1. Purpose
This Data Protection Policy sets out how Chameleon Inflatables collects, processes, stores, shares, and protects personal information. It ensures our compliance with the Protection of Personal Information Act, 2013 (POPIA) and sets out the rights of customers, employees, and other data subjects whose information we hold.
This policy complements our customer-facing Privacy Policy and our internal Data Retention & Deletion and Information Security policies.
2. Scope
This policy applies to all personal information processed by Chameleon Inflatables, including that of:
•Customers — individuals and business contacts who buy, enquire about, or interact with our products and services
•Suppliers — contacts at our supplier and service-provider organisations
•Employees — current, former, and prospective staff
•Website visitors — anyone using our website or customer portal
3. Our Commitments
Chameleon Inflatables commits to:
•Processing personal information lawfully, fairly, and transparently
•Collecting only the information we genuinely need
•Using personal information only for the purposes it was collected for
•Keeping information accurate and up to date
•Keeping information secure
•Respecting the rights of data subjects
•Being accountable for our data processing
4. Definitions
•Personal Information — information that identifies or can be linked to an identifiable person (e.g. name, email, phone, address, ID number, employment details)
•Special Personal Information — a subset with higher protection, including religious beliefs, health information, biometric data, sexual orientation, and criminal record
•Processing — any action involving personal information, including collecting, storing, using, sharing, or deleting it
•Data Subject — the individual to whom the personal information relates
•Responsible Party — the organisation that decides why and how personal information is processed (Chameleon Inflatables, in this context)
•Operator — a third party that processes personal information on behalf of the Responsible Party (e.g. couriers, accountants, payment gateways)
•Information Officer — the statutory role accountable for POPIA compliance within Chameleon Inflatables
5. Information Officer
Under POPIA, every organisation has an Information Officer who is accountable for POPIA compliance.
•By default, the Information Officer is the CEO, owner, or head of the organisation
•The Information Officer must be registered with the Information Regulator of South Africa
•The Information Officer may delegate specific tasks but retains overall accountability
Responsibilities
•Ensuring Chameleon Inflatables complies with POPIA
•Handling data subject requests and complaints
•Dealing with the Information Regulator as required
•Developing, implementing, and monitoring our data protection programme
•Training staff on POPIA obligations
Contact
•Email: sales@chameleoninflatables.co.za
•Phone: +27 83 589 0574
Current Status
Chameleon Inflatables is in the process of formally registering its Information Officer with the Information Regulator. Registration is a required next step and is tracked on our Policy To-Do list.
6. Categories of Personal Information We Process
Customers
•Name, email address, phone number, physical/delivery address
•Order history, quote history, payment records (card numbers are not stored — see Payment Security Policy)
•Communication history (emails, WhatsApp messages, calls)
•Customer portal login credentials (passwords are stored encrypted, never in plain text)
•Marketing preferences (once marketing communications are introduced)
Suppliers
•Contact names, company details, email, phone
•Banking details for supplier payment
•Invoice and transaction history
Employees
•Name, ID number, contact details, address
•Employment contract, job title, salary, banking details, tax information
•Timesheet, leave, and performance records
•Emergency contact information
•Disciplinary records (where applicable)
Website Visitors
•Essential session cookies (see Cookie Policy)
•Form submission content (contact enquiries, repair requests)
7. How We Collect Personal Information
We collect personal information:
•Directly from the data subject — when they fill in a contact form, place an order, request a quote, register for a customer account, or apply for a job
•From interactions — emails, calls, WhatsApp messages, in-person meetings
•From third parties with consent — for example, referrals where the referrer has confirmed the referee's consent
We do not purchase marketing lists or harvest contact information from public sources for our own marketing.
8. Purposes of Processing (POPIA Principle: Purpose Specification)
We process personal information only for specific, explicitly defined purposes:
•Fulfilling orders and quotes — taking orders, manufacturing, invoicing, delivery
•Customer support — responding to queries, repairs, warranty claims, complaints
•Account management — maintaining the customer portal and communication history
•Employment administration — payroll, HR records, legal compliance (BCEA, SARS, UIF)
•Supplier management — procurement, payments, quality management
•Legal and regulatory compliance — tax records, SARS filings, COIDA reporting, consumer protection obligations
•Marketing — only once opt-in is obtained, and only in line with our Cookie Policy and Privacy Policy
Where we wish to use personal information for a new purpose beyond these, we will obtain fresh consent.
9. Lawful Basis for Processing (POPIA Principle: Processing Limitation)
We process personal information only where we have a lawful basis:
•Consent — the data subject has agreed to the specific processing
•Contract — processing is necessary to fulfil a contract (e.g. an order)
•Legal obligation — we are required by law to process (e.g. SARS, UIF, COIDA)
•Legitimate interests — we have a genuine business interest that does not override the data subject's rights (e.g. keeping basic records for account management)
We do not process personal information where no lawful basis exists.
10. Sharing Personal Information (POPIA Principle: Processing Limitation)
We share personal information only where necessary and with appropriate safeguards.
Operators We Use
| Operator Type | Purpose | Data Shared |
| --- | --- | --- |
| Courier services | Delivering orders | Recipient name, address, phone |
| Payment gateways (PayFast, Peach, DPO, PayPal) | Processing online payments | Transaction details; we do not share card data |
| Accountants / tax professionals | Financial records, tax compliance | Financial records, invoice data, supplier/payroll info |
| Email service providers | Sending transactional emails | Email address, transaction details |
| Cloud hosting / backup providers | Storing our systems and data | Encrypted backup data |
Principles for Sharing
•We share only the minimum necessary for the operator to perform their task
•Operators must have their own POPIA-compliant practices
•Where required, a written Operator Agreement is in place
•We do not sell personal information to anyone
•We do not share personal information for marketing purposes without the data subject's consent
•We do not transfer personal information outside South Africa without ensuring appropriate protections are in place (POPIA Section 72)
Legal Disclosures
We may disclose personal information where required to do so by law (e.g. court order, SARS enquiry, SAPS investigation). Where legally permitted, we will notify the data subject of such disclosures.
11. Security Safeguards (POPIA Principle: Security Safeguards)
We take reasonable steps to protect personal information from loss, damage, unauthorised access, and unauthorised destruction.
•Our website and customer portal use HTTPS encryption
•Customer account passwords are hashed (not stored in plain text)
•Sensitive credentials (payment gateway keys, email server passwords) are stored encrypted
•Access to our admin system is password-protected and role-based
•Cross-site request forgery (CSRF) protection is applied to state-changing requests
•Regular software updates are applied to our systems
•Physical access to our workshop offices is controlled
Full details are in our Information Security Policy.
12. Data Retention (POPIA Principle: Information Quality)
Personal information is retained only for as long as it is needed for the purposes for which it was collected, or as required by law.
•Customer and order records: retained indefinitely while relationships are active; archived thereafter
•Supplier records: retained for the duration of the relationship plus 5 years for tax/audit purposes
•Employee records: retained for the duration of employment plus 3–5 years depending on record type (longer for some statutory records such as payroll)
•Website form submissions: retained for 12 months if not converted to a customer account or order
•Email communications: retained subject to ongoing relationship
Full retention rules are set out in the Data Retention & Deletion Policy.
13. Data Subject Rights (POPIA Principle: Data Subject Participation)
Under POPIA, data subjects have the following rights:
Right of Access
•To know what personal information we hold about them
•To receive a copy of the information in a reasonable format
Right to Correction
•To request correction of inaccurate or outdated information
•To request deletion of information that is inaccurate, irrelevant, excessive, outdated, or unlawfully obtained
Right to Object
•To object to processing in specified circumstances (e.g. direct marketing)
•To withdraw consent where processing is based on consent
Right to Complain
•To lodge a complaint with the Information Regulator if they believe we have breached POPIA
How to Exercise Rights
To exercise any of these rights:
•Email: sales@chameleoninflatables.co.za
•Phone: +27 83 589 0574
We will:
•Acknowledge the request within 7 working days
•Verify the identity of the requester (to prevent unauthorised disclosure)
•Respond substantively within 30 days (the POPIA statutory timeframe), or explain any delay
•Not charge a fee for reasonable requests
14. Direct Marketing (POPIA Section 69)
Direct marketing by electronic means (email, SMS, WhatsApp) requires the data subject's prior consent (opt-in), unless the data subject is an existing customer and the communication relates to similar products/services they already have.
•Once we begin direct marketing, an easy opt-out will be provided in every communication
•We will maintain a do-not-contact register for those who opt out
•We will not share contact details with third-party marketers
15. Information Relating to Children
We do not knowingly collect personal information from children under the age of 18 without parental consent. Orders and accounts are intended for adults. Where we become aware that we have collected information from a child without appropriate consent, we will delete it.
16. Data Breach Handling
In the event of a data breach — actual or reasonably suspected — we will:
1. Contain the breach and secure affected systems
2. Assess what information was compromised and the risk of harm
3. Where there is a real risk of harm to data subjects, notify them as soon as reasonably possible
4. Notify the Information Regulator as required by POPIA Section 22
5. Document the breach and take steps to prevent recurrence
See the Information Security Policy for operational details.
17. Training & Awareness
•New employees are informed of this policy and their responsibilities under POPIA during induction
•Refresher training is provided periodically
•Staff who routinely handle personal information receive more detailed guidance
18. Accountability (POPIA Principle: Accountability)
•The Information Officer is accountable for POPIA compliance within Chameleon Inflatables
•This policy is reviewed at least annually
•Our data processing activities are periodically reviewed to ensure they remain lawful and necessary
•Where new systems or processes are introduced, data protection considerations are built in from the start ("privacy by design")
19. Review
This policy is reviewed:
•At least annually
•When significant changes are made to our systems or processes
•When POPIA or related regulation changes
•Following any data breach or significant complaint
20. Contact
For any questions about this policy or data protection, or to exercise your rights:
Chameleon Inflatables
•Email: sales@chameleoninflatables.co.za
•Phone: +27 83 589 0574
•Address: 14 Pommery Road, Nietgedacht, Fourways
Information Regulator of South Africa
•Website: https://inforegulator.org.za
•Email: POPIAComplaints@inforegulator.org.za
•Address: SALU Building, 316 Thabo Sehume Street, Pretoria