Privacy Policy

Last updated: 5 April 2026

Shipcro (Pty) Ltd, e-mail address privacy@shipcro.co.za, processes the data of persons who use the secure escrow and locker-to-locker delivery platform at shipcro.co.za (hereinafter “the Platform” or “Shipcro”).

GENERAL PROVISIONS

Shipcro ensures that the processing of personal data complies with personal data protection and security legislation, including the South African Protection of Personal Information Act 4 of 2013 (“POPIA”), any other applicable personal data protection legislation, and good business practices.

Shipcro considers the privacy of individuals and the protection of personal data a priority and takes all reasonable measures to guarantee the security and safety of the Platform.

It is important that you read this Privacy Policy together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are fully aware of how and why we are using your personal information. This Privacy Policy supplements those notices and is not intended to override them.

DEFINITIONS

  • User means a person who creates an account on the Platform or uses the services offered on the Platform.
  • Processing of personal data means viewing, collecting, recording, storing, modifying, transmitting or receiving personal data and other operations related to personal data.
  • Platform means the secure escrow and locker-to-locker delivery service offered at shipcro.co.za.
  • Services means the services provided by Shipcro through the Platform for account creation, management, escrow payment processing, locker-to-locker delivery, and other services described in the Terms & Conditions.
  • Terms means the Terms and Conditions of the User Agreement which a User accepts to join the Platform.

1. HOW PERSONAL DATA IS COLLECTED

We use different methods to collect personal information from and about you, including through:

Direct interactions

You may share your personal information with us directly by using our services or by corresponding with us through the Platform or email. This includes personal information you provide when you:

  • Register for and use our services;
  • Create a listing or complete a purchase on the Platform;
  • Contact us for support;
  • Request information to be sent to you;
  • Give us feedback.

Automated technologies or interactions

As you interact with our Platform, we may automatically collect technical data and usage data about your equipment, browsing actions and patterns. We collect this personal information through session cookies and server logs. Please see our Cookie Policy for further details.

Third parties

We may receive personal information about you from the following third parties:

  • Delivery service providers (Bobgo and Pudo);
  • Banks and financial institutions;
  • Payment service providers (Paystack).

2. LAWFUL BASIS FOR PROCESSING PERSONAL DATA

Shipcro processes personal data that is necessary for the administration of the Platform, the creation of user accounts, and the facilitation of secure payment and delivery transactions.

Shipcro processes personal data under one or more legal bases as provided under POPIA. In general, Shipcro will process personal data as is necessary for the performance of a contract entered into with the participation of the User — i.e. for the provision of a service or for taking measures prior to entering into a contract in accordance with the User’s request. In some cases, where processing is necessary for the purposes of legitimate interests, Shipcro will ensure those interests are not overridden by the User’s own rights and interests.

3. PERSONAL DATA COLLECTED AND REASON FOR PROCESSING

We collect and use your personal data to enable you to use our Platform, provide our services, and perform our contract with you — in particular to facilitate secure escrow transactions, coordinate locker-to-locker delivery, and communicate with you. To use these services, you need a Shipcro account, which you register for with your email address and a password.

Most of your personal data is necessary for the performance of a contract with you. If you do not provide us with this data, we will not be able to enter into or perform that contract. Some personal data is necessary to comply with our legal obligations. If you do not provide it, we may not be able to provide our services to you.

| Processing operation | Data category | Goal | Legal basis |
|---|---|---|---|
| Account creation and profile information | Email address, hashed password, first name, last name, cellphone number | Creating and managing your Shipcro account and enabling the Services | Performance of the contract |
| Contact details | First and last name, cellphone number, email address | Ensuring communication with the User regarding transactions, delivery PINs, and service updates | Performance of the contract |
| Bank account details | Bank account holder's name, account number, bank name | Releasing escrowed funds to the Seller after order completion | Performance of the contract |
| Listing information | Product title, description, price, images, selected Pudo locker | Creating a secure listing link that can be shared with a Buyer | Performance of the contract |
| Delivery information | Pudo locker selection (sender and recipient), parcel dimensions and weight, waybill data, tracking history | Coordinating locker-to-locker delivery via Bobgo and Pudo | Performance of the contract; Legitimate interests |
| Payment information | Payment confirmation data received from Paystack (card/EFT details are processed by Paystack directly and not stored by Shipcro) | Confirming that payment has been received and holding funds in escrow | Performance of the contract |
| Transactional notifications | Email address, cellphone number | Sending order updates, collection PINs, and payment confirmation notifications | Performance of the contract |
| User support | Name, email address, content of support messages, transaction information | Responding to enquiries, resolving disputes, and improving the Service | Performance of the contract; Legitimate interest |
| User dispute resolution | Dispute-related information about the transaction, communications, and the User | Resolving disputes and complaints, ensuring the security and fairness of the Platform | Legitimate interest; Legal obligation |
| Platform usage and technical data | Session cookies, server logs, device and browser type, IP address | Maintaining Platform security, diagnosing errors, and improving the User experience | Legitimate interest |
| Income data (if applicable) | Transaction history and amounts | Reporting to SARS or accountants as required by applicable law | Compliance with legal obligations |

Your personal data may be used to create aggregated and anonymised statistics that we use to improve the Service. Where data is fully anonymised, it falls outside the scope of POPIA. If we combine anonymised data with personal information in a way that re-identifies you, we will treat that combined data as personal information in accordance with this Privacy Policy.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another compatible reason. If we need to use your data for an unrelated purpose, we will notify you and explain the legal basis for doing so.

4. PERSONAL DATA COLLECTED TO ENSURE PLATFORM SECURITY

To ensure that transactions on the Platform comply with the law and the Terms, Shipcro has the right to use technical solutions to detect fraud, prohibited activities, or the attempted sale of prohibited items through the Platform.

The legal basis for this collection and use of personal data is our legitimate interest in protecting the Platform and our Users from possible fraud and illegal conduct.

5. MARKETING ACTIVITIES

Shipcro does not currently send marketing or promotional emails to Users. If we introduce such communications in the future, we will obtain your explicit consent before doing so, and you will always have the right to withdraw consent and unsubscribe at any time.

6. COMPLIANCE WITH LEGAL OBLIGATIONS

In certain cases, we need to process personal data in order to comply with legal obligations. This includes:

  • Accounting obligations (reporting and document storage);
  • Responding to requests from public authorities;
  • Complying with AML/CTF obligations under the Financial Intelligence Centre Act 38 of 2001 (FICA);
  • Oversight of potential or confirmed breaches of applicable law.

In such situations, the legal basis for processing personal data is a legal obligation imposed on us.

7. WHO HAS ACCESS TO MY PERSONAL DATA?

Access to personal data is strictly needs-based and is limited to fulfilment of Shipcro employees’ obligations. In certain cases, limited access may also be granted to partners and service providers who provide specific services to us (for example, accounting services, IT services, authentication infrastructure, and delivery service providers).

8. TO WHOM DOES SHIPCRO TRANSFER MY PERSONAL DATA?

Shipcro transfers or shares personal data with service providers only to the extent necessary and permitted in accordance with applicable laws. We may share your personal information with the following parties:

  • Supabase — authentication and database hosting. Your account credentials and data are stored on Supabase’s infrastructure.
  • Paystack — payment processing. Paystack processes your card or EFT details directly; Shipcro receives only payment confirmation data.
  • Bobgo and Pudo — delivery logistics. Your name, cellphone number, and locker selection are shared with these providers to generate waybills and send collection PINs.
  • South African government authorities — pursuant to our adherence with legislative requirements, such as SARS tax obligations and FICA compliance.
  • Professional advisers — lawyers, auditors, and insurers who provide consultancy, legal, insurance, and accounting services as required.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information in accordance with our instructions and standards.

9. INTERNATIONAL TRANSFERS

We may share and process your personal information outside of South Africa for the purpose of cloud storage and/or to engage with software providers and contractors based outside of South Africa (for example, Supabase infrastructure may be hosted in foreign data centres).

If we transfer your personal information out of South Africa, we will ensure a similar degree of protection is afforded to it by ensuring that:

  • We will only transfer your personal information to countries or providers that have appropriate data protection measures in place; and/or
  • Where we use service providers, we will use specific contracts or data processing agreements which ensure personal information is processed and secured lawfully.

10. HOW DOES SHIPCRO ENSURE THE SECURITY OF MY PERSONAL INFORMATION?

We have implemented technical, organisational, and physical security measures to protect personal data. Access to any personal data is strictly needs-based and is regulated by user access controls.

Personal data is stored in a protected information system (Supabase) that requires authentication with a secure credential and where access is regulated by row-level security policies.

All data transmitted between your device and our Platform is encrypted in transit using TLS. Passwords are hashed using bcrypt and are never stored in plain text.

Our Platform may contain links to other websites controlled by third parties. If you navigate to such websites on your own initiative, data processing is beyond our control. We recommend that you review the privacy policies of those third parties.

11. HOW LONG WILL MY DATA BE STORED?

We will keep your personal information for the lifetime of your account. We will only retain personal data for as long as necessary to fulfil the purposes for which we collected it, including to comply with legal, accounting, or reporting obligations or to resolve disputes.

Financial and transaction data required for accounting purposes are stored in accordance with applicable legislation — generally for at least 5 years from the end of the relevant business relationship, but not longer than 10 years.

Information related to user accounts and activity on the Platform is retained until the end of the life of the account and for up to 7 years after deletion of the account, for the protection of legal interests.

Information collected through technical means (such as session cookies and server logs) is stored for the minimum period necessary, as described in our Cookie Policy.

You can ask for more detailed information about data retention by sending an enquiry to privacy@shipcro.co.za.

12. WHAT ARE MY DATA PROTECTION RIGHTS?

In connection with the processing of personal data by Shipcro, you have the following data protection rights under POPIA:

| Right | What does this mean and when can this right be exercised? |
|---|---|
| Right to be aware of processing and to access personal data | You have the right to request information about whether and what personal data we process about you, on what legal basis, and in what way. You also have the right to request a copy of the personal data processed about you. |
| Right to request correction of personal data | You can exercise this right if the personal data we process about you is incomplete, outdated, or incorrect. |
| Right to request erasure of personal data | You can request deletion if: the data is no longer necessary for the purposes of processing; you withdraw the consent on which processing is based; or your rights and interests outweigh Shipcro's legitimate interests. |
| Right to restrict processing | You can request restriction of processing if: you contest the accuracy of the data; you object to processing on the basis of legitimate interest; there appears to be no legal basis for processing but you do not want deletion; or you need the data to establish, exercise, or defend a legal claim. |
| Right to object | Where the legal basis for processing is legitimate interest, you have the right to object. You also have the right to object to any automated decision-making. |
| Right to data portability | Where we process your data on the basis of consent or a contract, you have the right to request that we provide you with the relevant personal data in a structured, commonly used, and machine-readable format. |
| Right to withdraw consent | If the legal basis for processing is consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. |

Please note: Data protection rights are not absolute. For each request, we must assess whether, and to what extent, applicable laws and the rights of other data subjects allow us to fulfil your request.

13. QUESTIONS AND COMPLAINTS

If you have any questions or complaints related to the processing of personal data, please contact us at privacy@shipcro.co.za. We will respond to enquiries within one month of receipt. If it is not possible to respond within one month, we may extend the deadline by up to two months by notifying you of the extension and the reason within one month of receipt.

You have the right to make a complaint at any time to the Information Regulator’s Office of South Africa. We would, however, appreciate the chance to deal with your concerns before you approach any regulator, so please contact us in the first instance.

14. CHANGES TO THIS PRIVACY POLICY

We are constantly striving to ensure that both our data processing and the related documentation are simple, clear, and transparent, and comply with all legal requirements and best data protection practices. Accordingly, we regularly update and improve this Privacy Policy and notify all Users of material updates via the contact details provided to us or via the Platform.

The most up-to-date version of this Privacy Policy will always be available at shipcro.co.za/privacy. Your continued access to or use of our Services constitutes your acceptance of this Privacy Policy as amended. It is your responsibility to review this document periodically to ensure you are aware of any changes. It is important that the personal information we hold about you is accurate and current — please keep us informed if your personal information changes.