Privacy Policy

Last updated: May 2026

Written to comply with POPIA (South Africa), GDPR (EU/EEA), UK GDPR and the CCPA/CPRA (California).

Introduction

Stalletjie ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard your information when you use our marketplace for stallholders and event organisers. Stalletjie is operated from South Africa and serves users globally. We comply with the Protection of Personal Information Act (POPIA), the EU General Data Protection Regulation (GDPR), the UK GDPR and the California Consumer Privacy Act (CCPA/CPRA). For the purposes of GDPR, Stalletjie is the data controller of your personal data.

Information We Collect

Account information: name, email address, phone / WhatsApp number, password and the role you sign up as (stallholder or organiser).

Stall profile: stall name, category, product descriptions, photos, languages, travel radius, facility requirements and supporting documents you upload.

Event listings: event name, venue, dates, expected attendance, stall fees, organiser logo and images.

Applications & messages: the applications you submit, the information you share with the other party and any contact details exchanged through the platform.

Usage data: pages viewed, search filters used, devices, browser type and rough location for analytics and security.

Payment information: processed securely through Paystack. We do not store your full card number, CVV or banking PIN.

How We Use Your Information

  • To create and operate your account
  • To match stallholders with relevant events (and vice versa)
  • To process applications and let the two parties contact each other
  • To process subscription payments and prevent fraud
  • To send you transactional emails (account, billing, applications) and — only if you opt in — newsletters or product updates
  • To improve, secure and personalise the Service
  • To comply with our legal, tax and accounting obligations

When We Share Information

We never sell your personal information. We share it only:

  • With the other party in a transaction (e.g. an organiser sees the contact details of stallholders who apply to their event, and vice versa) — this is the whole point of the marketplace
  • With our trusted service providers (Paystack for payments, Resend for email, Lovable Cloud for hosting and database)
  • When required by law, court order or to protect the rights and safety of users
  • If we are involved in a merger, acquisition or sale of assets — in which case we will give you prior notice

Data Storage & Security

Your data is stored on secure cloud infrastructure with encryption in transit (TLS) and at rest. Access is protected by Row Level Security policies so that one user cannot read another user's private records. We follow industry-standard practices for password hashing, secret rotation and audit logging. No system is 100% secure — please use a strong, unique password and tell us immediately if you suspect your account has been compromised.

Third-Party Services

  • Paystack — payment processing (R199/year subscription)
  • Resend — transactional and outreach email delivery
  • Lovable Cloud / Supabase — database, authentication and file storage
  • Google — optional social sign-in

Each of these has its own privacy policy. We encourage you to review them.

Your Rights Under POPIA

As a South African resident you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Request deletion of your personal information
  • Object to processing of your personal information
  • Lodge a complaint with the Information Regulator

Legal Basis for Processing (GDPR / UK GDPR)

If you are in the EEA, UK or Switzerland, we process your personal data on the following legal bases:

  • Contract (Art. 6(1)(b)) — to create your account, host your listings, process subscriptions and deliver the Service
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud, run anonymised analytics and improve product quality
  • Consent (Art. 6(1)(a)) — for marketing emails and any optional features that involve personal data; you may withdraw consent at any time
  • Legal obligation (Art. 6(1)(c)) — to meet tax, accounting and regulatory requirements

Your Rights Under GDPR & UK GDPR

If you are in the EEA, UK or Switzerland you have the following rights:

  • Access — obtain a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — request deletion of your data
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with your local supervisory authority

We will respond to verifiable requests within 30 days, free of charge unless the request is manifestly unfounded or excessive.

Your Rights Under CCPA / CPRA (California)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccuracies, to opt out of any "sale" or "sharing" of personal information, and to limit the use of sensitive personal information. Stalletjie does not sell your personal information and does not share it for cross-context behavioural advertising. You may exercise these rights by contacting us; we will not discriminate against you for doing so.

International Data Transfers

Stalletjie operates globally. Your personal data may be transferred to, stored and processed in countries outside your country of residence, including South Africa, the European Union and the United States, where our infrastructure and sub-processors operate. Where personal data is transferred out of the EEA, UK or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum and the EU-US Data Privacy Framework where applicable.

Cookies & Tracking

We use a small number of strictly necessary cookies and local-storage entries to keep you signed in and remember your preferences. These do not require consent. Any analytics or non-essential tracking is loaded only after you accept. You can change or withdraw your choice at any time by clearing site data.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. You may request deletion of your account and associated data at any time by emailing us. Some information may be retained for legal, tax or accounting compliance (typically up to 5 years for financial records).

Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

For questions about this Privacy Policy, or to exercise any of your rights, email privacy@stalletjie.co.za.

Supervisory authorities: South Africa — Information Regulator; EU/EEA — your national Data Protection Authority; UK — ICO.