VelaCommerce Privacy Policy
Last updated: 26 June 2026
This Privacy Policy explains how VelaCommerce processes personal information through the marketing website at velacommerce.co.za, the merchant console, and merchant storefronts hosted on the Platform.
1. Our roles under POPIA
- Responsible Party — for personal information of merchants, prospects, marketing contacts, and visitors to our own website.
- Operator — for personal information of end-customers collected through merchant storefronts. The merchant is the Responsible Party; we process strictly on their documented instruction under the Data Processing Agreement.
2. Information we collect
- Merchant accounts: business name, contact name, email, phone, banking and tax registration details.
- Storefront end-customers (as Operator): name, delivery address, email, phone, order history, pickup-point selections.
- Payment data: processed by the connected payment provider; we store transaction references but not card numbers.
- Technical data: IP address, device, browser, pages viewed, security logs.
3. Lawful basis (POPIA s.11)
We process information to perform the merchant contract, comply with South African tax and consumer law, and pursue our legitimate interests in operating and securing the Platform. Marketing emails are sent only with consent and you may opt out at any time.
4. Sharing with sub-processors
We engage a small set of operators to deliver the Platform — hosting, payments, delivery, and email. The current Sub-processor register is maintained on this site and updated when changes occur.
5. Cross-border transfers
Merchant and end-customer transactional data are hosted in South Africa. Where an operator processes data outside South Africa, we rely on POPIA s.72 safeguards (binding contractual protections that meet an adequate level).
6. Retention
- Order and tax records — 5 years (Tax Administration Act).
- Account records — for the lifetime of the account plus 12 months.
- Marketing preferences — until consent is withdrawn.
- Security and audit logs — 12 months rolling.
7. Your rights (POPIA s.5, 23, 24, 69)
You may:
- request a copy of personal information we hold about you,
- correct or delete information that is inaccurate or no longer needed,
- object to processing, including direct marketing,
- lodge a complaint with the Information Regulator (South Africa).
8. Security
We use TLS in transit, encryption at rest, row-level tenant isolation, per-tenant access controls, and audit logging. We will notify affected parties and the Information Regulator of any security compromise as required by POPIA s.22.
9. Cookies
See the Cookie notice for the cookies set by the marketing site, the merchant console, and storefronts.
10. Information Officer
Information Officer: VelaCommerce
Email: privacy@velacommerce.co.za
