Privacy policy
This Privacy Policy describes how BioStrata (the "Site", "we", "us", or "our") collects, uses, and discloses your personal information when you visit, use our services, or make a purchase from biostrata.co.za (the "Site") or otherwise communicate with us (collectively, the "Services"). For purposes of this Privacy Policy, "you" and "your" means you as the user of the Services, whether you are a customer, website visitor, or another individual whose information we have collected pursuant to this Privacy Policy. Please read this Privacy Policy carefully. By using and accessing any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use or access any of the Services.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the "Last updated" date and take any other steps required by applicable law.
How We Collect and Use Your Personal Information
To provide the Services, we collect and have collected over the past 12 months personal information about you from a variety of sources, as set out below. The information that we collect and use varies depending on how you interact with us. In addition to the specific uses set out below, we may use information we collect about you to communicate with you, provide the Services, comply with any applicable legal obligations, enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.
At BioStrata, we process your personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”). The legal bases on which we rely for the collection and processing of your personal information include the following:
- Your Consent – Where you have given us clear, informed, and voluntary permission to process your personal information for specific purposes (e.g., subscribing to our newsletter or creating an account on our website).
- Contractual Necessity – Where processing is necessary to enter into or perform a contract with you (e.g., fulfilling your order for a BioStrata product).
- Legal Obligation – Where we are required to process your personal information in order to comply with legal and regulatory obligations (e.g., issuing tax invoices or retaining transaction records).
- Legitimate Interests – Where processing is necessary to pursue our legitimate interests or the legitimate interests of a third party, provided such interests do not override your fundamental privacy rights (e.g., improving our services, preventing fraud, or conducting analytics).
We only collect and use personal information that is adequate, relevant, and not excessive for the purposes stated above, and we implement appropriate safeguards to protect your data in line with POPIA’s requirements.
What Personal Information We Collect
The types of personal information we obtain about you depend on how you interact with our Site and use our Services. When we use the term "personal information", we are referring to information that identifies, relates to, describes or can be associated with you. The following sections describe the categories and specific types of personal information we collect.
Information We Collect Directly from You
Information that you directly submit to us through our Services may include:
- Basic contact details including your name, address, phone number, email.
- Order information including your name, billing address, shipping address, payment confirmation, email address, phone number.
- Account information including your username, password, security questions.
- Shopping information including the items you view, put in your cart or add to your wishlist.
- Customer support information including the information you choose to include in communications with us, for example, when sending a message through the Services.
Some features of the Services may require you to directly provide us with certain information about yourself. You may elect not to provide this information, but doing so may prevent you from using or accessing these features.
Your Rights Under the Protection of Personal Information Act (POPIA): As a data subject, you have the following rights in terms of the Protection of Personal Information Act, 4 of 2013 (“POPIA”). At BioStrata, we are committed to upholding these rights and providing mechanisms to help you exercise them easily and effectively:
- Right of Access: You have the right to request confirmation of whether we hold personal information about you, and if so, to request access to that information, including details of what data we hold and how it is being processed.
- Right to Correction: You may request that we correct or update any personal information we hold about you that is inaccurate, incomplete, or outdated.
- Right to Deletion: You may request the deletion or destruction of your personal information where there is no longer a lawful basis for us to retain it, subject to certain legal and regulatory obligations.
- Right to Object to Processing: You may object, on reasonable grounds, to the processing of your personal information where such processing is not required by law, contract, or legitimate interest.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before its withdrawal.
- Right to Lodge a Complaint: If you believe we have processed your personal information unlawfully or infringed your rights under POPIA, you have the right to lodge a complaint with the Information Regulator at:
  - Website: https://www.inforegulator.org.za
  - Email: complaints.IR@justice.gov.za
  - Telephone: 010 023 5200
Information We Collect through Cookies
We also automatically collect certain information about your interaction with the Services ("Usage Data"). To do this, we may use cookies, pixels and similar technologies ("Cookies"). Usage Data may include information about how you access and use our Site and your account, including device information, browser information, information about your network connection, your IP address and other information regarding your interaction with the Services.
Information We Obtain from Third Parties
Finally, we may obtain information about you from third parties, including from vendors and service providers who may collect information on our behalf, such as:
- Companies who support our Site and Services, such as Shopify.
- Our payment processors, who collect payment information (e.g., bank account, credit or debit card information, billing address) to process your payment in order to fulfill your orders and provide you with products or services you have requested, in order to perform our contract with you.
When you visit our Site, open or click on emails we send you, or interact with our Services or advertisements, we, or third parties we work with, may automatically collect certain information using online tracking technologies such as pixels, web beacons, software developer kits, third-party libraries, and cookies.
Any information we obtain from third parties will be treated in accordance with this Privacy Policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and are not responsible for any third party's policies or practices. For more information, see the section below, Third Party Websites and Links.
In certain circumstances, BioStrata may transfer your personal information to third parties or service providers located outside the borders of the Republic of South Africa. These transfers may be necessary for the purposes of data hosting, order processing, analytics, or other services related to the functioning and improvement of our website and operations. In compliance with Section 72 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), we will only transfer personal information across South African borders if one or more of the following conditions are met:
- The recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection for personal information in line with the principles set out in POPIA;
- You have provided explicit consent to the transfer;
- The transfer is necessary for the performance of a contract between you and BioStrata, or for the implementation of pre-contractual measures taken at your request;
- The transfer is for your benefit and it is not reasonably practicable to obtain your consent, and if it were, you would be likely to give it;
- The transfer is otherwise permissible under any applicable law or regulation.
BioStrata takes all reasonable steps to ensure that any party receiving your personal information provides an adequate level of protection and processes your data in a manner consistent with this privacy policy.
How We Use Your Personal Information
Providing Products and Services
We use your personal information to provide you with the Services in order to perform our contract with you, including to process your payments, fulfill your orders, to send notifications to you related to your account, purchases, returns, exchanges or other transactions, to create, maintain and otherwise manage your account, to arrange for shipping, facilitate any returns and exchanges and to enable you to post reviews.
Marketing and Advertising
We use your personal information for marketing and promotional purposes, such as to send marketing, advertising and promotional communications by email, text message or postal mail, and to show you advertisements for products or services. This may include using your personal information to better tailor the Services and advertising on our Site and other websites.
Security and Fraud Prevention
We use your personal information to detect, investigate or take action regarding possible fraudulent, illegal or malicious activity. If you choose to use the Services and register an account, you are responsible for keeping your account credentials safe. We highly recommend that you do not share your username, password, or other access details with anyone else. If you believe your account has been compromised, please contact us immediately.
BioStrata takes the security of your personal information seriously and implements appropriate, reasonable technical and organisational measures to protect it from loss, misuse, unauthorised access, disclosure, alteration, or destruction, as required under Section 19 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”). The safeguards we have put in place include, but are not limited to:
Technical Measures:
- Encryption of data during transmission.
- Secure hosting environments and firewalls to prevent unauthorised access.
- Regular software updates to our systems and plugins.
- Password protection for data access.
Organisational Measures:
- Staff training on data privacy and security practices.
- Confidentiality agreements with all employees.
- Controlled access to physical and digital data storage areas.
- Routine audits and assessments of our data protection measures.
While we take all reasonable precautions to protect your information, no system can be guaranteed 100% secure.
Communicating with You
We use your personal information to provide you with customer support and improve our Services. This is in our legitimate interests in order to be responsive to you, to provide effective services to you, and to maintain our business relationship with you.
In accordance with Section 11 of the Consumer Protection Act, 68 of 2008 (“CPA”), you have the right to refuse or opt out of any direct marketing communications from BioStrata at any time. We may send you marketing communications from time to time to inform you about new products, special offers, or company updates. These communications may be sent via email, SMS, or other digital platforms, but only where:
- You have provided your express or implied consent; or
- You are an existing customer and the communication relates to similar products or services previously purchased.
You can opt out of receiving direct marketing communications at any time by:
- Clicking the “unsubscribe” link included in all email communications; or
- Contacting us directly and requesting to be removed from our marketing list.
We will process opt-out requests as soon as reasonably possible and will ensure that your preferences are respected. Please note that even if you opt out of marketing communications, we may still contact you for transactional or service-related purposes, including but not limited to, order confirmations, shipping notifications, or updates to our terms and policies.
Cookies
Like many websites, we use Cookies on our Site. For specific information about the Cookies that we use related to powering our store with Shopify, see https://www.shopify.com/legal/cookies. We use Cookies to power and improve our Site and our Services (including to remember your actions and preferences), to run analytics and better understand user interaction with the Services (in our legitimate interests to administer, improve and optimize the Services). We may also permit third parties and service providers to use Cookies on our Site to better tailor the services, products and advertising on our Site and other websites. Most browsers automatically accept Cookies by default, but you can choose to set your browser to remove or reject Cookies through your browser controls. Please keep in mind that removing or blocking Cookies can negatively impact your user experience and may cause some of the Services, including certain features and general functionality, to work incorrectly or no longer be available. Additionally, blocking Cookies may not completely prevent how we share information with third parties such as our advertising partners.
How We Disclose Personal Information
In certain circumstances, we may disclose your personal information to third parties for legitimate purposes subject to this Privacy Policy. Such circumstances may include:
- With vendors or other third parties who perform services on our behalf (e.g., IT management, payment processing, data analytics, customer support, cloud storage, fulfillment and shipping).
- With business and marketing partners, including Shopify, to provide services and advertise to you.
- When you direct, request us or otherwise consent to our disclosure of certain information to third parties, such as to ship you a product or through your use of social media widgets or login integrations, with your consent.
- With our affiliates or otherwise within our corporate group, in our legitimate interests to run a successful business.
- In connection with a business transaction such as a merger or bankruptcy, to comply with any applicable legal obligations (including to respond to subpoenas, search warrants and similar requests), to enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.
We have, in the past 12 months, disclosed the following categories of personal information and sensitive personal information (denoted by *) about users for the purposes set out above in "How we Collect and Use your Personal Information" and "How we Disclose Personal Information":
| Category | Categories of Recipients |
|---|---|
| Identifiers such as basic contact details and certain order and account information | Vendors and third parties who perform services on our behalf (such as Internet service providers, payment processors, fulfillment partners, customer support partners and data analytics providers), Business and marketing partners, Affiliates |
| Commercial information such as order information, shopping information and customer support information | Vendors and third parties who perform services on our behalf (such as Internet service providers, payment processors, fulfillment partners, customer support partners and data analytics providers), Business and marketing partners, Affiliates |
| Internet or other similar network activity, such as Usage Data | Vendors and third parties who perform services on our behalf (such as Internet service providers, payment processors, fulfillment partners, customer support partners and data analytics providers), Business and marketing partners, Affiliates |
We do not use or disclose sensitive personal information for the purposes of inferring characteristics about you. We have “sold” and “shared” (as those terms are defined in applicable law) personal information over the preceding 12 months for the purpose of engaging in advertising and marketing activities, as follows.
| Category of Personal Information | Categories of Recipients |
|---|---|
| Identifiers such as basic contact details and certain order and account information | Business and marketing partners |
| Commercial information such as records of products or services purchased and shopping information | Business and marketing partners |
| Internet or other similar network activity, such as Usage Data | Business and marketing partners |
We may share your personal information with third-party service providers to facilitate the delivery of our products and services, ensure the security of our operations, and enhance your customer experience. These third parties are contractually obligated to protect your information and use it solely for the purposes specified by us. Categories of third-party service providers include:
- Payment Processors: To process transactions securely and efficiently.
- Shipping and Logistics Partners: To deliver your orders to your specified address.
- Customer Support Services: To assist with inquiries, complaints, and other customer service needs.
- Marketing and Advertising Agencies: To manage marketing campaigns and communications, subject to your marketing preferences.
- IT and Data Hosting Providers: To host our website, manage data storage, and ensure cybersecurity.
- Analytics and Performance Monitoring Tools: To analyse website usage and improve our services.
Each of these third-party service providers is contractually obligated to protect your personal information and to use it only for the specific purposes for which it was shared. We do not authorise any of our service providers to use your personal information for their own marketing purposes.
User Generated Content
The Services may enable you to post product reviews and other user-generated content. If you choose to submit user-generated content to any public area of the Services, this content will be public and accessible by anyone. We do not control who will have access to the information that you choose to make available.