We keep it straight: this document tells you exactly what personal information we collect, why we collect it, how we protect it, and what rights you have over it — in plain language, not legalese.
BlakFire Management Solutions ("BlakFire", "we", "us", "our") is an IT services company registered in South Africa and based in Gauteng. We provide Microsoft 365 setup and management, Power Apps development, custom web application development, Intune device management, and technology consulting services.
We operate the public marketing website at www.bfms.co.za and a secure client project portal at client-portal.bfms.co.za (the "Portal"). This Privacy Policy applies to both.
For the purposes of the Protection of Personal Information Act 4 of 2013 (POPIA), BlakFire Management Solutions is the Responsible Party — the entity that determines the purpose and means of processing your personal information.
We only collect information that is necessary to provide our services or respond to your enquiries. Below is a full breakdown of every category of personal data we process.
A — Website Contact Form (www.bfms.co.za)
When you submit an enquiry through our website contact form, we collect:
| Field | Why it's collected | Stored in database? |
|---|---|---|
| Full Name | To address you correctly in our reply | No — emailed to us only |
| Email Address | To respond to your enquiry | No — emailed to us only |
| Company Name | Optional context for your enquiry | No — emailed to us only |
| Service Interest | To route your enquiry appropriately | No — emailed to us only |
| Message | The content of your enquiry | No — emailed to us only |
Contact form submissions are delivered to our internal inbox via PHP mail() and
are not stored in any database. We also send you an auto-confirmation email to
acknowledge receipt.
B — Client Portal Accounts (client-portal.bfms.co.za)
Portal accounts are created by BlakFire staff — clients do not self-register. When we create your account and during the course of delivering your project, we process the following:
| Data Category | Specific Fields | Purpose |
|---|---|---|
| Account identity | Full name, email address, username | Authentication and personalisation |
| Contact details | Phone number, company name | Project communications and invoicing |
| Session metadata | Last login timestamp, timezone | Security and session management |
| Project data | Project name, description, service type, dates, financial amounts | Project delivery and progress tracking |
| Documents | File name, file type, file size, storage path, upload/review metadata | Document exchange required for project delivery |
| Notes & communications | Message body, author name, timestamp | Project communication records |
| Activity log | Event type, description, actor name, role, IP address, timestamp | Security audit trail and project accountability |
| Notifications | Title, body text, read status | Keeping you informed of project updates |
| Password | Bcrypt hash only (never stored in plain text) | Authentication |
Under POPIA, we must have a lawful basis for processing your personal information. We rely on the following grounds:
| Processing Activity | Lawful Basis |
|---|---|
| Responding to website enquiries | Legitimate interest / pre-contractual steps at your request |
| Delivering contracted project services | Performance of a contract to which you are a party |
| Portal authentication and security | Legitimate interest in protecting our systems and your data |
| Audit logging including IP addresses | Legitimate interest in security and accountability |
| Sending project notifications | Performance of a contract / legitimate interest |
| Auto-acknowledgement emails | Legitimate interest in good customer communication |
We do not send marketing emails, newsletters, or promotional communications unless you have explicitly consented to receive them. We do not use your data for profiling, automated decision-making, or advertising purposes.
We keep our use of cookies to the absolute minimum required for functionality. We do not use advertising cookies, tracking pixels, or analytics cookies of any kind.
Cookies we set:
Browser storage we use:
bos_session) is strictly necessary for portal login and is exempt from consent requirements under POPIA. You are free to disable cookies in your browser, but doing so will prevent you from signing into the client portal.
Our website and portal load resources from the following third-party CDN providers. These are limited to fonts and icons — we use no analytics, advertising, or social-tracking scripts.
| Provider | What Is Loaded | Their Privacy Policy |
|---|---|---|
| Google Fonts fonts.googleapis.com |
Bebas Neue, Rajdhani, JetBrains Mono typefaces. When your browser requests a font file, Google's servers receive your IP address and browser user-agent. No cookies are set by Google Fonts. | policies.google.com/privacy |
| Cloudflare CDN cdnjs.cloudflare.com |
Font Awesome icon library. Cloudflare may log your IP address as part of CDN delivery. No tracking cookies are set. | cloudflare.com/privacypolicy |
We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, HotJar, Intercom, or any other behavioural tracking or analytics service on any of our pages.
Our web hosting is provided through a South African cPanel hosting environment. Your data resides on servers in South Africa unless you have uploaded documents hosted on an external storage provider (e.g. Google Drive, SharePoint, Dropbox) — in which case that provider's own privacy policy applies to those files.
We take the security of your personal information seriously and implement technical and organisational measures appropriate to the risk, including:
bos_session cookie is flagged HttpOnly, Secure, and SameSite=Strict — preventing cross-site request forgery and JavaScript-based cookie theft..htaccess deny rules.| Data Category | Retention Period | Reason |
|---|---|---|
| Contact form enquiries | Retained in our email inbox — typically 3 years | Business records and follow-up |
| Portal account data | Duration of the client relationship + 3 years after project completion | Legal and contractual obligations |
| Project records, documents, notes | 3 years after final project sign-off | Dispute resolution and contractual obligations |
| Activity log (including IP addresses) | 12 months rolling | Security audit and fraud prevention |
| Session data | 2 hours from last activity | Authentication — automatically expired |
| Portal notifications | 6 months after creation | Operational — no longer relevant after this period |
When retention periods expire, data is securely deleted or anonymised. You may request earlier deletion — see Section 9 (Your Rights) below.
We do not sell, rent, or trade your personal information to any third party.
We may disclose your information in the following limited circumstances:
As a data subject under POPIA, you have the following rights regarding your personal information:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg 2001
www.justice.gov.za/inforeg ·
inforeg@justice.gov.za
Our services are intended for use by businesses and adults. We do not knowingly collect personal information from persons under 18 years of age. If you believe a minor has submitted personal information to us, please contact us immediately at hello@bfms.co.za and we will delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do:
We encourage you to review this page periodically. The current version is always available at www.bfms.co.za/privacy.html.
If you have any questions about this Privacy Policy, want to exercise your rights, or have a concern about how we have handled your personal information, please contact our Information Officer:
We will acknowledge your request within 3 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the Information Regulator of South Africa.