1. Responsible party
The responsible party for personal information collected through this website, our workshop operations, and related channels is the business trading as Butter My Sofa, with workshop at 42 Broadway East, Valhalla, Centurion, South Africa (unless we notify you otherwise in writing).
2. Information officer & enquiries
POPIA requires accountability. Enquiries about this notice, access or correction requests, and complaints handling may be directed to our Information Officer using the contact details published on our website (Contact section / contact form) or by post to the workshop address above. Mark correspondence “POPIA / Privacy”.
We may appoint or update deputies, processors, or operators from time to time. Where we do, we remain responsible for their processing under POPIA to the extent required by law.
3. Categories of personal information we may collect
Depending on how you interact with us, we may process:
- Identity & contact data: name, email address, phone number, delivery address, province, and similar fields you submit at checkout, on forms, or when requesting a quote.
- Account data (optional): if you create a customer account, we store your email (and display name if provided) and a password verifier derived using industry-standard one-way hashing (we do not store your password in readable form).
- Transaction & order data: order identifiers, basket line items, amounts in South African Rand (ZAR), payment status as reported by our payment provider, shipping and fulfilment notes, and communications about your order.
- Quote & project data: descriptions, dimensions, notes, and files you upload for custom work (which may include photographs of furniture or spaces).
- Technical & security metadata: server logs, IP address, user agent, timestamps, cookies or similar identifiers where applicable, and fraud-prevention signals available to our hosting or payment infrastructure.
- Support & inbox content: messages you send via contact forms or email.
We aim to collect only what is reasonably necessary for the purposes in section 4. Voluntary fields should be limited to what you choose to share.
4. Purposes & lawful bases of processing
We process personal information for purposes including:
- Contract & pre-contract steps: quoting, order placement, payment initiation, delivery, after-sales support, and account services you request.
- Legal obligation: tax, accounting, consumer-law, or regulatory compliance where applicable.
- Legitimate interests of our business (where balanced with your rights): website security, abuse prevention, operational analytics that do not unduly profile you, quality control, defending legal claims, and improving our services. Where POPIA requires consent for specific processing, we will seek it separately (for example, certain direct marketing).
- Consent where we rely on consent (e.g. optional marketing). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
5. Payment processing — PayFast & card data
Card payments are processed by PayFast (or a successor notified on our checkout). Card numbers, authentication (including any 3-D Secure step), and payment credentials are collected and processed by PayFast under its agreements and privacy policy — not by us on our own servers. We receive limited payment outcome data (for example, success/failure references) needed to reconcile orders.
You should review PayFast’s terms and privacy documentation before paying. We are not responsible for PayFast’s independent processing except to the extent imposed by mandatory law.
6. Hosting, cloud infrastructure & international transfers
Our website and APIs may be hosted on Cloudflare (and related edge infrastructure) with storage (including databases and object storage) in Cloudflare’s environment. That may involve processing or storage outside South Africa, including in jurisdictions that do not have the same privacy laws as South Africa.
Where personal information is transferred cross-border, we rely on lawful mechanisms available under POPIA (including consent where appropriate, operator agreements, and the safeguards required by law). By using the site and submitting information, you acknowledge this practical reality of cloud-hosted commerce, subject to your statutory rights.
7. Operators, processors & third parties
We may engage service providers (operators/processors) to help run the business — for example payment gateways, email delivery, analytics, or IT security. They may only process personal information on our documented instructions or as otherwise permitted by law, and we seek to impose confidentiality and security obligations contractually where feasible.
We do not sell your personal information as a commodity. We may disclose information to regulators, courts, or law enforcement when legally compelled, or to assert or defend our legal rights.
8. Cookies & similar technologies
We use strictly necessary cookies or similar mechanisms for security and session management (for example, signed HttpOnly session cookies for optional customer accounts and our admin console). We avoid non-essential tracking cookies where possible. Browser controls can limit cookies, but some features may not function without them.
9. Retention
We retain personal information only as long as needed for the purposes collected, legal record-keeping, tax, and dispute resolution. Indicative periods (non-exhaustive, subject to legal change and business needs):
- Orders & invoices: commonly at least 5 years for tax and commercial records.
- Quotes & project files: for a reasonable period to perform or decline work, manage warranties, and defend claims — typically up to several years unless a longer period is justified.
- Marketing consents & mailing lists: until withdrawn or the relationship ends, plus a short reconciliation tail.
- Security logs: shorter rolling retention where technically configured.
When retention expires, we delete or irreversibly de-identify information where practicable, unless a narrow archival carve-out applies.
10. Security measures
We implement reasonable technical and organisational measures appropriate to the risk, including transport encryption (HTTPS), access controls, separation of duties for administration, password hashing for accounts, and reliance on reputable payment and hosting providers. No system is perfectly secure; you accept residual internet risk and agree to use strong passwords and protect your devices.
11. Your rights under POPIA (summary)
Subject to POPIA conditions and exemptions, you may have the right to:
- request confirmation of whether we hold personal information about you;
- request access to certain records (PAIA may also apply to some records);
- request correction or deletion where appropriate;
- object to processing in prescribed circumstances;
- lodge a complaint with the Information Regulator (South Africa).
Information Regulator: inforegulator.org.za. We encourage you to contact us first so we can try to resolve concerns efficiently.
12. Direct marketing
If we send direct marketing by electronic communication, we will do so in line with POPIA and the Consumer Protection Act 68 of 2008 (CPA) (where applicable), including honouring opt-outs and maintaining reasonable unsubscribe mechanisms. We will not require consent to unrelated processing as a condition of sale unless lawfully framed.
13. Children
Our services are intended for adults and commercial transactions. We do not knowingly market to or contract with children without appropriate guardian involvement. If you believe a minor’s data was collected improperly, contact us promptly.
14. Automated decision-making
We do not use solely automated decisions that produce legal or similarly significant effects on you in the sense contemplated by POPIA section 71. Pricing and checkout rules are deterministic business logic, not profiling that replaces human review for legal outcomes.
15. Changes to this notice
We may update this notice to reflect legal, technical, or operational changes. Material changes will be indicated by updating the effective date below and, where appropriate, additional notice on the website. Continued use after changes constitutes acceptance of the updated notice to the extent permitted by law.
Effective date: 14 May 2026 · Document version: 1.0