Privacy Policy

Last updated: March 2026

1. Introduction

Online POS ("we", "us", or "our") is committed to protecting the privacy and personal information of our users. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Online POS platform, website, and related services (collectively, "the Service").

This policy is drafted in compliance with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa. By using the Service, you consent to the practices described in this policy.

2. Responsible Party

For the purposes of POPIA, the responsible party (data controller) is:

  • Email: support@online-pos.co.za
  • Information Officer: support@online-pos.co.za
  • Country: South Africa

3. Information We Collect

We collect the following categories of information:

3.1 Information You Provide

  • Account Information: Full name, email address, password (hashed), business name, and business type when you create an account
  • Business Data: Product information, pricing data, supplier details, customer records, sales transactions, purchase orders, and inventory data that you enter into the Service
  • Billing Information: Payment details processed through our payment gateway (PayFast). We do not store full credit card numbers
  • Communication Data: Information you provide when contacting support, submitting feedback, or using the contact form
  • Integration Credentials: API keys, seller account details, and authentication tokens for third-party marketplace connections (e.g., Takealot)

3.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions performed, time spent on the Service, and navigation patterns
  • Device Information: Browser type and version, operating system, screen resolution, and device type (desktop, mobile, tablet)
  • Log Data: IP address, access times, referring URLs, and error logs for security and troubleshooting purposes
  • Cookies and Session Data: Authentication tokens, session identifiers, and user preference data (see Section 10)

3.3 Information from Third Parties

  • Marketplace Data: When you connect your Takealot seller account, we receive product listings, offer data, order details, sales data, and pricing information via the Takealot API
  • Payment Notifications: Transaction confirmations and payment status updates from our payment gateway

4. Purpose and Legal Basis for Processing

We process your personal information for the following purposes and legal grounds under POPIA:

  • Contract Performance: To provide, operate, and maintain the Service, including processing your sales, managing inventory, and synchronising marketplace data
  • Account Management: To create and manage your account, authenticate your identity, and provide customer support
  • Billing and Payments: To process subscription fees, generate invoices, and manage billing cycles
  • Service Improvement: To analyse usage patterns, identify issues, and improve the Service's features, performance, and user experience
  • Security: To detect and prevent fraud, unauthorised access, and other security threats
  • Communication: To send essential service notifications (billing alerts, security notices, feature updates, and account-related messages)
  • Legal Compliance: To comply with applicable South African laws, regulations, and legal processes

We will not use your personal information for direct marketing purposes without your explicit opt-in consent.

5. Data Storage, Security, and Retention

5.1 Storage

Your data is stored on secure cloud infrastructure with industry-standard security measures. Data may be stored or processed in data centres located outside South Africa, subject to appropriate safeguards as required by POPIA.

5.2 Security Measures

  • All data transmitted between your browser and our platform is encrypted using HTTPS
  • Passwords are securely hashed and are never stored in plain text
  • Database access is restricted and protected by authentication and network-level security
  • Regular automated backups ensure data recovery in the event of system failure
  • Role-based access controls limit access to personal data to authorised personnel only
  • Integration credentials are encrypted at rest

5.3 Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. After account deletion or cancellation, we retain your data for up to 30 days to allow for data recovery or export. After this period, your data is permanently deleted from our active systems.

Certain data may be retained for longer periods where required by law (e.g., financial records for tax purposes as required by SARS, which may be up to 5 years).

6. Data Sharing and Third Parties

We do not sell your personal information. We may share your data with the following categories of third parties, solely for the purposes described:

  • Cloud Infrastructure Providers: Secure cloud hosting and database services — for operating and storing the Service
  • Payment Processors: PayFast — for processing subscription payments securely
  • Marketplace Platforms: Takealot — when you connect your seller account, we exchange product and order data via their API
  • Email Services: For sending transactional emails such as account verification, password resets, and billing notifications

All third-party service providers are bound by contractual obligations to protect your data and are prohibited from using it for any purpose other than providing their services to us.

We may also disclose your information if required to do so by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Online POS, our users, or the public.

7. Third-Party Integrations

When you connect a third-party integration (such as Takealot), you authorise us to access and process your seller account data through the platform's official API. This includes product listings, pricing data, order information, and inventory levels.

We only access data that is necessary to provide our synchronisation, auto-pricing, and order management features. You can disconnect an integration at any time from your account settings, which will stop further data exchange with that platform.

Your use of third-party platforms is subject to their own privacy policies and terms of service. We encourage you to review the privacy practices of any third-party service you connect to.

8. Your Rights Under POPIA

Under the Protection of Personal Information Act (POPIA), you have the following rights regarding your personal information:

  • Right to Access: You may request confirmation of whether we hold personal information about you and request access to that information
  • Right to Correction: You may request that we correct or update any inaccurate, incomplete, or misleading personal information
  • Right to Deletion: You may request the deletion of your personal information, subject to any legal obligations requiring us to retain certain data
  • Right to Object: You may object to the processing of your personal information on reasonable grounds, unless legislation provides for such processing
  • Right to Data Portability: You may request your data in a standard, machine-readable format (CSV, Excel) through our built-in export features
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your personal information has been mishandled

To exercise any of these rights, contact our Information Officer at support@online-pos.co.za. We will respond to your request within 30 days as required by POPIA.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.

10. Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential Cookies: Required for the Service to function properly, including authentication session tokens, CSRF protection tokens, and user preference settings. These cannot be disabled
  • Functional Cookies: Used to remember your preferences, such as language settings, theme preferences, and sidebar state

We do not use third-party advertising or tracking cookies. We do not participate in cross-site tracking or retargeting. We do not share cookie data with advertisers or ad networks.

11. International Data Transfers

As a cloud-based service, your data may be processed or stored in data centres located outside the Republic of South Africa. Where such transfers occur, we ensure that adequate safeguards are in place as required by Section 72 of POPIA, including ensuring that the recipient country has adequate data protection legislation or that appropriate contractual protections are in place.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, as required by Section 22 of POPIA. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records affected
  • The measures taken or proposed to address the breach
  • Recommendations for what you can do to mitigate potential harm
  • Contact details of our Information Officer

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes via email or through a prominent notice within the Service at least 14 days before the changes take effect.

We encourage you to review this policy periodically. The "Last updated" date at the top indicates when this policy was last revised. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

14. Information Regulator Contact

If you are unsatisfied with our handling of your personal information, you may lodge a complaint with the Information Regulator of South Africa:

  • Email: complaints.IR@justice.gov.za
  • Website: www.justice.gov.za/inforeg

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Privacy enquiries: support@online-pos.co.za
  • General support: support@online-pos.co.za
  • Country: South Africa