processing, including profiling. Where automated tools are used to assist in service delivery or communications, a human review process remains in place for any consequential decisions.
If you have a concern about how we have handled your personal information, we encourage you to contact us in the first instance at [email protected]so that we may attempt to resolve the matter. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.
| Jurisdiction | Supervisory Authority | Website |
|---|---|---|
| South Africa | Information Regulator | inforegulator.org.za |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| European Union | Relevant national DPA | edpb.europa.eu |
| UAE (DIFC) | DIFC Commissioner of Data Protection | difc.ae |
To the maximum extent permitted by applicable law, Hinc Group shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from or related to any breach of this Policy or any unauthorised access to personal information, except where such liability cannot be excluded by law. Our total aggregate liability in connection with this Policy shall not exceed the amount paid by you, if any, for the services giving rise to the claim in the twelve months preceding the event giving rise to liability.
This Policy is governed by and construed in accordance with the laws of the Republic of South Africa. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of the Republic of South Africa, without prejudice to the rights of data subjects in other jurisdictions to seek remedies before their local supervisory authorities or courts as permitted by applicable law.
We review this Privacy Policy at least annually and whenever there is a material change to our processing activities or applicable law. The current version will always be available at hincgroup.com/privacy-policy. Where changes are material, we will notify affected data subjects by email or by a prominent notice on our website prior to the change taking effect.
For all privacy-related queries, access requests, or complaints:
We aim to respond to all requests within 30 days. Complex requests may take up to 90 days; we will notify you if an extension is required.