SPAZA← Back to shop

Privacy Policy

How we protect your personal information under POPIA · Last updated: June 2026

Note for Spaza: This is a POPIA-aware starting point, not legal advice. Before publishing, please (1) have a South African data-protection professional review it, (2) appoint and register your Information Officer with the Information Regulator, and (3) fill in the contact details and company particulars marked below. The cross-border note (Supabase EU hosting) and the operators list should be confirmed against your actual providers.

1. Who we are

Spaza is an online marketplace operated by Eden Extract (Pty) Ltd (registration number 2025/756709/07) (“Spaza”, “we”, “us”). We are the “responsible party” for the personal information described in this policy, in terms of the Protection of Personal Information Act 4 of 2013 (POPIA).

Information Officer: [INSERT NAME] — contact: [INSERT EMAIL]. Our Information Officer is responsible for our POPIA compliance and is your point of contact for any privacy query or request.

2. What information we collect

Depending on how you use Spaza, we may collect:

  • Account details: your name, email address, password (stored securely / hashed) and phone number.
  • Delivery details: your shipping address, suburb, city, province and postal code.
  • Order information: the products you buy, order history and communications about your orders.
  • Seller details (if you sell on Spaza): your store name, business details, pickup address, and bank account details used to pay you.
  • Technical information: limited data needed to operate the site securely (for example session and login information).

We do not store your card details. Card payments are processed securely by our payment provider on their own systems.

3. Why we process it (lawful basis & purpose)

We process your personal information only where the law allows, in particular to:

  • Perform our contract with you — creating your account, processing orders, arranging delivery, and paying sellers.
  • Comply with legal obligations — such as tax, accounting and consumer-protection requirements.
  • Pursue legitimate interests — keeping the platform secure, preventing fraud, and improving our service.
  • Where required, on the basis of your consent — for example optional marketing, which you can withdraw at any time.

4. Who we share it with (operators & third parties)

We share personal information only as needed to run Spaza, with service providers (“operators”) who process it on our instructions and under confidentiality and security obligations. These include:

  • Our hosting and database provider (for storing account, order and store data).
  • Our payment provider (to process payments and pay sellers).
  • Our courier partner (to collect and deliver parcels — they receive the delivery name, address and contact details needed for delivery).
  • Sellers — when you place an order, the relevant seller receives the information needed to fulfil and deliver it.

We do not sell your personal information. We may disclose information where required by law or to protect our legal rights.

5. Where your information is stored (cross-border)

Some of our service providers store data outside South Africa — for example our database is hosted in the European Union. POPIA permits this where the receiving country or provider offers an adequate level of protection comparable to POPIA. By using Spaza, you understand that your information may be processed outside South Africa under these safeguards. [Confirm provider locations and safeguards with your providers.]

6. How long we keep it

We keep personal information only for as long as needed for the purposes above, or as required by law (for example, retaining order and tax records for the period required by South African law). When information is no longer needed, we securely delete or de-identify it.

7. How we protect it

We take reasonable technical and organisational measures to protect your information, including access controls, encryption in transit, secure authentication (with optional two-factor authentication available on your account), and limiting access to those who need it. No system is perfectly secure, but we work to keep your information safe.

8. Your rights

Under POPIA you have the right to:

  • Access the personal information we hold about you.
  • Ask us to correct or update information that is inaccurate or incomplete.
  • Ask us to delete information we no longer have a lawful reason to keep.
  • Object to processing in certain circumstances, including direct marketing.
  • Withdraw consent where we relied on it.
  • Lodge a complaint with the Information Regulator.

To exercise any of these, contact our Information Officer (section 1). You may make a request by email or other expedient means; we will respond as required by law.

9. Direct marketing

We will only send you marketing messages where the law allows or where you have consented. Every marketing message will give you a simple way to opt out, and you can object to marketing at any time by contacting us.

10. Data breaches

If a security compromise affects your personal information, we will notify the Information Regulator and affected people as soon as reasonably possible, as required by POPIA.

11. Children

Spaza is intended for users aged 18 and over. We do not knowingly collect the personal information of children without the consent of a competent person.

12. Changes & contact

We may update this policy from time to time; the “last updated” date above shows when. For any privacy question or to exercise your rights, contact our Information Officer at [INSERT EMAIL]. You may also contact the Information Regulator (South Africa) if you believe your rights have been infringed.

This policy is provided for transparency and does not limit any rights you have under the Protection of Personal Information Act 4 of 2013 or other applicable law.