www.tabalot.com

Privacy Policy

1.  Introduction 

Tabalot (Pty) Ltd ("we", "us", "our"), registration number 2022/885803/07, operates the Tabalot marketplace application ("App") in compliance with South Africa’s Protection of Personal Information Act 4 of 2013 (POPIA). This policy governs the processing of personal data for users within South Africa.


2.  Scope and Applicability 

2.1  Jurisdictional Coverage 

This policy applies to:

  • Natural persons residing in South Africa.
  • Juristic persons (e.g., businesses) registered in South Africa.

2.2  Exclusions 

  • Users under 18 years old (see Section 9).
  • Data processed by third-party payment gateways (e.g., PAYGATE), which are subject to their own privacy policies.


3.  Information We Collect 

3.1 Data Provided by Users 

Category: Account Data
Examples: Name, email, phone number, profile photo, date of birth and location.
Purpose: User authentication, account management

Category: Content Data
Examples: Product listings, chat logs, ratings
Purpose: Service delivery, dispute resolution


3.2 Automatically Collected Data 

  • Device Information: IP address, device model, OS version.
  • Usage Analytics: Session duration, feature interaction patterns.
  • Geolocation: Approximate location (city-level) for item proximity features.

4. Legal Basis for Processing 

We process data under Section 11 of POPIA on the following bases:

Basis: Contractual Necessity
Use Case: Core App functionality (e.g., account creation, transactions)

Basis: Legitimate Interest
Use Case: Fraud prevention, service optimization

Basis: Explicit Consent
Use Case: Marketing communications, precise geolocation


5. Data Sharing and Third-Party Governance 

5.1 Recipients of Data 

Third Party: Google GCP
Data Shared: Hosting infrastructure
Safeguards: SCCs, ISO 27001 certification

Third Party: PAYGATE
Data Shared: Payment processing
Safeguards: PCI-DSS compliance


5.2 SDK Governance 

We maintain a public directory of third-party SDKs:

SDK: Google GCP, Apple Developer, Firebase
Purpose: Analytics, crash reporting
Data Collected: Device ID, usage events

SDK: Google Login
Purpose: Social authentication
Data Collected: Public profile data


Pre-Integration Requirements:

  • Privacy impact assessments for all SDKs.
  • Annual audits of data flows.

6. User Rights (Section 23 of the POPIA)

6.1 Exercisable Rights 

As a data subject, you have the following rights under POPIA:

  • Access: Request a copy of your data.
  • Rectification: Correct inaccurate information.
  • Erasure: Delete non-essential data.
  • Objection to the processing of personal data for direct marketing.

6.2 Response Protocol 

  • Submit requests to dpo@tabalot.com with valid ID verification.
  • Responses within 30 calendar days in accordance with Section 25 of the POPIA.

7. Data Security 

7.1 Technical Measures 

  • Encryption: AES-256 (data at rest), TLS 1.3 (data in transit).
  • Access Controls: Role-based permissions, multi-factor authentication.

7.2 Breach Management 

  • Notification Timeline: 72 hours to the Information Regulator.
  • User Alerts: Issued via email for high-risk breaches.

8. Data Retention Schedule 

Data Type: Chat Logs
Retention Period: 1 year
Legal Basis: Dispute resolution

Data Type: Transaction Records
Retention Period: 5 years
Legal Basis: Tax Administration Act

Data Type: Marketing Consent
Retention Period: Until revoked
Legal Basis: Section 69 of the POPIA


9. Children’s Privacy 

  • Age Verification: Confirmation during registration.
  • Underage Accounts: Deleted within 48 hours of detection, in accordance with POPIA.

10. International Transfers 

  • EU/US Transfers: Protected by Standard Contractual Clauses (SCCs) with Google.
  • Localization: Primary storage in Johannesburg data centers.

11. Direct Marketing 

11.1 Consent Framework 

  • Opt-In: Separate toggle for email promotions.
  • Opt-Out: "Unsubscribe" link in all marketing communications.

11.2 Cookie Consent 

  • Categories: Essential cookies.
  • Management: In-app privacy dashboard to manage cookie preferences.

12. Policy Updates 

  • Material Changes: 30-day notice via email.
  • Version History: Archived at Tabalot Policy Hub.

13. Contact Information 

Role: Information Officer
Details: Cedar Place, Bryanston
Email: dpo@tabalot.com

Role: Information Regulator
Details: JD House, Braamfontein


Annex A: Definitions

  • Juristic Persons: Companies/entities registered with CIPC.
  • SCCs: Standard Contractual Clauses (EU 2021/914).

This policy meets ISO 27701 standards for privacy management systems.

TABALOT MEDIA GROUP

Copyright © 2025 Tabalot - All Rights Reserved.
