Protection of Personal Information (POPIA) Policy
This policy describes our approach to data protection and privacy
This Protection of Personal Information (POPIA) Policy sets out how the Company complies with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and related legislation. The Policy establishes principles and governance measures for the lawful processing of personal information in the course of the Company’s e-commerce operations.
This Policy applies to all directors, employees, contractors, operators, and third parties who process personal information on behalf of the Company. It covers all personal information processed electronically or manually, relating to customers, website users, suppliers, service providers, and any other identifiable natural or juristic persons.
This Policy is informed by and aligned with the following legislation, as amended from time to time:
The Company commits to processing personal information in accordance with the eight conditions for lawful processing set out in POPIA.
Personal information shall be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Processing shall be limited to information that is adequate, relevant and not excessive for the purpose for which it is collected.
Personal information is collected directly from the data subject where reasonably practicable and is processed only where a lawful basis exists, including contractual necessity, legal obligation, legitimate interest, or informed consent.
Personal information shall be collected for a specific, explicitly defined and lawful purpose related to the Company’s business operations. Further processing shall be compatible with the original purpose of collection.
The Company shall take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary.
Appropriate technical and organisational measures shall be implemented to safeguard personal information against loss, damage, unauthorised access, unlawful processing or accidental disclosure.
Personal information is collected for specific, explicit, and lawful purposes, including account creation, order fulfilment, payment processing, delivery, customer support, marketing communications, fraud prevention, and legal compliance. The Company retains personal information only for as long as necessary to fulfil these purposes or as required by law, after which it is securely destroyed, deleted, or anonymised.
Reasonable steps are taken to ensure that personal information is accurate, complete, and up to date. Data subjects are encouraged to notify the Company of any changes to their personal information.
The Company implements appropriate technical and organisational measures to safeguard personal information against loss, unauthorised access, unlawful processing, or damage. These measures include access controls, secure authentication, encryption where appropriate, secure payment gateways, staff confidentiality obligations, and oversight of operators.
Data subjects have the right to access their personal information, request correction or deletion, object to processing in certain circumstances, and withdraw consent where applicable. Requests are handled in accordance with POPIA and within prescribed timeframes.
In the event of a data breach, the Company will take immediate steps to contain and assess the incident and will notify the Information Regulator and affected data subjects where required by law.
Personal information is transferred outside South Africa only where POPIA requirements are met, including adequate protection or data subject consent.
The Company appoints an Information Officer responsible for POPIA compliance, training, and ongoing monitoring.
This Policy shall be reviewed at least every three years or earlier if required by legislative or operational changes.