🔒 This policy is written in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), South Africa's primary data protection law. We are committed to processing your personal information lawfully, fairly, and transparently.
1. Who We Are (Responsible Party)
ArtworkHub SA (Pty) Ltd is the Responsible Party as defined in POPIA. We determine the purpose and means of processing your personal information.
Our designated Information Officer is responsible for overseeing compliance with POPIA. Contact details are available on our POPIA Notice.
2. What Personal Information We Collect
| Category | Data Collected | Who It Applies To |
| --- | --- | --- |
| Account | Name, email address, password (hashed), account type | All registered users |
| Profile | Bio, profile photo, city, province, social media links, artistic statement | Artists & galleries |
| Orders | Shipping address, contact phone, order details | Buyers |
| Payments | Payment method preference, EFT reference numbers (we do not store card numbers) | Buyers & artists |
| Artworks | Artwork images, titles, descriptions, pricing, dimensions | Artists & galleries |
| Auction Activity | Bids placed, amounts, timestamps | Bidders |
| Class Bookings | Booking details, attendance status | Students |
| Technical | IP address, browser type, session data, page views | All visitors |
| Communications | Messages sent through the platform, newsletter subscriptions | All users |
3. How We Use Your Personal Information
We process your personal information only for the following purposes:
- Providing the service — creating accounts, processing orders, facilitating auctions and class bookings.
- Communications — order confirmations, password resets, notifications about your account activity.
- Platform safety — detecting fraud, verifying identity, enforcing our Terms of Service.
- Marketing — sending newsletters or promotional emails only with your consent, which you can withdraw at any time.
- Analytics — understanding how the platform is used to improve it (aggregated, anonymised where possible).
- Legal compliance — retaining transaction records as required by South African tax and commercial law.
4. Legal Basis for Processing
Under POPIA, we process your information on the following grounds:
- Contract performance — processing necessary to fulfil your order or provide services you've signed up for.
- Legitimate interests — platform security, fraud prevention, analytics.
- Consent — marketing emails and newsletter subscriptions. You may withdraw consent at any time.
- Legal obligation — retaining financial records as required by the South African Revenue Service (SARS).
5. Who We Share Your Information With
We do not sell your personal information. We share only what is necessary:
- Artists and buyers — an artist sees your shipping address and contact details to fulfil your order. A buyer sees artist contact information to complete a purchase.
- Payment processors — PayFast processes payments and is subject to its own privacy policy.
- Hosting and infrastructure — our servers and database providers are bound by data processing agreements.
- Email service providers — used to send transactional and marketing emails.
- Law enforcement — where required by court order or applicable South African law.
6. Cookies
We use the following cookies:
- Session cookie — keeps you logged in during your visit. Deleted when you close your browser.
- CSRF token — protects forms from cross-site attacks. Session-scoped.
- Analytics (optional) — Google Analytics or similar, to understand page usage. These can be blocked with browser extensions.
You can manage cookies in your browser settings. Blocking session cookies will prevent you from logging in.
7. Data Retention
- Active accounts — retained while your account is active.
- Inactive accounts — personal data anonymised or deleted after 3 years of inactivity, unless legal retention applies.
- Transaction records — retained for 5 years as required by South African tax law.
- Audit logs — retained for 12 months.
8. Your Rights Under POPIA
As a data subject you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request that inaccurate information be corrected.
- Deletion — request deletion of your data (subject to legal retention obligations).
- Objection — object to processing for direct marketing at any time.
- Complaint — lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.
To exercise any of these rights, email our Information Officer as detailed on our POPIA Notice. We will respond within 30 days.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Passwords hashed using bcrypt (never stored in plain text).
- HTTPS encryption for all data in transit.
- CSRF protection on all forms.
- Session-based authentication with idle timeout.
- Access controls limiting staff access to personal data on a need-to-know basis.
In the event of a data breach that poses a risk to you, we will notify the Information Regulator within 72 hours and affected individuals as soon as reasonably possible.
10. Children's Privacy
The Platform is not directed at children under 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us immediately.
11. Changes to This Policy
We will notify registered users of material changes to this policy by email and by updating the version number and effective date at the top. Continued use of the Platform after changes constitutes acceptance.
12. Contact
Privacy queries: privacy@artworkhubsa.co.za
Information Officer details: POPIA Notice