Privacy Policy
Last updated: May 2026
1. Introduction
THUMA Commerce ("THUMA," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at thuma.store and all related subdomains, dashboards, and services (collectively, the "Service"). This policy complies with the Protection of Personal Information Act, 2013 (POPIA) of South Africa.
2. Information We Collect
- Account Information: When you register as a merchant or customer, we collect your name, email address, phone number, business name, and store handle.
- Payment Information: We collect payment details necessary to process transactions. Credit card and banking details are processed by our payment partner, Peach Payments (PCI DSS Level 1 certified), and are never stored on THUMA servers.
- Store Data: Products, pricing, inventory, orders, customer lists, and analytics generated through your use of the Service.
- Customer Data: When customers place orders through a merchant store, we collect their name, delivery address, email, phone number, and order details. Merchants act as the Responsible Party for their customer data; THUMA acts as an Operator.
- Technical Data: IP address, browser type, device information, pages visited, and timestamps — collected via standard server logs and analytics.
- Communication Data: Emails, WhatsApp messages, and support tickets exchanged with us.
3. How We Use Your Information
- Service Delivery: To provide, maintain, and improve the Service — including order processing, courier integration, payment routing, and storefront hosting.
- Communication: To send transactional emails (order confirmations, shipping updates), service announcements, and — with your consent — marketing communications.
- Analytics: To understand usage patterns and improve the platform. Aggregated, anonymised data may be used for industry benchmarks.
- Legal Compliance: To comply with applicable laws, including POPIA, the Consumer Protection Act, and SARS requirements for VAT invoicing.
- Security: To detect, prevent, and address fraud, abuse, and technical issues.
4. Data Sharing and Third Parties
We share data only as necessary to deliver the Service. Third-party recipients include:
- Payment Processors (Peach Payments): For processing customer payments. Peach Payments is PCI DSS Level 1 compliant.
- Courier Partners (TCG, PUDO, Aramex, RAM, CourierIT): Name, delivery address, phone number, and parcel details are shared to generate waybills and facilitate delivery.
- WhatsApp (Meta): If a merchant enables WhatsApp commerce, customer phone numbers and order details may be sent via the WhatsApp Business API. Meta's data processing is governed by their terms.
- Cloud Infrastructure: Our services run on Vercel (hosting) and Neon (database), with data stored in European and US data centres. We use Cloudflare R2 for image storage.
- Accounting Integrations: If a merchant connects Sage or Xero, invoice and transaction data are sent to those services.
We do not sell, rent, or trade personal information to third parties for their marketing purposes.
5. Data Residency and Transfers
While our infrastructure providers may store data outside South Africa, we select providers with strong data protection standards. All data transfers comply with POPIA requirements for cross-border data flows. Our primary database is hosted by Neon in the EU (Frankfurt region).
6. Cookies
We use essential cookies for session management and authentication. Analytics cookies (if enabled) track anonymous usage patterns. You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. After account termination, we retain transactional records for 5 years (as required by South African tax law under the Tax Administration Act). Customer personal data associated with orders is retained for the same period. You may request earlier deletion of non-mandatory records.
8. Your Rights Under POPIA
Under POPIA, you have the right to:
- Access the personal information we hold about you
- Request correction or deletion of inaccurate information
- Object to the processing of your personal information
- Lodge a complaint with the Information Regulator of South Africa
- Withdraw consent where processing is based on consent
To exercise these rights, contact us at privacy@thuma.store. We will respond within 30 days as required by POPIA.
9. Merchant Responsibilities (POPIA)
Merchants using THUMA to collect customer data are Responsible Parties under POPIA. Merchants must:
- Obtain consent from their customers for data collection and processing
- Only collect data necessary for order fulfilment and legitimate business purposes
- Secure customer data and limit access to authorised personnel
- Respond to customer data access and deletion requests within POPIA timeframes
- Notify THUMA immediately of any data breach affecting their store
10. Security
We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest, access controls, and regular security reviews. Payment data is tokenised and never stored on our servers. However, no method of electronic transmission or storage is 100% secure.
11. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active merchants and via a notice on the platform. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related inquiries or to exercise your POPIA rights:
- Email: privacy@thuma.store
- Postal: THUMA Commerce, South Africa
- Information Regulator of South Africa: https://www.justice.gov.za/inforeg/