Privacy policy

At How might We, we follow the highest standards of protecting your personal information when we process it. 

We understand that your personal information is important to you and that some people may be uneasy about sharing it. Your privacy is just as important to us and we are dedicated to protecting and collecting your information in a lawful manner. We want to do our best to ensure that you understand how and why we may process your information. For that reason, we have created this privacy policy for you to read and to understand how we safeguard your personal information and respect your privacy (“Privacy Policy”).

Purpose of this privacy policy

This Privacy Policy aims to give you information on how we collect and process your personal information through any form of your engagement with us. This Privacy Policy complies with, and facilitates the obligations required from, the South African Protection of Personal Information Act, No. 4 of 2013 (“POPIA”), as amended. 

It is important that you read this Privacy Policy together with any other privacy notices we may share when we are collecting or processing personal information about you, so that you are fully aware of how and why we are using your personal information. This Privacy Policy supplements any other notices and is not intended to override them.

Due to the nature of our services we may process the data of minors or special categories of personal information as part of the research project we are hired to undertake.

Responsible party and operator

How Might We is the “Responsible Party” and carries responsibility for your personal information when we decide how to process it. Most of the time, we are an “Operator” of personal information on behalf of a Responsible Party (our client) who hires us to perform  a service on their behalf. In that case, that client’s privacy policy will apply to you.

We have appointed an information officer at How Might We who is responsible for overseeing questions about this Privacy Policy. If you have any questions about this Privacy Policy or want to exercise your legal rights, please contact our information officer.

Changes to this Privacy policy 

This Privacy Policy was last updated on 13 May 2025 and previous versions are archived and can be provided on request.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

This Privacy Policy is subject to change without notice and is updated or amended from time to time and will be effective once we upload the amended version to our website. Your continued participation in our services or projects constitutes your acceptance of this Privacy Policy, as amended. It is your responsibility to read this document periodically to ensure you are aware of any changes.

Third-party links

Our website may include links to third-party platforms, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share information about you. We do not control these third-party platforms and are not responsible for their privacy statements or terms. When you leave our website, or engage with such third parties, we encourage you to read the distinct privacy policy of every third-party you engage with.

During your time with us, we may collect, use, store, and transfer (“process”) different kinds of personal information about you depending on the type of interaction we have. We have grouped all of the types as follows:

Identity data including identity number, full name, marital status, title, occupation, date of birth, gender, race, legal status, photographs or information about your company such as company name, address and/or company registration details, company registration documents, 

Contact data including residential address, business address, email address, and contact numbers.

Research data, including stories and information that you willingly tell us during our research sessions. 

Social media data including all information publicly available through your public social media accounts including posts, stories, likes and comments.

Transaction data including details about payments to and from you, contracts, contractual terms, contract fees, subscriptions, invoices and other details of services you have obtained from us or provide to us.

Technical data including internet protocol address/es, browser type and version, time zone setting and location, cookies, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and services or interact with us.

Usage data including information about how you use our company, our website, surveys, and services. 

Marketing and communications data including messages sent to us about your preferences in receiving notices and marketing from us and our clients, your communication preferences, details of which communications were sent to you, how they were sent and your interaction with them.

We may also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal information but is not considered personal information in law because it’s anonymised. If we combine Aggregated Data with your personal information and you may thereafter be directly or indirectly identified, we will treat this combined data as personal information and process it in accordance with this Privacy Policy.

We may need to collect certain of the above personal information by law, or under the terms of a contract we have with you. If you cannot provide the minimum requested data to us or do not consent to our processing of your data, we may not be able to perform the contract of service we have or are trying to enter into with you and you may therefore be unable to receive a complete and comprehensive service from us. Therefore, if you decide not to provide us with the necessary personal information, you understand that you cannot participate in a research project with us.

We use different methods to collect personal information from and about you, including through:

Direct interactions: You may give us your personal information by participating in one or more of our research projects, or by corresponding with us through our website, by WhatsApp, email or otherwise.

Automated technologies or interactions: As you interact with our website and online forms, we may automatically collect technical data and usage data about your equipment, browsing actions and patterns. We may collect this personal information by using cookies, server logs and other similar technologies. 

Third parties: We may receive personal information about you from various third parties such as:

• analytics providers; 
• marketing platforms; 
• messaging platforms such as WhatsApp;
• search information provider

Our reasons for processing personal information therefore include one or more of the following: 

• to engage with you after you have agreed to participate in one of our research projects or have requested our services as a client;
• to conduct and assist research sessions and for the business interests of our company and our client; 
• to allow you to use our services and to provide you with our services as contracted;
• to contract with you as a service provider to How Might We;
• to share research data and information with our client who hired us to undertake the research project and any third parties they appoint to research such information as well; 
• to process and service your payment for any services we render;
• to manage payments, fees, and charges;
• to meet our regulatory and compliance requirements; 
• to manage our relationship with you which may include notifying you about changes to our contracts, consent forms, Privacy Policy, or services or the delivery of communications and the effectiveness thereof;
• to administer and protect our company, website and services (including troubleshooting, data analysis, testing, support, reporting and hosting of data);
• to use data analytics to improve our services, client relationships and experiences; and
• to provide you with direct marketing where applicable or communications about the project and its outcome that may be of interest to you. 

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules and where required or permitted by law.

We strive to provide you with choices regarding how we use your personal information, particularly around marketing and advertising. To manifest your rights attached to any marketing sent to you as an existing client or a research participant, please use the in-built prompts provided on those communications, or contact us directly.

You may receive marketing communications from us if you have requested our services, requested information from us, participated in a research project or provided us with your details in any other circumstance and, in each case, have not opted-out of receiving marketing from us. Where you opt-out of receiving marketing messages, this opt-out will not apply to other personal information of yours which we process for another lawful basis.

All personal information which you provide to us will be securely stored electronically on Google Drive and the recordings will also be stored on a private password-protected Vimeo channel. Only How Might We and our relevant clients will have access to the files on Google Drive and Vimeo. This information will be encrypted using Google Drive and Vimeo’s HTTPS encryption. 

Once this information is no longer required, due to the fact that the research session or study has been completed, your data will be safely and securely archived for a period of 7 (seven) years or longer should this be required by any other law applicable in South Africa. Thereafter, all your personal information will be permanently destroyed.

We may also anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

We may have to share your personal information with the parties set out below for the purposes described above.

• Internal Third Parties including other companies within our group and their respective directors and employees, who will act as joint responsible parties or operators. 
• External Third Parties including: 
• our client who has hired us to undertake a research project on their behalf. They are the responsible party and all the personal information we gather is therefore their responsibility which we share with them safely and securely; 
• authorised third-party service providers under contract with us who need your personal information to provide their services to you as a consequence of engaging with us;
• service providers and contractors providing their services to us and acting as operators of your personal information on instruction from us;
• South African or other national governments and/or their respective authorities pursuant to our adherence with legislative requirements; such as tax; and 
• professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services to us as and when required.
• Third parties to whom we may choose to sell, transfer, or merge parts of our company or our assets. Alternatively, we may seek to acquire other organisations or merge with them. If a change happens to our company, we may continue to use your personal information in the same way as set out in this Privacy Policy.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information in accordance with our instructions and standards.

We may make use of “cookies” to automatically collect information and data through the standard operation of the internet servers. “Cookies” are small text files a website can use (and which we may use) to recognise repeat users, facilitate the user’s on-going access to and use of a feature and allow a website to track user behaviour and compile aggregate data that will allow the website operator to improve the functionality of the website and its content, and to display more focused advertising to a user by way of third party tools. 

The type of information collected by cookies is not used to personally identify you. If you do not want information collected using cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature. Please note that cookies may be necessary to provide you with certain features available on our website and thus if you disable the cookies on your browser you may not be able to use those features, and your access to our website may therefore be limited. If you do not disable “cookies”, you are deemed to consent to our use of any personal information collected using those cookies, subject to this Privacy Policy and our other policies or terms.

We may share and process your personal information outside of South Africa for the purpose of cloud storage or to engage with third party service providers such as software providers and contractors. 

Whenever we may transfer your personal information out of South Africa, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal information to countries that have appropriate data protection legislation in place similar to that of South Africa; and/or
• Where we use service providers, we will use specific contracts/clauses which ensure personal information is processed and secured lawfully.

You have rights in relation to your personal information where we are the relevant “Responsible Party” over such personal information. Please contact us to find out more about, or manifest, these rights:

• request access to your personal information;
• request correction of your personal information;
• request erasure of your personal information;
• object to the processing of your personal information;
• request a restriction of processing your personal information;
• request transfer of your personal information; and/or
• right to withdraw consent.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If for any reason you think that your personal data is not being processed correctly or that it is being used for a purpose other than what it was originally intended, you may contact our Information Officer. 

Our contact details

• Information Officer: Amanda Joseph
• Email Address: hello@howmightwe.co.za
• Postal Address: 184 Upper Buitenkant Street, Oranjezicht, Cape Town, 8001
• Telephone: +27 21 010 1700

You have the right to make a complaint at any time to the South African regulator’s office (Information Regulator’s Office of South Africa). We would, however, appreciate the chance to deal with your concerns before you approach any such regulator, so please contact us in the first instance.