Ref № PP-2026-06
Your data, handled with care.
Hexagon is a software studio based in Johannesburg, South Africa. We host, build and run software for our clients, and some personal information passes through the systems we operate, yours if you contact us, and our clients' users' if we run a system for them. This page explains exactly what we collect, why, and what we will never do with it. No legalese, promise.
Who we are
Hexagon is a software studio in Johannesburg, South Africa. We provide managed hosting, websites and web apps, custom technology, and secure systems for the businesses we work with.
For the systems we build and run on behalf of a client, that client is the owner of the data inside them, and Hexagon processes it on their instructions. For this website and for people who contact us directly, Hexagon is the responsible party. Either way, the contact details in section № 11 reach us.
What we collect
Here is the full inventory of what passes through this site and our studio:
- Things you send us. If you email us or fill in a form, we get your name, email address and whatever you choose to tell us about your project.
- Basic request logs. Like any website, our hosting records the usual technical details of a visit, such as IP address, browser type and the pages requested. These exist for security and to keep the site running, not to profile you.
- Your theme preference. If the site remembers light or dark mode, that choice lives in your browser only and is never sent to us.
That is it for the public site. We do not run advertising trackers, and we do not build profiles of visitors.
Systems we run for clients
Most of what Hexagon does is build and operate software for other businesses. When we run a system for a client, personal information may flow through it, the client's staff, and sometimes their customers.
In those cases the client owns that data and decides how it is used; Hexagon is the operator acting on their instructions, under a written agreement. We only process what the system needs to do its job, and we protect it with the measures in section № 08.
If your data sits inside a system Hexagon runs for a business you deal with, your request usually starts with that business. We will always help them action it, and you can also reach us directly.
Third parties we work with
A small number of infrastructure providers help us host and run software. They process data on our behalf, under their own strict obligations:
- Cloudflare routes traffic to our servers securely and shields the systems we run from attacks.
- Google Cloud provides hosting and infrastructure for some of the systems we operate.
- Hosting providers we manage on a client's behalf run their software under access we control and lock down.
That is the complete list for this site. We do not plug advertising networks, data brokers or analytics suites into it.
Your rights under POPIA
South Africa's Protection of Personal Information Act (POPIA) gives you real rights over your information, and we honour them:
- Access ask what information we hold about you, and we will show you.
- Correction if something is wrong or out of date, we will fix it.
- Deletion ask us to delete your information, and we will, unless a law or an open obligation requires us to keep it a while longer, in which case we will tell you why and for how long.
To exercise any of these, email privacy@hexagon.icu. If your data lives in a system we run for a business you deal with, see section № 04. You also have the right to complain to South Africa's Information Regulator if you believe your information has been mishandled.
How long we keep things
Only as long as we genuinely need to, operationally and legally, and not a day longer:
- Enquiries kept while we are talking and for a reasonable period after, then cleared.
- Financial records kept for the periods South African law requires for invoicing, accounting and tax.
- Request and security logs kept for security review, then cleared.
- Client system data kept and deleted according to the agreement with that client.
When the reason to keep something runs out, it goes.
How we protect it
Plainly, the locks on the doors:
- Encrypted connections everything travels over HTTPS, so it cannot be read in transit.
- Encryption at rest stored data is encrypted on the systems we run.
- Least-privilege access people and services get only the access their job needs, and no more.
- A small attack surface fewer moving parts, fewer doors, fewer ways in.
- Backups & recovery so a bad day stays a bad day, not a disaster.
- Audit trails key actions are logged, so unusual activity leaves footprints we can follow.
What we never do
We never sell personal data. Ever. Not your data, not our clients' data, not "anonymised insights", not anything. We also never use your information for marketing you did not ask for. Hexagon exists to build and run software, full stop.
Children
This site and our services are not directed at children. We do not knowingly collect personal information from children. If a child's information reaches us through a system we run, it is handled with the same care, and the same rights apply, exercised by a parent or guardian through the contact below.
Changes & how to reach us
If this policy changes, the new version will be published on this page and the "last updated" date at the top will move. This version was last updated on 16 June 2026.
Questions, requests, corrections, complaints: email privacy@hexagon.icu and a real person will get back to you.