Privacy Policy
How Noeva collects, uses, shares, and retains personal information. Issued under section 18 of POPIA.
Version: 0.1 · Last updated: 17 May 2026 · Operator: Noeva (Pty) Ltd, South Africa
1. About this policy
This Privacy Policy explains how Noeva collects, uses, shares, and retains personal information when you use the Noeva commerce platform (“Noeva”, “we”, “us”).
It is issued under section 18 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”). It applies to:
- Sellers — independent merchants who use Noeva to receive payments and ship parcels.
- Customers — people who pay for goods at the Noeva checkout.
- Visitors — anyone who interacts with our WhatsApp bot, our shareable product links, or our web pages.
We are the responsible party under POPIA for personal information we collect directly. For data we process on behalf of Sellers (e.g., their customer addresses for delivery), we act as the operator.
2. Information we collect
2.1 From Sellers
| Data | Purpose | Lawful basis |
|---|---|---|
| WhatsApp phone number | Account identifier, login proxy | Contract performance (s.11(1)(b)) |
| Name, business name | Account display, customer messaging | Contract performance |
| Collection address (lat/lng + raw) | Locker assignment, shipping origin | Contract performance |
| Bank name, account number, account holder name | Payout setup via Paystack | Contract performance + legal obligation (FICA via Paystack) |
| South African ID photo (Tier 2 only) | Identity verification for higher-volume sellers | Legal obligation under SA financial regulations |
| Sales records, GMV, settlement history | Service operation, tax reporting | Contract performance + legal obligation (SARS) |
| WhatsApp conversation state (Redis) | Continuity of the chat flow | Contract performance |
2.2 From Customers
| Data | Purpose | Lawful basis |
|---|---|---|
| WhatsApp phone number | Order tracking notifications, support | Contract performance |
| Name | Order processing, delivery addressing | Contract performance |
| Delivery address (raw + normalized) | Shipping fulfillment | Contract performance |
| Lat / lng of delivery address | Carrier rate lookup, locker assignment | Contract performance |
| Postal code | Shipping eligibility, carrier requirements | Contract performance |
| Payment metadata (card brand, last 4) | Reconciliation, refund processing | Contract performance |
| Order history | Repeat-purchase support, dispute resolution | Contract performance |
We do not ask for or store:
- Customer ID numbers
- Full card numbers, CVVs, or PINs (these are tokenized by Paystack)
- Date of birth
- Income or financial information beyond the transaction
2.3 Automatically
When you visit our checkout page or other web pages:
| Data | Purpose |
|---|---|
| IP address | Rate limiting, fraud prevention, geographic shipping cost estimation |
| User agent (browser/OS) | Compatibility debugging |
| Referrer | Understanding traffic sources |
| Cookies (minimal — session only) | Maintaining a single checkout session |
We do not use third-party analytics cookies, advertising trackers, or cross-site retargeting.
3. How we use your information
- Operate the platform — process orders, charge customers, pay sellers, ship parcels, send tracking updates.
- Communicate — send transactional WhatsApp messages (order confirmations, delivery updates, payout receipts).
- Verify identity — confirm bank account ownership via Paystack; request ID where regulations require.
- Prevent fraud — monitor for suspicious patterns (high-velocity same-phone orders, self-dealing, etc.) per our anti-money-laundering (AML) obligations.
- Comply with law — respond to lawful requests from SARS, SAPS, FIC, or court orders.
- Improve the platform — anonymized usage data informs product decisions; we do not target individuals.
We do not sell your personal information. We do not share it with advertisers.
4. Who we share with
| Recipient | What we share | Why |
|---|---|---|
| Paystack South Africa | Customer payment details, seller bank details, transaction amounts | Payment processing |
| The Courier Guy (TCG) | Seller collection address, customer delivery address, parcel details | Shipping fulfillment |
| Meta (WhatsApp) | Phone numbers (sender + recipient), message contents | WhatsApp Business delivery channel |
| Google Maps Geocoding | Address strings entered at checkout | Resolving addresses to lat/lng |
| Supabase (database hosting) | All platform data | Cloud database operator (POPIA-compliant per DPA) |
| Railway (compute hosting) | All platform data passing through application code | Cloud compute operator |
| SARS, SAPS, FIC, courts | Limited disclosures as legally required | Legal obligation |
We have data-processing agreements in place with each service provider listed above. None are authorized to use your data for their own marketing.
5. Cross-border transfers
Some of our operators (Supabase, Railway, Meta) host data outside South Africa. Under POPIA s.72, we transfer personal data to these operators only where:
- The destination jurisdiction provides adequate protection comparable to POPIA, OR
- The operator is bound by binding corporate rules or contractual clauses that ensure equivalent protection.
6. Data retention
| Data | Retention |
|---|---|
| Active seller account data | Duration of account + 5 years after closure (SARS requirement) |
| Customer data (phone, name, address) | 90 days after last order in a terminal state |
| Order records (amounts, dates, items) | 5 years (SARS) |
| Payment records | 5 years (SARS + FICA via Paystack) |
| ID photos (Tier 2 verification) | Duration of account + 5 years (FICA) |
| WhatsApp conversation state | 12 hours (Redis TTL) |
| Outbound message audit (when enabled) | 30 days |
| Web server access logs | 30 days |
The customer 90-day retention is automatically enforced by a daily cron job that anonymizes recipient records meeting the criteria. The underlying order row is retained for accounting; the personally identifying fields (phone, name, address fields, postal code) are nulled and the recipient name is changed to “Former customer”.
7. Your rights under POPIA
You have the right to:
- Be informed about what data we hold and why (this notice).
- Access your data — we will provide a copy within 30 days.
- Correction of inaccurate data.
- Deletion of data we no longer have a lawful basis to hold.
- Object to processing (including direct marketing).
- Lodge a complaint with the Information Regulator (inforegulator.org.za).
To exercise any of these rights, email privacy@noeva.co.za from the address or WhatsApp number associated with your account, with the subject “POPIA request”.
8. Marketing
We send transactional messages (order confirmations, delivery updates, payout receipts) under our contract with you. These are not marketing.
We send a weekly summary to active sellers showing their sales stats. Sellers can opt out at any time by tapping the “Opt Out” button on a weekly summary or messaging “stop” to the bot.
We do not send marketing communications to customers.
9. Security
We use industry-standard security controls including:
- TLS encryption for all data in transit
- Encryption at rest provided by Supabase (AES-256)
- Bank account numbers redacted from our database within minutes of KYC completion (only last 4 digits retained)
- Bearer tokens for payment APIs never logged
- Webhook signature verification on every incoming payment event
- Rate limiting on customer-facing endpoints
- Audit trail of every outbound message (in test/staging) and every refund (production)
Despite these controls, no system is 100% secure. If we suffer a data breach affecting your personal information, we will notify the Information Regulator and affected data subjects within the time frame required by POPIA s.22.
10. Children
Noeva is not intended for use by anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with their data, please contact privacy@noeva.co.za and we will delete it.
11. Changes to this policy
We may update this policy. Material changes will be communicated by WhatsApp message to active users. The “Last updated” date at the top of this page tracks revisions.
12. Contact
- General privacy questions: privacy@noeva.co.za
- POPIA requests: privacy@noeva.co.za (subject: “POPIA request”)
- Information Regulator (South Africa): inforegulator.org.za · +27 10 023 5200