Privacy Policy

1. Who are we and what do we do?

C Herbst Consulting Proprietary Limited trading as CH Consulting (“we”, “our” or “us”) is a South African company who, amongst others, provides tax compliance services to its customers in South Africa.

2. What is the purpose of this policy?

This Policy tells you, as our customer (“you” or “your”), how we collect, use, store and share (“process”) data which tells us who you are, from which someone can determine who you are or otherwise relates to you (collectively, “personal data”).

If you are a prospective or present customer, this policy should be read together with our terms of service (“Ts & Cs“).

3. What is our privacy vision?

Our privacy vision is to provide you with accurate tax efficient crypto tax reports in a manner that respects and protects your privacy. You should know what personal data we process, why we process it and what rights you have in relation to your personal data which we hold.

4. What information do we process and where is it collected from?

We process, amongst others, the following types of personal data:

Data set Type of data, description and source
Contact data

If you request that we contact you through our website or otherwise request that we contact you, we will process data to enable us to do so, luding –

  • name and surname;
  • contact details: email and telephone number; and
  • any information that you provide in the “message” block on our website.

You are the source of this data.

Onboarding data

If you appoint us to provide services to you, we will need to process your –

  • name and surname;
  • contact details: email and telephone number; and
  • terms of services / terms and conditions with us.

You are the source of this data.

Tax report data

If you appoint us to provide services to you, we will need to process information regarding the type of crypto tax report you purchase (a Basic, Standard, Premium or other report) (a “report”) and what the factors taken into account or which comprise such report, luding –

  • supporting documents including:
  • medical aid tax certificates, it3b and it3c certificates, income statements, balance sheets, identity documents, passports, estate agent statements and any other supporting documents;
  • the number of transactions;
  • software;
  • transaction reconciliation;
  • annual tax reporting (Y/N);
  • negative balance analysis (Y/N);
  • liquidity pools / mining / staking / lending / nodes / futures / margin (Y/N);
  • IDOs (Y/N);
  • NFT (Y/N);
  • tax optimisation (Y/N);
  • number of revisions (Y/N); and
  • timeframe.

You are the source of this data and some of it is automatically generated by purchasing our services, dependent on the report you purchase.

Payment and billing data

If you appoint us to provide services to you, we will need to process –

  • the price of your report, taxes and amounts levied thereon;
  • if you pay by credit card – your billing information, luding your credit card number, bank and billing address;
  • if you pay with crypto – your crypto wallet number and any linked information;
  • your invoices; and
  • your payment history, luding date, time and information.

We process credit card payments through our credit card payment services provider, PayFast

You, your payment services provider, and PayFast are sources of this data.

Financial data

If you appoint us to provide services to you, we will need to process information about your crypto assets luding –

  • your cryptocurrency wallet, number and linked information;
  • types of cryptocurrency;
  • number and value of crypto assets;
  • number, type and number of crypto related transactions;
  • crypto purchases invoices and sales, at what prices and on what dates;
  • public address of crypto wallets (not private keys);
  • read only API key and secret to centralised exchanges;
  • CSV exports of with wallet data or centralised exchange data;
  • FIAT bank account data;
  • operational data on relevant business processes or trading strategies; and
  • contextual and related data.

You are the source of this data.

Tax data

If you appoint us to provide services to you, we will need to process your tax information, luding –

  • the countries in which you are a tax resident;
  • your tax number; and
  • the amount of tax you are required to pay

You are the source of this data.

Aggregated data

As we provide tax reporting services, different data sets or points may be aggregated by us to produce your tax report.

We do not make any decisions using this data that have legal consequences for you.

Communications data

If you appoint us to provide services to you, we will process your communications with us, which ludes the meta data of communications. If you call or video call us, we may transcribe or record such call to monitor our services and record your instructions.

You are the source of this data and some of this data is generated by us.

We require your personal data to provide the service to you. Failure to provide us with your personal data will result in us being unable to provide you with our services.

5. Why do we process your personal data?

We process your personal data for the following purposes and based on the legal bases:

5.1 Operations

We may process your personal data for the purposes of operating our website; providing our services and products in the form of tax reports to customers; generating invoices, bills and other payment-related documentation; and credit control. The legal bases for this processing are:

  • our legitimate interests, namely the proper administration of our website, services and business; and/or
  • the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

5.2 Relationships and communications

We may process your personal data for the purposes of managing our relationships and communicating with you (excluding communicating for the purposes of direct marketing) by email, Whatsapp, website chatbot, SMS and/or telephone, providing support services and complaint handling. The legal bases for this processing are:

  • our legitimate interests, namely communications with our website visitors, service users, individual customers and the maintenance of relationships, and the proper administration of our website, services and business; and/or
  • the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

5.3 Research and analysis

We may process personal data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our business. The legal basis for this processing is our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally.

5.4 Record keeping

We may process your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally. The legal bases for this processing is:

  • our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this policy; and/or
  • the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

5.5 Security

We may process your personal data for the purposes of security and preventing fraud and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of our website, services and business and the protection of others.

5.6 Insurance and risk management

We may process your personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.

5.7 Legal claims

We may process your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.

5.8 Legal compliance and legitimate interests

We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect your legitimate interests or the legitimate interest of another person.

6. Who do we share your personal data with?

We may disclose your personal data to our insurers and/or professional advisors insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.

Financial transactions relating to our services are handled by our payment services provider, PayFast. We will share transaction data with our payment services provider only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers’ privacy policies and practices at https://www.payfast.co.za/wp-content/uploads/2021/10/PayFast-Privacy-Policy.pdf.

In addition to the specific disclosures of personal data set out in this 6, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, luding a subpoena, reporting obligation or request by a regulator or tax authority in any applicable jurisdiction, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

7. Do we transfer your personal data to other countries?

We process your personal data in the Republic of South Africa (“RSA”), which is the country where we are situated and from which our employees work.We ensure that your personal data is protected in RSA both by contractual and other reasonably practicable measures.

8. How do we store your personal data?

Your personal data will be stored on the services of our hosting services providers: Google Cloud Services, whose servers are located in RSA and abroad and Karbon https://karbonhq.com/en-GB/security/, whose servers are located.in the United States of America.

Your personal data may be kept in paper copy by our employees, but only to the extent necessary.

Only authorised personnel have access to your data.

9. How do we ensure your personal data kept is kept secure?

We use administrative, technological and physical controls to protect your personal data against unauthorised loss, damage, modification, disclosure or access. Such controls ludes policies, monitoring, access control, password protection, firewalls, anti-virus and encryption where possible.

Even though we take reasonable measures to protect your personal data, transmitting information over electronic platforms creates certain risks which we cannot prevent. We will not be held responsible for any loss occurred in the transmission of data.

10. How long do we store your personal data for?

We store information for as long we have a purpose to keep it, being either a business purpose or where the law requires us to keep it, whichever is longer.

We completely delete and destroy personal data two years after the completion of our mandate with you.

11. How do we make sure your personal data is accurate?

The personal data you provide us must be accurate and up to date – you are responsible for doing so. Providing us with inaccurate, false, misleading or omplete information may affect the services we provide you and the correctness of the crypto tax report we issue you. It is therefore imperative that you provide data to us in time and which is correct.

We have processes in place for you to request that the personal data we hold about you is amended, corrected or deleted. We have the right to refuse any request where it requires disproportionate effort, threatens the privacy of others or would be impractical.

If the data we have about you is out of date or inaccurate, please contact our information officer at the details at 13.

12. What happens if your data is subject to a data breach?

If an unauthorised person has accessed your data, we will notify you to the extent we are required by law to do so. We will also notify the South African Information Regulator to the extent that we are required to.

13. What are your rights regarding your data?

You have the rights to:

  • request access to the personal data we hold;
  • request that we correct or delete personal data;
  • object to the processing of personal data in certain instances; and/or
  • withdraw consent where consent is the basis we rely on for processing.

Should you have a question or query with regards to the processing of personal data, please contact our information officer with the following details:

Name: Chris Herbst
Physical Address: 2nd Floor, Oude Poskantoor Building, C/O Bird and Plent Street, Stellenbosch
Email: chris@chconsulting.co.za
Telephone No: +27 21 205 8211

14. The Protection of Personal Information Act No 4 of 2013 (“POPIA”)

Given that we process data in RSA and because we are domiciled in RSA, we are required to comply with RSA’s data privacy legislation, POPIA. Should we have a complaint about the way we process your data, you can contact RSA’s Information Regulator at the following details:

Email: complaints.IR@justice.gov.za
Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal address: P.O Box 31533, Braamfontein, Johannesburg, 2017

This policy amounts to a notice of processing as is required by POPIA.

15. The General Data Protection Regulation 206/679 (“GDPR”)

Given that we do not have an establishment in the European Union (“EU”), nor do we directly market our goods and services to EU data subjects, or monitor EU data subjects, we are not required to comply with the GDPR, however, we ensure that fair information processing priples are complied with in relation to your data, as set out in this notice.

16. Will this policy change?

This policy is subject to change. We will tell you if it does.

17. Version Control

Last updated February 2023.