POPIA Compliance

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's primary data privacy legislation. It came into full effect on 1 July 2021. POPIA gives South African residents the right to have their personal information protected and sets out rules for how organisations may lawfully collect, store, use, and share personal information.

Family Marketplace (Pty) Ltd is committed to full compliance with POPIA and respects the privacy rights of all data subjects (users) on our platform.

Under POPIA, Family Marketplace acts as the Responsible Party — the entity that determines the purpose and means of processing your personal information.

We only process your personal information when we have a lawful basis to do so under POPIA Section 11:

• Consent: You have given us specific consent to process your personal information (e.g., when registering an account).
• Contract: Processing is necessary to fulfil a contract with you (e.g., processing subscription payments).
• Legal obligation: We are required by law to process your information (e.g., FICA, tax compliance).
• Legitimate interest: Processing is necessary for our legitimate business interests, provided these do not override your rights.

• Full name, email address, phone number
• South African ID number (for identity verification)
• Physical address and location data
• Payment information (processed securely by PayFast/Paystack — we do not store card details)
• Business registration details (for vendor accounts)
• User-generated content (listings, photos, messages)
• Device and browser information, IP addresses
• Cookies and usage analytics (see our Cookie Policy)

Under POPIA, you have the following rights regarding your personal information:

To exercise any of these rights, email us at privacy@familymarketplace.co.za. We will respond within 30 days as required by POPIA.

We retain your personal information only for as long as necessary for the purpose it was collected, or as required by law:

• Active accounts: For the duration of your account plus 3 years after closure.
• Transaction records: 5 years (required by South African tax law).
• Identity verification records: 5 years after account closure.
• Listings and content: Deleted within 30 days of account closure.
• Cookies/analytics data: Maximum 24 months.

We may transfer personal information outside South Africa to service providers (e.g., cloud hosting, email services, AI services). All such transfers comply with POPIA Section 72, ensuring the recipient country provides an adequate level of protection, or appropriate safeguards are in place.

Our key third-party processors include:

• PayFast – Payment processing (South Africa)
• Paystack – Payment processing (South Africa)
• OpenAI – AI-powered features (USA — Standard Contractual Clauses apply)
• Google – Maps, analytics (USA — Standard Contractual Clauses apply)

We implement appropriate technical and organisational measures to protect your personal information against:

• Unauthorised access, disclosure, or alteration
• Loss, destruction, or damage

Measures include SSL/TLS encryption, password hashing (bcrypt), role-based access controls, and regular security audits.

In the event of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as soon as reasonably possible, in accordance with POPIA Section 22.

If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with:

For any POPIA-related queries, access requests, or complaints:

• Email: privacy@familymarketplace.co.za
• Response time: Within 30 days as required by POPIA
• Online form: Contact Us