Privacy Policy

Last updated: 17 March 2026

1. Introduction

This Privacy Policy is issued by [Your Company Name (Pty) Ltd] (Registration No. [Registration Number]), trading as eCrafter ("we", "us", or "our"), with its registered address at [Registered Physical Address].

eCrafter is a web-based platform that connects Market Organizers with Vendors. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website and services (collectively, the "Service"), in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable South African legislation.

For the purposes of POPIA, we are the responsible party in relation to the personal information we process through the Service.

By accessing or using the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

2. Information Officer

In accordance with Section 55 of POPIA, we have designated an Information Officer who is responsible for encouraging compliance with POPIA, handling data subject requests, and cooperating with the Information Regulator.

Information Officer: [Information Officer Full Name]

Email: [io@ecrafter.co.za]

You may contact the Information Officer to exercise any of your rights described in Section 11 of this policy, or to raise any concerns about how your personal information is processed.

3. Information We Collect

3.1 Information You Provide

  • Account information (mandatory): name, email address, password, and role (organizer or vendor) when you register. Without this information we cannot create your account or provide the Service.
  • Profile information (mandatory for vendors, partially mandatory for organizers): business name, description, contact details, profile photo, product photos, and product descriptions. Incomplete profiles may limit your ability to apply to markets or manage them.
  • Banking details (mandatory for approved vendors): bank name, account number, and branch code submitted for payment purposes. Without banking details, organizers cannot process payments to you.
  • Application data (mandatory for vendor applications): pitch applications, product lists, category selections, and stand preferences. Without this information your application cannot be evaluated.
  • Messages (voluntary): content of direct and broadcast messages exchanged between organizers and vendors.

3.2 Information Collected Automatically

  • Usage data: pages visited, features used, timestamps, and referring URLs.
  • Device data: browser type, operating system, screen resolution, and IP address.
  • Cookies and similar technologies: session cookies for authentication and preferences. See Section 10 for details.

This data is collected automatically when you use the Service. You may limit some automatic collection through your browser settings, but this may affect the functionality of the Service.

3.3 Information from Third-Party Services

If you sign in using a third-party authentication provider (e.g., Google), we receive your name, email address, and profile picture as permitted by your account settings with that provider. This information is provided voluntarily when you choose to authenticate via a third party. We do not request or store your third-party password.

4. Lawful Basis for Processing

POPIA requires that we process your personal information only when we have a lawful basis to do so. The table below sets out the legal ground for each category of information we collect:

| Data Category | Lawful Basis (POPIA Section) |
|---|---|
| Account information | Necessary for contract performance (s 11(1)(b)) |
| Profile information | Contract performance (s 11(1)(b)) and legitimate interest (s 11(1)(f)) |
| Banking details | Necessary for contract performance (s 11(1)(b)) |
| Application data | Necessary for contract performance (s 11(1)(b)) |
| Messages | Necessary for contract performance (s 11(1)(b)) |
| Usage and device data | Legitimate interest (s 11(1)(f)) |
| Cookies (strictly necessary) | Legitimate interest (s 11(1)(f)) |
| Google OAuth data | Consent (s 11(1)(a)) |

5. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Create and manage your account and authenticate your sessions.
  • Process vendor applications and facilitate stand assignments.
  • Enable messaging between organizers and vendors.
  • Generate exports such as product lists and barcode files.
  • Send transactional notifications (e.g., application status updates).
  • Monitor and improve the performance, security, and reliability of the Service.
  • Comply with legal obligations and enforce our terms.

We will not use your personal information for purposes incompatible with those stated above unless we obtain your consent or are permitted to do so by law.

6. How We Store and Retain Your Information

Your data is stored in secure, cloud-hosted databases provided by our infrastructure partner, Supabase. Data is encrypted in transit (TLS) and at rest.

6.1 Retention Periods

In accordance with POPIA Section 14, we retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. The specific retention periods are:

| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 12 months after account deletion |
| Profile information | Duration of account + 12 months after deletion |
| Banking details | Duration of account + as required by financial regulations (typically 5 years) |
| Application data | Duration of account + 24 months for dispute resolution |
| Messages | Duration of account |
| Usage and device data | 12 months (rolling) |
| Google OAuth data | Duration of account |

6.2 Data Destruction

When personal information is no longer required, we destroy or anonymize it in a manner that prevents reconstruction in an intelligible form, in accordance with POPIA Section 14. This includes secure deletion from databases and removal of any associated backups within a reasonable timeframe.

7. How We Share Your Information

We do not sell your personal information. We may share data in the following limited circumstances:

  • Between organizers and vendors: when a vendor applies to a market, the organizer receives the vendor's profile, pitch, and product information necessary to evaluate the application.
  • Service providers: we use third-party services (hosting, authentication, analytics) that process data on our behalf under strict contractual obligations consistent with POPIA requirements.
  • Legal requirements: we may disclose information if required by law, regulation, legal process, or governmental request.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

8. Cross-Border Data Transfers

Our infrastructure partner, Supabase, may process and store data on servers located outside the Republic of South Africa. In accordance with POPIA Section 72, we ensure that any cross-border transfer of personal information is permitted because:

  • The recipient is subject to law, binding corporate rules, or binding agreements that provide an adequate level of protection substantially similar to POPIA.
  • The transfer is necessary for the performance of the contract between you and eCrafter.

Safeguards in place include contractual data processing agreements, encryption of data in transit (TLS) and at rest, and strict access controls limiting who can access personal information.

9. Google User Data

If you authenticate with Google, the following applies to the data we receive from Google APIs:

  • Access: we access your Google account name, email address, and profile picture via Google's OAuth 2.0 authentication flow.
  • Use: this data is used solely to create your eCrafter account, display your name and avatar within the Service, and communicate with you about your account.
  • Storage: your Google-provided name, email, and profile picture URL are stored in our database for the duration of your account.
  • Sharing: we do not share Google user data with third parties except as described in Section 7 (service providers operating under contract, or as required by law).
  • Limited use: our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

10. Cookies

We use strictly necessary cookies to maintain your authenticated session and remember your preferences. We do not use advertising or tracking cookies. You can configure your browser to refuse cookies, but some features of the Service may not function properly without them.

11. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights in relation to the personal information we hold about you:

  • Right to be notified (Section 18) — to be informed when your personal information is collected, including the purpose and legal basis.
  • Right of access (Section 23) — to request confirmation that we hold your personal information and to obtain a copy of it.
  • Right to correction (Section 24) — to request that we correct or complete personal information that is inaccurate, misleading, or incomplete.
  • Right to deletion (Section 24) — to request that we delete personal information that is inaccurate, irrelevant, excessive, out of date, misleading, or unlawfully obtained.
  • Right to object (Section 11(3)(a)) — to object to the processing of your personal information on reasonable grounds relating to your particular situation, unless legislation provides for such processing.
  • Right to object to direct marketing (Section 69) — to object to the processing of your personal information for the purpose of direct marketing by means of unsolicited electronic communications.
  • Right to withdraw consent (Section 11(2)(b)) — where processing is based on your consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right regarding automated decision-making (Section 71) — not to be subject to a decision based solely on automated processing that significantly affects you, unless appropriate measures are in place.
  • Right to lodge a complaint — to submit a complaint to the Information Regulator if you believe your rights have been violated (see Section 12).

How to Exercise Your Rights

To exercise any of these rights, contact our Information Officer using the details in Section 2. We will respond to your request within 30 days of receiving it. We may request verification of your identity before processing your request. A reasonable fee may be charged for access requests, as permitted by POPIA.

12. Information Regulator

The Information Regulator is the independent body established under POPIA to monitor and enforce compliance with data protection legislation in South Africa. If you are unsatisfied with our response to your request or believe that your personal information has been processed unlawfully, you have the right to lodge a complaint with the Information Regulator:

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Email: enquiries@inforegulator.org.za

Website: inforegulator.org.za

13. Data Breach Notification

In accordance with POPIA Section 22, if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorised person, we will:

  • Notify the Information Regulator as soon as reasonably possible after the discovery of the compromise.
  • Notify you, the affected data subject, via email and/or an in-app notification, unless doing so would impede a criminal investigation.
  • Provide sufficient information about the breach, including a description of the possible consequences and the measures we have taken or intend to take to address the compromise.
  • Include recommendations for you to take to mitigate any possible adverse effects of the breach.

14. Data Security

We implement appropriate technical and organisational measures to protect your personal information against loss, damage, unauthorised access, or unlawful processing, in accordance with POPIA Section 19. These measures include:

  • Encryption of data in transit (TLS) and at rest.
  • Role-based access controls limiting access to personal information to authorised personnel only.
  • Regular security reviews and vulnerability assessments.
  • Secure authentication mechanisms including password hashing and session management.

However, no method of electronic transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or an in-app notification. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Email: privacy@ecrafter.co.za

Address: [Registered Physical Address]

Information Officer: See Section 2 for Information Officer contact details.

17. Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act 4 of 2013 (POPIA) and the Electronic Communications and Transactions Act 25 of 2002 (ECTA). Any disputes arising from this policy will be subject to the jurisdiction of the South African courts.