Skip to Content


Craftovus Privacy & Data Protection Policy

Last updated: 03 June 2025

Craftovus (Pty) Ltd (“Craftovus”, “we”, “our”, “us”) is a Cape Town–based creative hub and e-commerce brand that celebrates heritage craft through modern technology. Protecting your personal information and honouring your creative expression is central to our promise of an open, inspiring space.

This policy explains:

  • What personal information we collect

  • Why we collect it and the legal grounds that allow us to do so

  • How we use, store, share, and secure it

  • The rights you enjoy under POPIA, GDPR and comparable privacy laws

  • How to contact us or lodge a complaint

1. Who we are & how to reach us

Craftovus (Pty) Ltd

PO Box 723 Garsfontein, Pretoria 0040

privacy@craftovus.com

2. Scope of this policy

This policy applies to:

  • craftovus.com, sub-domains, and any microsites we host

  • Social-media channels we manage (@craftovus on Instagram, YouTube, TikTok, Facebook, X, LinkedIn)

  • In-person interactions at the Craftovus Hub, pilot studio, pop-ups, and events

  • Newsletter sign-up, CRM records, e-commerce orders, ticket sales, and filming/content production activities

  • DIY kit customers, workshop participants, newsletter subscribers, suppliers, job applicants, staff, and franchise prospects

3. Information we collect

Category

Examples

Collection point

Identity & Contact

Name, surname, preferred name, billing & shipping address, email, phone, social-handle, identity/passport No. (if required for safety or regulatory reasons)

Website forms, Odoo checkout, workshop sign-in, supplier onboarding

Profile & Account

Username, encrypted password, purchase history, wish-lists, membership tier, workshop bookings, loyalty points

Craftovus account portal, POS

Transactional

Payment token, last 4 digits of card, bank & EFT details, VAT, order value, kit serial no., invoices, refunds

Stripe, PayGate, EFT, Odoo ERP

Technical & Usage

IP address, browser type, device IDs, log files, cookie IDs, interaction timestamps, referral URLs, heat-maps

Cookies, analytics scripts (Matomo/GA4), server logs

Marketing & Preferences

Newsletter opt-in status, preferred crafts, feedback survey answers, communication channels, cookie consent choices

Sign-up forms, cookie banner, email footers

Visual & Audio

Photos, video, voice, livestream footage of workshops or events (only if you have signed a release form)

On-site filming/photography, user-generated content uploads

Sensitive

Accessibility requirements, allergy info, next-of-kin for workshop safety; limited to what you voluntarily provide and processed with extra care

Pre-workshop safety questionnaire

We do not knowingly collect data about children under 16 without verifiable parental/guardian consent.

4. How and why we use your data

4.1 Purposes

Purpose

Typical processing activities

Legal basis (GDPR Art 6)

POPIA justification

Service delivery

Create/maintain your Craftovus account, process orders, reserve workshop slots, issue e-tickets, ship DIY kits

Contract performance (Art 6 (1)(b))

Contract; Sec 11(1)(b)

Safety & insurance

Verify age where required (18+ classes), keep incident logs, maintain public liability coverage

Legal obligation (Art 6 (1)(c))

Law; Sec 11(1)(c)

Filming & content creation

Record, edit, publish video/photo/audio content featuring you

Consent (Art 6 (1)(a)) via signed release

Consent; Sec 11(1)(a)

Marketing & community

Send newsletters, show you new kits, run competitions, retarget ads

Consent or Legitimate Interest* (Art 6 (1)(a)/(f))

Consent / Legitimate Interest

Analytics & UX improvement

Aggregate site metrics, A/B tests, troubleshoot bugs

Legitimate Interest (minimal privacy impact)

Legitimate Interest

Compliance & anti-fraud

VAT/TAX reporting, invoice archiving, KYC checks, refund audits

Legal obligation

Law

4.2 Cookies & similar tech

We use:

  • Essential cookies – site security, cart memory, session login

  • Analytics cookies – anonymised traffic stats via Matomo Cloud (EU)

  • Marketing cookies – Meta Pixel, Google Ads, TikTok Pixel (only with opt-in)

You decide which non-essential cookies run via our banner and preference centre. Your choices are honoured through Consent Mode / IAB TCF signals.

5. Filming, photography & user-generated content

  • You will always be offered a clear Release Form before we record audio, video, or still images where you are identifiable.

  • The form lists intended uses (e.g., YouTube series, behind-the-scenes Instagram Reels, printed marketing, future franchise training).

  • Withdrawal of consent: You may revoke future use at any time by emailing privacy@craftovus.com. Content already lawfully published may remain available but we will stop further distribution where practical.

  • Crowd scenes at public events may be captured under legitimate interest provided no single individual is the focus and signage is displayed.

6. How we share data

We never sell your personal information. We share it only with:

Recipient

Reason

Safeguards

Service providers (e.g., Odoo SaaS, AWS, Stripe, PayGate, Wise, Matomo, Google Workspace, Mailjet)

Hosting, payments, analytics, email dispatch, video editing

DPAs/SCCs, access controls, encryption

Artisans & facilitators

If they must know dietary or accessibility needs for your booked session

Confidentiality clauses, purpose-limiting instructions

Content partners & social platforms

Publication of filmed material with your signed release

Platform-specific licences; public availability

Regulators & law enforcement

VAT, POPIA, GDPR, SARS, or court orders

Only what is legally required

Franchisees

Only aggregated or pseudonymised analytics unless you transact directly with that franchise

Inter-company agreements, SCCs/Approved IDTA/Binding Corporate Rules

Cross-border transfers outside South Africa/EU/UK occur only where:

  • The destination is deemed adequate, or

  • We have Standard Contractual Clauses (EU) or s72 POPIA agreements and supplementary security measures, or

  • You give explicit, informed consent (e.g., optional cloud backup of your video projects).

7. Data retention

Record type

Retention rule

Workshop bookings, POS receipts

5 years from tax year-end (SA Companies Act & SARS)

Newsletter & marketing consents

Until you unsubscribe + 2 years for audit log

Release forms & published media

Perpetual unless consent withdrawn, then 30 days to suppress further use

Incident & insurance records

7 years post-event

Unsuccessful job applications

12 months unless longer agreed

All retention periods are reviewed annually.

8. Security measures

  • ISO 27001-aligned cloud infrastructure (AWS eu-west-1, af-south-1)

  • TLS 1.3 encryption in transit; AES-256 at rest

  • Role-based access control, MFA, audit logging

  • Quarterly penetration testing; monthly patch cycles

  • Vendor DPAs with sub-processor audit rights

  • Staff & artisan privacy training plus NDA/IP clauses

If a breach likely impacts your rights we will notify you and the relevant regulator within 72 hours (GDPR Art 33; POPIA Sec 22).

9. Your rights

Depending on where you live, you may have (among others):

Right

POPIA

GDPR / UK GDPR

CCPA/CPRA / other US state laws

Access & confirmation

✓ Sec 23

✓ Art 15

✓ (“Right to Know”)

Correction/Rectification

✓ Sec 24

✓ Art 16

Erasure / De-index (“delete me”)

Conditional Sec 24

✓ Art 17

✓ (“delete”)

Restrict or object to processing

✓ Sec 14

✓ Art 18/21

Data portability

✓ Art 20

Withdraw consent

✓ Sec 11(2)(b)

✓ Art 7(3)

Automated decision-making objections

✓ Sec 71

✓ Art 22

Opt-out of “sale” or targeted ads

✓ (CPRA §1798)

To exercise any right, email privacy@craftovus.com. We will verify your identity and respond within:

  • 30 calendar days (POPIA)

  • 1 month (GDPR)

  • 45 days (CCPA/CPRA), extendable by +45 days if needed

10. Children

Our workshops and kits are designed for adults and teens aged 16+. If we learn that a child under 16 has provided personal data without guardian consent we will delete it promptly.

11. Marketing communications

  • Opt-in: We send newsletters only if you tick the opt-in box or double-confirm via email.

  • Opt-out: Click “Unsubscribe” in any email or adjust Account > Preferences.

  • Segmenting: You may receive craft-specific updates based on your stated interests or past purchases. We do not run fully automated profiling that produces legal or similarly significant effects without human review.

12. Third-party links

Our site or socials may link to external creators, suppliers, or tutorials. Once you leave Craftovus domains, their privacy statements apply.

13. Changes to this policy

We review this notice at least once per year. Material changes will be highlighted on our website home page and, where appropriate, emailed to registered users 14 days before taking effect.

14. Complaints

  • South Africa: Information Regulator (PAIA & POPIA), JD House, 27 Stiemens St, Braamfontein, Johannesburg 2001. complaints.IR@justice.gov.za

  • EU: Your local Data Protection Authority – list at https://edpb.europa.eu

  • UK: Information Commissioner’s Office (ICO) – ico.org.uk
    We would appreciate the chance to address your concerns first.