Joint Privacy Policy
UK GDPR · EU GDPR · POPIA · Last updated: March 2026
1. About this policy
This Joint Privacy Policy applies to two related entities operating within the same group:
Sports Tech Africa Limited T/A STZA®
- Registered in England & Wales, Company Number: 16850337
- UK data controller registered with the Information Commissioner's Office (ICO), Reference: C1880558
- Website: stza.io
African Sports Technology Network (Pty) Ltd ("AfricanSTN")
- Registered in South Africa, Company Registration Number: 2026/020895/07
- Responsible Party under POPIA, Information Regulator Registration: 2026-002350
- Website: africanstn.com
Sports Tech Africa Limited ("STZA") is the UK parent entity. African Sports Technology Network (Pty) Ltd ("AfricanSTN") is its South African operating subsidiary. Each entity is a controller/responsible party in respect of its own processing activities. Where the two entities jointly determine the purposes and means of processing (for example, shared infrastructure and group administration), they act as joint controllers/responsible parties.
This policy explains how we collect, use, store, and protect your personal information. It applies regardless of which website or platform you access. For South African data subjects, this policy should be read alongside AfricanSTN's PAIA Manual prepared in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000, which is available on request from privacy@stza.io.
2. Applicable law
We process personal information in compliance with the following legal frameworks:
- United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 — applicable to Sports Tech Africa Ltd and to data subjects in the United Kingdom.
- EU General Data Protection Regulation (EU GDPR) — applicable where EU data subjects are involved.
- South African Protection of Personal Information Act 4 of 2013 (POPIA) — applicable to African Sports Technology Network (Pty) Ltd and to data subjects in South Africa.
- Promotion of Access to Information Act 2 of 2000 (PAIA) — governs access to information requests directed at AfricanSTN.
Where the frameworks overlap, we apply the higher standard of protection.
3. Information officer
The Information Officer responsible for data protection compliance across both entities is:
Nikola Mladenovic CA(SA)
Director, Sports Tech Africa Ltd & African Sports Technology Network (Pty) Ltd
Email: privacy@stza.io
A Deputy Information Officer may be designated for South African operational matters as the business scales. Details will be updated in this policy when appointed.
4. Information we collect
4.1 Information you provide directly
You may provide personal information when you contact us, request information, subscribe to updates, join our community or membership platform, register for events, or respond to surveys. This may include:
- Name and surname
- Email address and contact details
- Company name and role
- Country, province, and city
- Professional interests, sector, and technology focus areas
- Membership preferences and ecosystem role
- Payment details (for membership or training services)
- Any information shared during consultations or correspondence
4.2 Information collected automatically
When you visit our websites, we may automatically collect your IP address, browser type and device information, pages visited and usage patterns, and data via cookies or similar tracking technologies (see Section 11).
4.3 Community and membership platform information
If you join our community or membership platform, we may collect additional voluntary information including profile details (biography, skills, interests), company and sector details, directory visibility preferences, training and event attendance records, and records of participation in forums or discussions. You may update or delete this information at any time.
5. How and why we use your information
5.1 Purposes of processing by data subject category
| Data subject category | Purpose of processing | Lawful basis |
|---|---|---|
| Website visitors | Website analytics, performance improvement, security monitoring | Legitimate interest (GDPR Art 6(1)(f) / POPIA S11(1)(f)) |
| Enquiry contacts | Responding to enquiries, providing requested information | Consent (GDPR Art 6(1)(a)) / Legitimate interest |
| Ecosystem community contacts | Networking, partnership exploration, ecosystem development, business development | Legitimate interest (GDPR Art 6(1)(f) / POPIA S11(1)(f)) |
| Members and training participants | Membership administration, training delivery, CPD tracking, event management | Contractual necessity (GDPR Art 6(1)(b) / POPIA S11(1)(b)); Consent for marketing |
| POPIA representation clients | Delivery of POPIA representation and compliance services | Contractual necessity (GDPR Art 6(1)(b) / POPIA S11(1)(b)) |
| Distribution partners | Distribution partnership management, commercial relationship management | Contractual necessity / Legitimate interest |
| STZA advisory clients | Fractional FD and advisory service delivery | Contractual necessity (GDPR Art 6(1)(b)) |
| Suppliers and service providers | Procurement, payment, contract management | Contractual necessity (GDPR Art 6(1)(b) / POPIA S11(1)(b)) |
5.2 General uses
Across all categories, we may also use your information to maintain compliance with UK GDPR, EU GDPR, POPIA, and other applicable legislation, and to protect our legal rights and the security of our systems. We do not use your information for automated decision-making or profiling.
6. Direct marketing
We may send you marketing communications about our services, events, membership opportunities, and industry updates where you have given your consent, or where we have a legitimate interest and you have not objected.
Under POPIA Section 69, we will only send direct marketing communications by electronic means where we have obtained your prior consent. You have the right to opt out of direct marketing at any time by contacting privacy@stza.io or using the unsubscribe mechanism in any marketing communication.
Under UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR), we rely on either your consent or the "soft opt-in" exemption (where you have an existing relationship with us and the communication relates to similar services). You may opt out at any time.
AfricanSTN maintains a direct marketing opt-out register in accordance with POPIA Section 69(3). Any person who has opted out will not be contacted for direct marketing purposes.
7. Information sharing
We do not sell or rent your personal information to third parties. We may share your information only in the following circumstances:
7.1 Third-party service providers (operators/processors)
We engage trusted third-party service providers to assist in operating our services. These providers process personal information on our behalf under written agreements that comply with GDPR Article 28 and POPIA Section 21. Current providers include:
- Google LLC (Google Workspace) — email, document storage, and cloud infrastructure
- Notion Labs Inc. — community database hosting
- Netlify Inc. — website hosting
- Xero Limited — accounting and financial record-keeping
We conduct due diligence on all service providers and maintain a register of operators/processors in our Data Protection Compliance Framework.
7.2 Intragroup sharing
Personal information may be shared between STZA and AfricanSTN for group administration purposes, governed by an Intragroup Data Transfer Agreement.
7.3 Legal obligations
We may disclose personal information where required to comply with applicable law, including court orders, regulatory requirements, or law enforcement requests.
7.4 Protection of rights
We may disclose personal information where necessary to protect our legal rights, your rights, or the security of our systems.
7.5 With your consent
We will obtain your prior consent before making your profile visible in community directories, sharing your information with partners or collaborators, or using your information for any purpose not described in this policy.
8. International data transfers
Because we operate across the United Kingdom and South Africa, and use service providers based in other jurisdictions (including the United States), your personal information may be transferred between countries. Such transfers are protected by the following mechanisms:
- Intragroup Data Transfer Agreement between STZA and AfricanSTN, providing adequate protection for transfers between the UK and South Africa.
- Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission, incorporated into our agreements with Google and Notion.
- Binding agreements with adequate protection provisions as required by POPIA Section 72(1)(a) for transfers of South African data subjects' information.
- Adequacy assessments where the receiving country has been assessed as providing a level of protection substantially similar to POPIA.
Transfer Impact Assessments are conducted for each service provider. All international transfers comply with UK GDPR, EU GDPR, and POPIA.
9. Data security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Two-factor authentication (2FA) on all business accounts
- Encryption in transit and at rest across all cloud platforms
- Device encryption on all laptops and mobile devices
- Strong password policy with password management tools
- Access controls restricting personal information to authorised users only
- Regular review of security measures and third-party access
No method of digital storage or transmission is entirely secure. We follow industry best practices and will notify affected individuals and the relevant regulators in the event of a data breach as required by law.
10. Data retention
| Record category | Retention period |
|---|---|
| Website analytics data | 26 months |
| Enquiry and correspondence records | 3 years from last contact |
| Ecosystem community contacts | Until purpose is fulfilled or you object/opt out (reviewed annually) |
| Membership and training records | Duration of membership plus 3 years |
| Client engagement records (POPIA representation) | Duration of engagement plus 5 years |
| STZA advisory client records | Duration of engagement plus 7 years |
| Financial records | 7 years from end of financial year |
| Regulatory correspondence | Retained indefinitely for compliance purposes |
You may request deletion of your information at any time. Please refer to Section 12 for how to exercise this right.
11. Cookies and tracking technologies
Cookies are small text files placed on your device when you visit a website. Our websites (stza.io and africanstn.com) are hosted on Netlify, which may set cookies on your device as part of its hosting infrastructure. We use the following categories of cookies:
- Strictly necessary cookies — essential for the website to function (session management, security, form submission). These cannot be disabled and do not require consent. Duration: session or as required.
- Performance and analytics cookies — collect aggregated, anonymous information about how visitors use our websites. Duration: up to 12 months. These require your consent.
- Functionality cookies — remember your settings and preferences (including your colour theme preference). Duration: session or persistent. These require your consent.
We do not currently use marketing or advertising cookies. If this changes, we will update this policy and obtain your consent before deploying such cookies.
You can manage cookies through your browser settings. Disabling non-essential cookies will not affect core website functionality.
Once the sites are fully established, a cookie consent banner will be implemented on both websites to allow you to manage your cookie preferences.
12. Your rights
12.1 UK and EU data subjects (UK GDPR / EU GDPR)
You have the right to: access your personal information (Article 15); request correction of inaccurate or incomplete data (Article 16); request erasure of your data (Article 17); object to processing, including for direct marketing purposes (Article 21); restrict processing in certain circumstances (Article 18); withdraw consent at any time, without affecting the lawfulness of prior processing; and receive a copy of your data in a structured, machine-readable format (data portability, Article 20).
12.2 South African data subjects (POPIA)
You have the right to: be notified that your personal information is being collected and the purpose thereof (Section 18); access your personal information held by us (Section 23); request correction or deletion of inaccurate or unlawfully processed information (Section 24); object to the processing of your personal information (Section 11(3)); object to direct marketing (Section 69); and submit a complaint to the Information Regulator.
Formal access requests under POPIA must be submitted using the prescribed Form 2, available from the Information Regulator's website at inforegulator.org.za or on request from privacy@stza.io.
12.3 How to exercise your rights
To exercise any of your rights, please contact us at privacy@stza.io. We will acknowledge your request within 5 business days and respond substantively within the timeframes required by applicable law (30 days under POPIA; one month under UK GDPR/EU GDPR).
13. Community and membership platform
If you join our community or membership platform: you control what information appears on your profile; you may change your visibility settings or delete your account at any time; your posts in forums or discussions may be visible to other members; we will never publish your profile externally without your explicit consent; and networking and collaboration features are opt-in only.
14. Special personal information and children's data
We do not directly collect or process special personal information (as defined in POPIA Section 26 or GDPR Article 9) or children's data through our websites or membership platform.
In the course of providing POPIA representation services, AfricanSTN may receive regulatory correspondence that references special personal information or children's data processed by its clients. Enhanced security measures and data minimisation protocols are applied to any such records.
15. Complaints
If you believe your personal information has been mishandled, please contact us first at privacy@stza.io. We will acknowledge your complaint within 5 business days and provide a substantive response within 20 business days.
If you remain dissatisfied, you have the right to lodge a complaint with the relevant supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- South Africa: Information Regulator — inforegulator.org.za · POPIAComplaints@inforegulator.org.za
- European Union: Your local Data Protection Authority.
16. Changes to this policy
We may update this Joint Privacy Policy from time to time. The latest version will always be posted on our websites with the updated date shown at the top of the document. Material changes will be communicated to affected individuals where practicable. Continued use of our websites or services following any update constitutes acceptance of the revised policy.
17. Contact us
Sports Tech Africa Limited T/A STZA®
Registered in England & Wales · Company Number: 16850337
ICO Registration: C1880558
Email: privacy@stza.io
Website: stza.io
African Sports Technology Network (Pty) Ltd
Registered in South Africa · Company Registration Number: 2026/020895/07
Information Regulator Registration: 2026-002350
208 Doonside, Leicester Road, Bedford Gardens, Gauteng, 2007
Email: privacy@stza.io
Website: africanstn.com