Last updated: May 2026
MARATTO AFRICA LTD is the data controller for personal data processed via maratto.africa. We operate MARATTO™, Africa's Outsourced Technology Transfer Office, helping universities identify, protect, and commercialise their research.
MARATTO™ is part of the Dazzle Africa ecosystem. References to “we,” “us,” and “our” in this policy mean MARATTO AFRICA LTD.
Publicly available institutional and researcher metadata is curated from open sources including OpenAlex and used to construct university and researcher profile data within the platform. Where such data identifies an individual, you may request review, correction, or removal via privacy@maratto.africa.
We process personal data for the following purposes:
We do not sell your data. We do not share your data with third parties except as described in Section 4.
We use the following providers to operate the platform. Each acts as a processor under our written instructions, with appropriate data processing terms in place.
| Provider | Purpose | Location | Privacy policy |
|---|---|---|---|
| Supabase | Database and authentication | United States | supabase.com/privacy ↗ |
| Vercel | Hosting and deployment | United States | vercel.com/legal/privacy-policy ↗ |
| Vercel Analytics | Cookieless performance metrics | United States | vercel.com/docs/analytics/privacy-policy ↗ |
| PostHog | Product analytics and session tracking (consent required) | United States / European Union | posthog.com/privacy ↗ |
| Sanity | Content management system | United States | sanity.io/legal/privacy ↗ |
| Resend | Transactional email delivery | United States | resend.com/legal/privacy-policy ↗ |
| Cloudinary | Image and media hosting | United States | cloudinary.com/privacy ↗ |
| Cal.com | Meeting scheduling | United States | cal.com/privacy ↗ |
| Google Fonts | Typography | Global | policies.google.com/privacy ↗ |
We process personal data under one or more of the following lawful bases:
Where applicable, we may also rely on the Data (Use and Access) Act 2025 (DUAA) “recognised legitimate interests” basis for specific processing activities listed in that Act.
Under UK GDPR, EU GDPR (where applicable), and South Africa's Protection of Personal Information Act, 2013 (POPIA), you have the right to:
To exercise any of these rights, contact privacy@maratto.africa. We will respond within one month. We may pause this period where we reasonably need further information to verify your identity or clarify the scope of your request, as permitted under the DUAA 2025.
We retain personal data only for as long as necessary for the purposes described in this policy.
| Data category | Retention period |
|---|---|
| Account data (active users) | Duration of your account, plus 6 months after closure |
| Account data (closed or inactive accounts) | 12 months from last login, then archived or deleted |
| Register Interest and contact form submissions | 24 months from submission, unless converted to an active engagement |
| Engagement and contract records | 7 years from end of engagement (UK statutory retention for contractual records) |
| Email and correspondence | 36 months from last meaningful contact |
| Complaints records | 36 months from resolution |
| Cookieless analytics (Vercel Analytics) | Per Vercel's retention policy, aggregated and not tied to identifiable individuals |
| PostHog session and behavioural data | 12 months from collection |
| Server access and security logs | 90 days |
| Backup data | 35 days rolling, then overwritten |
You may request earlier deletion at any time by contacting privacy@maratto.africa. We will action verified requests within one month unless we have a legal obligation requiring continued retention, in which case we will explain the basis.
MARATTO AFRICA LTD is established in the United Kingdom. Personal data is primarily processed in the United Kingdom, European Union, and United States.
Where we transfer personal data outside the United Kingdom or European Economic Area, we rely on one or more of the following safeguards:
For transfers from South Africa under POPIA, we rely on Section 72 transfer mechanisms including binding contractual terms and adequacy of the recipient jurisdiction.
In accordance with Section 56 of South Africa's Protection of Personal Information Act, 2013, we have appointed an Information Officer responsible for compliance with POPIA in respect of South African personal data processed by MARATTO.
The Information Officer is responsible for handling data subject requests, complaints, and regulatory enquiries relating to South African personal data.
If you believe we have processed your personal data unlawfully or contrary to this policy, you have the right to complain to us directly.
To submit a complaint:
Our commitment:
Escalation:
If you are dissatisfied with our response, or if you prefer to complain to a supervisory authority directly, you may contact:
We use cookies and similar technologies as described in our Cookie Policy at maratto.africa/cookies. You can manage your preferences via the cookie banner or the Cookie Preferences link in our footer.
Under the DUAA 2025, certain low-intrusion cookies (such as those used for basic analytics or service functionality) no longer require consent, provided a clear opt-out mechanism is offered. Marketing and tracking cookies continue to require your explicit consent under PECR.
MARATTO is a professional platform aimed at university, research, investor, donor, industry, and partner audiences. It is not directed at children under 18 and we do not knowingly collect personal data from minors.
If you believe we have inadvertently collected personal data from a child, please contact privacy@maratto.africa and we will delete it promptly.
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest where supported by our processors, access controls, audit logging, and regular review of our security posture. No system is perfectly secure and we cannot guarantee absolute security, but we work to industry-standard practices.
We will update this page when our practices or applicable law change. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated by email to active account holders where reasonably possible. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.
This policy was last reviewed against the Data (Use and Access) Act 2025 (UK), UK GDPR, EU GDPR, and South Africa's Protection of Personal Information Act, 2013 (POPIA).