Estratico Privacy Policy (2026)
Last updated: 4 March 2026
1. Identity of the Controller
Estratico (“we”, “us”, “our”) is the controller of personal data processed through the website https://estratico.org.zw and related communication channels.
Controller details
- Legal name: Estratico Technologies
- Business activity: Software development and technology services
- Registered location: Gweru, Zimbabwe
- Principal place of business: Gweru, Zimbabwe
- Website: https://estratico.org.zw
- Email: hello@estratico.org.zw
- Telephone: +263 783 052 192
For purposes of Zimbabwean law, Estratico is a data controller under the Cyber and Data Protection Act [Chapter 12:07] and any regulations made under it, including the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (SI 155 of 2024).
If and when required by law, Estratico will register with or obtain a data controller licence from the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), which is the designated Data Protection Authority.
2. Scope of this Policy
This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you:
- Visit or interact with our website (including pages hosted on Vercel’s platform).
- Interact with code repositories or issue trackers we make publicly available on GitHub.
- Contact us by email, contact forms, or other communication channels.
It does not apply to websites, services, or platforms that we do not own or control (for example, GitHub or Vercel’s own websites); those are governed by their own privacy policies.
3. Categories of Data We Collect
3.1 Data you provide directly
We may collect the following categories of personal data that you provide to us:
- Contact details: Name, email address, telephone number, company or organization, job title.
- Project and enquiry content: Information you provide when requesting proposals, support, or information about our services (project descriptions, technical requirements, timelines, budgets, or other context you voluntarily share).
- Account / collaboration information: If we invite you to collaborate via GitHub or other tools, we may process your username, profile information, and any communications or contributions in project repositories.
- Contract and billing information: Where we enter into a contract with you, we may process postal address, tax or billing details, payment references (but typically not full card details, which are handled by payment processors if used).
- Job applications: If you apply for a role, we may process CVs, cover letters, references, portfolio links, and any other information you submit as part of the recruitment process.
Providing personal data is generally voluntary, but if you choose not to provide certain information, we may not be able to respond to your enquiry or provide some services.
3.2 Data collected automatically
When you visit our website, we and our service providers may automatically collect certain technical and usage data, which may constitute personal data under applicable law:
- Device and usage information: IP address (which we may truncate or anonymise where feasible), browser type and version, operating system, device type, language settings, referring URLs, pages viewed, date and time of visits, time spent on pages, and clickstream data.
- Log data: Server logs generated by our hosting provider and application platform (Vercel), including metadata about requests and responses for security, availability, and troubleshooting purposes.
- Analytics data: Aggregated statistics about page views and events generated through Vercel Web Analytics or similar tools; these are designed not to identify individual visitors and do not rely on third‑party cookies by default.
- Cookies and similar technologies: Our website and third‑party services (e.g. Vercel, GitHub embeds, email providers) may use cookies or similar technologies to enable core functionality, remember preferences, and measure performance.
Where we embed GitHub content (e.g. repository widgets) or link to GitHub, GitHub may collect data such as your IP address, browser information, and interactions with its services under its own privacy statement.
4. Cookies and Similar Technologies
Cookies are small text files stored on your device when you visit a website. We use a combination of strictly necessary cookies and, where configured, optional analytics cookies.
4.1 Types of cookies we may use
- Strictly necessary cookies: Required for website operation, security, load balancing, session management, and basic preferences. They cannot generally be switched off and are usually set in response to actions you take, such as logging in to an admin area or submitting a form.
- Performance and analytics cookies: Help us measure website performance, understand how visitors interact with pages, and improve our content. Depending on configuration, Vercel Web Analytics can operate without third‑party cookies and relies on aggregated, non‑identifying data.
- Functional cookies: May remember choices you make (such as language or region) and provide enhanced features.
We will request your consent for any non‑essential cookies where required by applicable law, particularly for visitors from jurisdictions that mandate prior consent for analytics or tracking technologies.
4.2 Managing cookies
You can manage cookies through your browser settings, including blocking or deleting cookies, and some browsers and privacy tools offer more granular controls. Disabling certain cookies may affect website functionality.
If we use additional analytics (such as Google Analytics through Vercel or directly), we will provide a cookie banner or notice explaining such use and, where required, offer an opt‑in or opt‑out mechanism.
5. Legal Basis for Processing
5.1 Zimbabwean law
Under the Cyber and Data Protection Act [Chapter 12:07], we must ensure that personal data is processed in accordance with data protection principles and the right to privacy, including lawfulness, fairness, purpose specification, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
Our processing is grounded in the following bases recognised by Zimbabwean law:
- Consent: For certain activities, such as using non‑essential cookies or sending some forms of marketing communications, we rely on your explicit or implicit consent, which you may withdraw at any time.
- Contractual necessity: Processing necessary to enter into or perform a contract with you or your organisation, including responding to enquiries, providing services, managing projects, and invoicing.
- Compliance with legal obligations: Processing to comply with record‑keeping, tax, accounting, or regulatory requirements.
- Legitimate interests and similar grounds recognised by the Act: Processing necessary for our legitimate business interests, provided these are not overridden by your rights and freedoms, such as ensuring network and information security, preventing fraud or misuse of our services, and improving our website and offerings.
5.2 International standards (including GDPR‑aligned principles)
For visitors and clients in jurisdictions that recognise legal bases similar to those in the GDPR, we rely on:
- Performance of a contract and pre‑contractual steps: To provide services, respond to requests, and manage our relationship with you.
- Legitimate interests: For purposes such as:
  - Securing and monitoring our infrastructure and services.
  - Understanding website usage to improve content and performance.
  - Communicating with existing clients about service updates and improvements.

  These interests are assessed to ensure they are lawful, clearly articulated, necessary for the purposes described, and balanced against your rights.
- Consent: For specific activities where consent is best practice or required under your local law (e.g. certain cookies, direct marketing).
- Legal obligations: Where we must retain or disclose data in response to applicable laws or lawful requests.
6. Purposes for Which We Use Personal Data
We use personal data for the following purposes:
- Service delivery: Providing software development, consulting, and related technology services, maintaining client relationships, and managing projects.
- Communication: Responding to enquiries, support requests, and feedback submitted through forms, email, or other channels.
- Business operations: Managing contracts, billing, bookkeeping, and related administrative activities.
- Website operation and security: Operating, monitoring, and protecting our website and infrastructure, including detecting and preventing security incidents, abuse, or fraud.
- Analytics and improvement: Analysing aggregated usage patterns to improve our website’s content, user experience, and performance.
- Legal and compliance: Complying with our legal obligations, responding to lawful requests from authorities, and protecting our legal rights and the rights of others.
- Recruitment: Evaluating candidates and managing recruitment processes when you apply for roles with us.
We will not use your personal data for purposes that are incompatible with those described in this Policy without informing you and, where required, obtaining your consent.
7. Third‑Party Services and Disclosures
We may share personal data with selected third parties in the following situations, always subject to appropriate contractual safeguards and, where applicable, data processing agreements.
7.1 Hosting and infrastructure
- Vercel: Our website is hosted on Vercel’s platform. Vercel processes technical and analytics data (such as request logs and aggregated usage metrics) to deliver, secure, and improve its platform. Vercel Web Analytics is designed to collect anonymised, aggregated data, without third‑party cookies by default. Vercel acts primarily as a data processor on our behalf for hosting and analytics.
- Other infrastructure providers: We may use additional infrastructure or cloud service providers for DNS, content delivery, or backups, which may process technical data to deliver those services.
7.2 Source code hosting and collaboration
- GitHub: Our public code repositories are hosted on GitHub, Inc. or its affiliates. When you visit our repositories, star or fork projects, open issues, or contribute code, GitHub processes your personal data in accordance with its own Privacy Statement, which covers cookies, device information, analytics, and other uses. We may view your public profile information and contributions in connection with managing our projects.
7.3 Email and communications
- Email service providers / SMTP relays: We may use third‑party email or transactional email providers to send and receive email (including contact‑form submissions). These providers process contact details and message content as necessary to deliver communications.
- Support and productivity tools: If we use customer relationship management (CRM), ticketing, or productivity tools (e.g. to track enquiries or tasks), these may process names, contact details, and related communication metadata.
7.4 Professional advisers and authorities
We may disclose personal data to:
- Professional advisers: Lawyers, accountants, auditors, or consultants who need access to such information to advise us, subject to confidentiality obligations.
- Regulators and public authorities: Including POTRAZ and other competent authorities, if required by law or to comply with regulatory obligations, investigations, or orders.
- Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the new owner, subject to continued protection consistent with this Policy.
We do not sell personal data.
8. International Transfers
Our use of third‑party service providers (such as Vercel and GitHub) may result in your personal data being processed in countries outside Zimbabwe, including the European Economic Area (EEA) and the United States.
Where we transfer personal data across borders, we will take appropriate measures to ensure that such transfers comply with applicable data protection requirements, which may include:
- Using providers that offer adequate data protection safeguards recognised in their jurisdictions.
- Incorporating contractual clauses that impose data protection obligations similar to those in Zimbabwean law and GDPR‑aligned standards.
- Minimising the data transferred and, where feasible, pseudonymising or anonymising data before transfer.
9. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, or reporting requirements.
Indicative retention periods:
- Enquiries and contact forms: Typically kept for up to 2 years after the last interaction, unless they lead to a contract, are needed to resolve a dispute, or must be kept longer under law.
- Client and contract data: Retained for the duration of the relationship and for a reasonable period thereafter (often 5–7 years) to comply with legal obligations and for record‑keeping.
- Technical and analytics logs: Retention depends on our and our providers’ configuration; logs are typically kept for a limited period necessary for security, troubleshooting, and analytics, after which they may be anonymised or deleted.
- Recruitment data: Kept for the recruitment process and for a limited period afterwards (for example, 1–2 years) subject to applicable law and consent where required.
When personal data is no longer needed, we will securely delete or anonymise it, unless we must retain it to comply with legal obligations or to establish, exercise, or defend legal claims.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures include, as appropriate:
- Technical measures: Use of secure protocols (HTTPS/TLS) for data in transit; encryption of data at rest where supported by our hosting and service providers; secure configuration of servers; access controls; and logging of access to systems handling personal data.
- Organisational measures: Limiting access to personal data to personnel and contractors who need it for their role, subject to confidentiality obligations; maintaining policies and training on data protection and information security; and reviewing third‑party providers’ security practices.
- Risk management: Conducting periodic assessments of risks to personal data and updating our controls where necessary, in line with SI 155’s emphasis on secure processing and continuous improvement.
While we strive to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. If we become aware of a data breach affecting personal data, we will assess the impact and, where required, notify POTRAZ within the applicable timeframe and, if necessary, affected individuals.
11. Data Controller Licensing and DPO
Under SI 155 of 2024, organisations that process personal data as data controllers may be required to obtain a licence from POTRAZ and to appoint a Data Protection Officer (DPO), particularly where data processing is substantial, involves sensitive data, or includes cross‑border transfers.
Estratico will:
- Assess whether its data processing activities require a data controller licence and, if so, obtain and renew such licence within the required timeframes.
- Appoint a DPO if and when required as a condition of licensing, and ensure that the DPO has appropriate qualifications, training, and independence to perform the role.
11.1 Data Protection Officer contact
If a DPO is appointed, their contact details will be updated here.
Until a DPO is formally appointed, you may direct data protection queries to:
- Email: privacy@estratico.org.zw
12. Your Rights
Subject to applicable law, you have various rights in relation to your personal data.
Under the Cyber and Data Protection Act [Chapter 12:07] and related regulations, and in line with international standards such as GDPR‑aligned principles, you may have the right to:
- Access: Obtain confirmation as to whether we process your personal data and, if so, receive a copy and information about the processing.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected or where you withdraw consent and there is no other legal basis.
- Restriction: Request that we restrict processing in specific situations (e.g. while we verify accuracy or assess an objection).
- Objection: Object to certain types of processing based on legitimate interests, including profiling related to those interests, and to direct marketing at any time.
- Data portability (where applicable): Receive personal data that you provided to us in a structured, commonly used, and machine‑readable format and transmit it to another controller where technically feasible and legally required.
- Withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
We will respond to rights requests within the time limits set by applicable law and may need to verify your identity before fulfilling your request.
13. How to Exercise Your Rights
To exercise any of your rights or to make a data protection enquiry, please contact us using one of the following:
- Email: support@estratico.org.zw
Please:
- Describe the right you wish to exercise and the data or processing to which your request relates.
- Provide sufficient information for us to verify your identity and locate your data.
If we cannot fully comply with your request (for example, because of legal obligations or the rights of others), we will explain the reasons, to the extent permitted by law.
14. Complaints and Contacting POTRAZ
If you believe that we are processing your personal data in breach of applicable data protection laws, you are encouraged to contact us first so that we can attempt to resolve your concern.
You also have the right to lodge a complaint with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), which acts as the Data Protection Authority under the Cyber and Data Protection Act.
POTRAZ contact details (Please verify current contact details on the official POTRAZ website before use.)
- Website: https://www.potraz.gov.zw
- Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) – Data Protection Authority
If you are located in another jurisdiction, you may also have the right to lodge a complaint with your local data protection authority.
15. Children’s Data
Our website and services are intended for business and professional audiences and are not directed at children. We do not knowingly collect personal data from children without appropriate consent or authorisation as required by law.
If you believe that a child has provided us with personal data without appropriate consent, please contact us so that we can take appropriate steps to delete such data where required.
16. Automated Decision‑Making
We do not use personal data collected through our website to make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant impacts on individuals.
If this changes in the future, we will update this Policy and provide any notices and safeguards required by law.
17. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
When we make material changes, we will update the “Last updated” date at the top of the Policy and, where appropriate, notify you through our website or by other means. Your continued use of our website or services after changes take effect will signify your acceptance of the updated Policy.
18. Contact Us
If you have any questions about this Privacy Policy or how we handle personal data, please contact us at:
- Email: hello@estratico.org.zw
We recommend that you review this Policy periodically and consult your legal adviser to confirm that your actual practices, licensing status, and DPO arrangements remain compliant with Zimbabwean law and relevant international standards.