Privacy policy

At How Might We, we follow the highest standards of protecting your personal information when we process it.

We understand that your personal information is important to you and that some people may be uneasy about sharing it. Your privacy is just as important to us, and we are dedicated to protecting and collecting your information in a lawful manner. We want to do our best to ensure that you understand how and why we may process your information. For that reason, we have created this privacy policy for you to read and to understand how we safeguard your personal information and respect your privacy (“Privacy Policy”).

Purpose of this Privacy Policy

This Privacy Policy aims to give you information on how we collect and process your personal information through any form of your engagement with us. This Privacy Policy complies with, and facilitates the obligations required from, the South African Protection of Personal Information Act, No. 4 of 2013 (“POPIA”), as amended.

It is important that you read this Privacy Policy together with any other privacy notices we may share when we are collecting or processing personal information about you, so that you are fully aware of how and why we are using your personal information. This Privacy Policy supplements any other notices and is not intended to override them.

Due to the nature of our services we may process the data of minors or special categories of personal information as part of the research project we are hired to undertake.

Responsible Party and Operator

How Might We is the “Responsible Party” and carries responsibility for your personal information when we decide how to process it. Most of the time, we are an “Operator” of personal information on behalf of a Responsible Party (our client) who hires us to perform a service on their behalf. In that case, that client’s privacy policy will apply to you.

We have appointed an information officer at How Might We who is responsible for overseeing questions about this Privacy Policy. If you have any questions about this Privacy Policy or want to exercise your legal rights, please contact our information officer.

Changes to this Privacy Policy

This Privacy Policy was last updated on 11 March 2026 and previous versions are archived and can be provided on request.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

This Privacy Policy is subject to change without notice and is updated or amended from time to time and will be effective once we upload the amended version to our website. Your continued participation in our services or projects constitutes your acceptance of this Privacy Policy, as amended. It is your responsibility to read this document periodically to ensure you are aware of any changes.

Third-Party Links

Our website may include links to third-party platforms, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share information about you. We do not control these third-party platforms and are not responsible for their privacy statements or terms. When you leave our website, or engage with such third parties, we encourage you to read the distinct privacy policy of every third-party you engage with.

During your time with us, we may collect, use, store, and transfer (“process”) different kinds of personal information about you depending on the type of interaction we have. We have grouped all of the types as follows:

Identity data including identity number, full name, marital status, title, occupation, date of birth, gender, race, legal status, photographs or information about your company such as company name, address and/or company registration details, company registration documents, 

Contact data including residential address, business address, email address, and contact numbers.

Research data, including stories and information that you willingly tell us during our research sessions. 

Social media data including all information publicly available through your public social media accounts including posts, stories, likes and comments.

Transaction data including details about payments to and from you, contracts, contractual terms, contract fees, subscriptions, invoices and other details of services you have obtained from us or provide to us.

Technical data including internet protocol address/es, browser type and version, time zone setting and location, cookies, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and services or interact with us.

Usage data including information about how you use our company, our website, surveys, and services. 

Marketing and communications data including messages sent to us about your preferences in receiving notices and marketing from us and our clients, your communication preferences, details of which communications were sent to you, how they were sent and your interaction with them.

We may also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal information but is not considered personal information in law because it’s anonymised. If we combine Aggregated Data with your personal information and you may thereafter be directly or indirectly identified, we will treat this combined data as personal information and process it in accordance with this Privacy Policy.

We may need to collect certain of the above personal information by law, or under the terms of a contract we have with you. If you cannot provide the minimum requested data to us or do not consent to our processing of your data, we may not be able to perform the contract of service we have or are trying to enter into with you and you may therefore be unable to receive a complete and comprehensive service from us. Therefore, if you decide not to provide us with the necessary personal information, you understand that you cannot participate in a research project with us.

We use different methods to collect personal information from and about you, including through:

Direct interactions: You may give us your personal information by participating in one or more of our research projects, or by corresponding with us through our website, by WhatsApp, email or otherwise.

Automated technologies or interactions: As you interact with our website and online forms, we may automatically collect technical data and usage data about your equipment, browsing actions and patterns. We may collect this personal information by using cookies, server logs and other similar technologies. 

Third parties: We may receive personal information about you from various third parties such as:

• analytics providers; 
• marketing platforms; 
• messaging platforms such as WhatsApp;
• search information provider

Our reasons for processing personal information therefore include one or more of the following: 

• to engage with you in connection with (i) your participation in one of our market research or user experience (UX) research projects (including project operational contact such as scheduling, consent administration and incentive administration) or (ii) your request for, or use of, our services as a client;
• to design, conduct, moderate and assist market research and related research activities on behalf of our clients, and to produce research learnings and insights for the legitimate business interests of our company and our clients;
• to allow you to use our services and to provide you with our services as contracted;
• to contract with you as a service provider to How Might We;
• to share research data, research outputs and insights with the client who hired us to undertake the research project and, where applicable, third parties appointed by that client (or by us on the client’s behalf) to support the research (for example, fieldwork agencies, analysis partners and technology providers), subject to appropriate safeguards;
• to process and service your payment for any services we render;
• to manage payments, fees, and charges;
• to meet our regulatory and compliance requirements;
• to manage our relationship with you, which may include notifying you about changes to our contracts, participant information sheets or consent forms, Privacy Policy, or services, and managing the delivery and effectiveness of permitted communications (including operational project communications, future research invitations, client/third-party research follow-ups and direct marketing where you have opted in);
• to administer and protect our company, website and services (including troubleshooting, data analysis, testing, support, reporting, security monitoring, incident management, and the hosting, storage and backup of data using service providers and cloud providers);
• to use data analytics and service performance metrics to improve our services, research methodology, client relationships and experiences; and
• to send you (i) operational communications necessary to administer a research project you have joined, (ii) future research invitations and/or client/third-party research follow-ups where you have opted in, and (iii) direct marketing only where you have expressly opted in (and, in each case, with appropriate sender identification and an opt-out/withdrawal mechanism where required).

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules and where required or permitted by law.

We strive to provide you with choices regarding how we use your personal information, particularly around marketing and advertising. Direct marketing communications will only be sent to you where you have given your prior, specific and informed opt-in consent (for example, to receive messages by email, SMS, WhatsApp, or phone). Research operations communications (including session scheduling, incentives, consent administration, and other communications strictly necessary to administer a research project you have already joined) are not direct marketing and may be sent on that basis.

You may receive direct marketing communications from us only if you have opted in to receive them. Your participation in a research project (or provision of your details for research purposes) does not, by itself, constitute consent to direct marketing; however, we may still contact you with communications that are strictly operational for a research project you have already joined (including session scheduling, incentives and consent administration). Any direct marketing message we send will identify us (or the sender acting on our behalf) and will include a clear, easy and free mechanism to opt out or withdraw consent at any time; opting out of direct marketing will not affect our processing of your personal information for other lawful purposes, including research operations communications.

Where we rely on your consent to contact you, we will seek your consent in an express, specific and informed manner and, where applicable, separately for each communication type and channel (including email, SMS, WhatsApp, and phone). Your choices will be recorded as part of our Marketing and Communications Data.

For purposes of this Privacy Policy, we distinguish the following communication types:

Project operational contact: communications that are strictly necessary to administer a research project you have already joined, including session scheduling, logistics, reminders, consent administration, incentive administration, quality control and essential project notices. By joining a research project, you understand that such operational contact may be necessary to deliver the project. This is separate from marketing and is not treated as opt-in to any other communication type.

Future research invitations: invitations from How Might We to participate in new or additional research projects in the future. We will only send future research invitations where you have expressly opted in to receive them.

Client/third-party research follow-ups: follow-up invitations or research-related communications from our client (as Responsible Party) and/or third-party research partners or fieldwork agencies appointed by our client or by us, relating to research opportunities or follow-up activities. We will only allow such client/third-party research follow-ups where you have expressly opted in to be contacted for this purpose.

Marketing: direct marketing communications (including promotional messages or invitations that are not strictly necessary to administer a research project you have already joined). We will only send (and will only allow any third party to send) direct marketing communications to you where you have expressly opted in to receive them.

Each consent (where given) is optional, can be limited by channel, and may be withdrawn at any time using the opt-out mechanism in the relevant message or by contacting our Information Officer. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal, and will not affect project operational contact that is necessary to administer a research project you have already joined.

We will maintain records to evidence any consents and withdrawals, which may include the date and time, method of capture (for example, online form, written consent form or recorded verbal consent), the specific communication type(s) and channel(s) selected, the wording presented to you at the time, and the source of the request.

We may allow certain third parties to contact you using your Contact Data (including by email, SMS, WhatsApp and/or phone), but only in the limited circumstances described below and subject to appropriate contractual safeguards.

Categories of third parties that may contact you may include our client who has hired us to undertake a research project (as the relevant Responsible Party), third‑party research partners or fieldwork agencies appointed by our client or by us to assist with delivering a research project, and authorised messaging or communications service providers acting as Operators on our instructions.

Permitted purposes for third‑party contact are limited to:

• Research operations and research follow‑up, which includes communications that are strictly necessary to administer a research project you have already joined (such as session scheduling, incentive administration, consent administration, quality control, and survey or research follow‑up related to that project); and
• Direct marketing, which includes promotional communications or invitations that are not strictly necessary to administer a research project you have already joined.

No third party may contact you for direct marketing purposes using email, SMS, WhatsApp, or phone unless you have given prior, specific and informed opt‑in consent to receive such direct marketing (including, where applicable, consent to be contacted by or on behalf of that third party). Your participation in a research project, or your receipt of research operations communications, does not constitute consent to third‑party direct marketing.

Where a third party is permitted to contact you for direct marketing, each message must identify the sender (and, where applicable, the party on whose behalf the message is sent) and must include a clear, easy and free method to opt out or withdraw consent.

All personal information which you provide to us will be securely stored electronically on Google Drive and the recordings will also be stored on a private password-protected Vimeo channel. Only How Might We and our relevant clients will have access to the files on Google Drive and Vimeo. This information will be encrypted using Google Drive and Vimeo’s HTTPS encryption.

Once this information is no longer required, due to the fact that the research session or study has been completed, your data will be safely and securely archived for a period of 7 (seven) years or longer should this be required by any other law applicable in South Africa. Thereafter, all your personal information will be permanently destroyed.

We may also anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

We may have to share your personal information with the parties set out below for the purposes described above.

• Internal Third Parties including other companies within our group and their respective directors and employees, who will act as joint responsible parties or operators.
• External Third Parties including:
  • our client who has hired us to undertake a research project on their behalf. They are the responsible party and all the personal information we gather is therefore their responsibility which we share with them safely and securely;
  • authorised third-party service providers under contract with us who need your personal information to provide their services to you as a consequence of engaging with us;
  • service providers and contractors providing their services to us and acting as operators of your personal information on instruction from us;
  • South African or other national governments and/or their respective authorities pursuant to our adherence with legislative requirements; such as tax; and
  • professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services to us as and when required.
• Third parties to whom we may choose to sell, transfer, or merge parts of our company or our assets. Alternatively, we may seek to acquire other organisations or merge with them. If a change happens to our company, we may continue to use your personal information in the same way as set out in this Privacy Policy.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information in accordance with our instructions and standards.

We may make use of “cookies” to automatically collect information and data through the standard operation of the internet servers. “Cookies” are small text files a website can use (and which we may use) to recognise repeat users, facilitate the user’s on-going access to and use of a feature and allow a website to track user behaviour and compile aggregate data that will allow the website operator to improve the functionality of the website and its content, and to display more focused advertising to a user by way of third party tools.

The type of information collected by cookies is not used to personally identify you. If you do not want information collected using cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature. Please note that cookies may be necessary to provide you with certain features available on our website and thus if you disable the cookies on your browser you may not be able to use those features, and your access to our website may therefore be limited. If you do not disable “cookies”, you are deemed to consent to our use of any personal information collected using those cookies, subject to this Privacy Policy and our other policies or terms.

We may share, store, host, back up, and otherwise process your personal information outside of South Africa, including by transferring it to third-party cloud service providers (and their data centres) for cloud hosting and storage, resilience/backup, communications and other IT services, and to engage with other third party service providers such as software providers and contractors.

Whenever we may transfer your personal information out of South Africa (including to cloud providers), we will ensure a similar degree of protection is afforded to it by implementing appropriate safeguards. These safeguards may include a lawful transfer basis under applicable law, contractual requirements, and appropriate technical and organisational security measures (for example, encryption in transit and at rest where appropriate, access controls and least-privilege permissions, security monitoring, and incident management processes):

• We will only transfer your personal information to countries that have appropriate data protection legislation in place similar to that of South Africa; and/or
• Where we use service providers (including cloud providers), we will put in place written agreements and/or specific contracts/clauses requiring that personal information is processed only on our documented instructions, kept confidential, protected with appropriate security measures, and that the provider assists with security incidents and enables audits or other assurance where appropriate, so that personal information is processed and secured lawfully.

You have rights in relation to your personal information where we are the relevant “Responsible Party” over such personal information. Please contact us to find out more about, or manifest, these rights:

• request access to your personal information;
• request correction of your personal information;
• request erasure of your personal information;
• object to the processing of your personal information;
• request a restriction of processing your personal information;
• request transfer of your personal information; and/or
• right to withdraw consent.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If for any reason you think that your personal data is not being processed correctly or that it is being used for a purpose other than what it was originally intended, you may contact our Information Officer. 

Our contact details

• Information Officer: Amanda Joseph
• Email Address: hello@howmightwe.co.za
• Postal Address: 184 Upper Buitenkant Street, Oranjezicht, Cape Town, 8001
• Telephone: +27 21 010 1700

You have the right to make a complaint at any time to the South African regulator’s office (Information Regulator’s Office of South Africa). We would, however, appreciate the chance to deal with your concerns before you approach any such regulator, so please contact us in the first instance.