Privacy Policy

Version 2.1
Updated: 04 May 2026

1. Introduction


Chameleon Inflatables ("we," "us," or "our") is committed to protecting your personal information. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and the rights you have under the Protection of Personal Information Act 4 of 2013 ("POPIA").


This policy applies to customers, website visitors, prospective customers, suppliers' contacts, and anyone who interacts with us through our website, contact forms, phone, WhatsApp, email, or in person at our workshop.


For our full internal POPIA compliance framework, see our Data Protection / POPIA Compliance Policy. For detailed retention periods, see our Data Retention & Deletion Policy.


2. Contact Information


Business Address: 14 Pommery Road, Nietgedacht, Fourways, Gauteng
Email: sales@chameleoninflatables.co.za
Phone: +27 83 589 0574

Our Information Officer, responsible for POPIA compliance, is the Director of Chameleon Inflatables. The Information Officer's registration with the Information Regulator of South Africa is in progress and will be confirmed here once complete.


3. Information We Collect


We collect the following categories of personal information, limited to what is necessary for the purposes set out in section 4:


3.1 From website visitors


Information you voluntarily submit through a contact form, enquiry form, quote request, repair enquiry, custom-design enquiry, or blog comment (name, email, phone, message, product details).
Information required to register a customer account on our portal (name, email, phone, delivery address).
Technical information automatically collected by our website (session cookies, CSRF tokens, IP address, browser, referring page, pages visited). See section 10 and our Cookie Policy.

3.2 From customers


Order details, delivery address, contact numbers, and billing information needed to fulfil your order.
Payment information — handled directly by our payment gateway providers; we do not store card numbers on our systems.
Serial numbers and repair history of products we have manufactured for you.
Correspondence (emails, WhatsApp messages, phone notes) tied to your customer record.

3.3 From suppliers' contacts


Contact name, role, phone, email, and business correspondence.

3.4 From Facebook and Instagram users (social-media messaging)


When you send our Facebook Page or our Instagram Business account a direct message, reply to one of our stories, mention us in a story, or react to one of our replies, Meta Platforms Ireland Ltd shares the following with us so we can respond:


A page-scoped user identifier ("PSID") — this is not your real Facebook / Instagram user ID; it is a pseudonymous identifier that only works between our Page/Account and you.
Your public display name and profile picture, if visible to us under Meta's rules.
The text, attachments, stickers, reactions, and story references that form part of your message.
The timestamp of the message.

We do not receive your email address, phone number, friends list, or other profile data from Meta. We do not scrape or infer personal information from your Facebook / Instagram profile.


Messages on Facebook and Instagram are subject to Meta's own privacy policy, in addition to this one, while they are in transit through Meta's systems. Once a message arrives in our admin inbox it is governed by this Privacy Policy.


4. Purposes for Which We Process Your Information


We use personal information only for the following purposes:


Fulfilling orders — quoting, confirming, manufacturing, dispatching, collecting, and billing for products you have ordered.
Customer support — answering enquiries, handling complaints, performing warranty and out-of-warranty repairs, tracking service plan claims.
Account management — keeping your customer account accurate and secure.
Legal and tax compliance — retaining records required by SARS (tax, VAT where applicable), the Companies Act, the Consumer Protection Act, the BCEA (for employment-related records), COIDA (for injury-on-duty where a customer is involved), and the Protection of Personal Information Act.
Security and fraud prevention — authenticating account holders, protecting systems from abuse.
Direct marketing — only where you have opted in under POPIA section 69. We do not currently send marketing emails or SMS, and will not begin doing so without explicit opt-in. You may withdraw consent at any time.
Operational analytics — understanding aggregate usage of our website and admin systems to improve them.

We do not process your personal information for purposes other than those listed above without obtaining your consent.


5. Legal Basis for Processing


Under POPIA, we process personal information on one of the following grounds:


Consent you have given.
Performance of a contract with you (e.g. fulfilling an order).
Compliance with a legal obligation (e.g. SARS record keeping).
Protection of a legitimate interest of ours or a third party (e.g. fraud prevention), provided this is balanced against your rights.

6. Operators We Share Information With


We use trusted third-party Operators to carry out parts of our service. Each has an operator agreement under POPIA section 21 requiring them to process your information only on our instructions and to maintain appropriate security. Current operator categories are:


Courier companies (e.g. The Courier Guy, Kyle on Call) — receive name, delivery address, contact phone, item details, to deliver your order.
Payment gateways (PayFast, Peach Payments, DPO, PayPal) — process card payments on their PCI-compliant hosted pages. We do not store your card details.
Accounting service providers — receive invoices, credit notes, bank records, and supplier details needed for tax compliance.
Website and email hosting providers — host our website infrastructure and transactional email (order confirmations, quotes, repair updates).
IT and software providers — maintain the admin systems in which customer data is stored, under confidentiality and security obligations.
Legal, labour, and regulatory advisors (e.g. LWO 086 110 1828) — receive information limited to the matter in hand.
Meta Platforms Ireland Ltd — transports Facebook and Instagram direct messages, story interactions, and reactions between you and our Page / Business account. Meta acts as the operator for the messaging channel; we receive only the message content and a page-scoped pseudonymous identifier (see section 3.4). Meta's own handling of your data is governed by their privacy policy.

We do not sell or rent your personal information. We do not share your information with third parties for their own marketing purposes.


7. Cross-Border Transfers


Where an operator processes your information outside South Africa (for example a cloud hosting provider), we ensure the transfer meets POPIA section 72 safeguards: binding contract with adequate protections, or lawful consent, or the necessary performance of a contract with you.


8. Retention


We retain personal information only for as long as necessary. Retention periods follow our Data Retention & Deletion Policy. In summary:


Customer order and repair records: 5 years after last activity, archived thereafter.
Tax and financial records: 5 years from the end of the relevant tax period (SARS).
BCEA / employee-related records (where the data subject is an employee): 3 years after end of employment.
COIDA records: 4 years after the relevant incident.
Website enquiries without a resulting account: 24 months.
Quotes not converted: 24 months.
Marketing consent records: 2 years after consent withdrawn.
Session logs: rolling 90 days.

Personal information that is no longer needed for any lawful purpose is deleted in the next backup rotation cycle (approximately 30 days) or anonymised for aggregate analytics.


9. Security


We protect personal information through reasonable technical and organisational measures, including:


HTTPS / TLS for all website traffic.
Encrypted password storage (bcrypt).
AES-256 encryption at rest for sensitive configuration data.
Role-based access controls and unique accounts for staff (no shared logins).
Secure off-site backup of our admin systems.
Locked physical filing for paper records.
Operator agreements with each third party that processes data on our behalf.

Multi-factor authentication for admin accounts is being rolled out.


If a security compromise occurs that poses a real risk of harm to data subjects, we will notify the Information Regulator and affected subjects as soon as reasonably possible, in accordance with POPIA section 22.


10. Cookies and Tracking


Our website uses a small number of essential cookies (session, CSRF protection) and local storage (cart state, theme preferences). These are necessary for the website to function and are exempt from consent under POPIA.


We do not currently use analytics, advertising, or third-party tracking cookies. If we introduce them, a consent banner will appear before any non-essential cookie is set. See our Cookie Policy for details.


11. Your Rights Under POPIA


Subject to the exemptions in POPIA, you have the right to:


Access — request a copy of the personal information we hold about you.
Correct — request correction of inaccurate or incomplete information.
Delete — request deletion of information we are no longer entitled to hold.
Object — object to processing you believe is not lawful, including objecting to direct marketing at any time.
Withdraw consent — where our processing is based on your consent.
Complain to the Information Regulator (www.inforegulator.org.za, enquiries@inforegulator.org.za) if you believe we have not complied with POPIA.

To exercise any of these rights, email sales@chameleoninflatables.co.za or call +27 83 589 0574. We will acknowledge your request within 7 working days and respond substantively within 30 days (or sooner where practicable).


We do not charge a fee for the first request in any 12-month period. A reasonable fee may be charged for repeated requests.


11.1 Deleting your Facebook / Instagram social-messaging data


If you have messaged our Facebook Page or Instagram Business account and would like us to delete your social-media record, you have two routes:


Via Meta: remove our app from your Facebook or Instagram account settings. Meta will send us a signed deletion request, and we will soft-delete the social-identity record for your page-scoped identifier within 30 days. You will receive a confirmation code from us that you can quote if you contact us.
Directly: email sales@chameleoninflatables.co.za asking us to delete your social-media record.

Historical message content tied to your page-scoped identifier may be retained where required by South African law (for example SARS record-keeping and POPIA audit obligations), but the link between your Meta account and those records is severed, and your name and profile picture are deleted.


12. Marketing Communications


We do not currently send marketing emails or SMS.


If we begin to do so, it will be on an opt-in basis: you must give explicit consent (typically through a tick-box at account creation, a double-opt-in email, or a signed consent form). Every marketing message will include an unsubscribe link, and you may withdraw consent at any time by emailing us.


13. Children


We do not knowingly collect personal information from children under 18 without parental consent. If you believe we have inadvertently collected a child's information, contact us and we will delete it.


14. Changes to This Policy


We may update this policy from time to time to reflect operational or legal changes. The version number and date at the foot of this policy track changes. Material changes will be highlighted on our website. Continued use of our services after an update constitutes acceptance of the revised policy.


15. Complaints and Contact


Internal contact: Director (Information Officer) — sales@chameleoninflatables.co.za / +27 83 589 0574
External — the Information Regulator of South Africa: www.inforegulator.org.za, enquiries@inforegulator.org.za, +27 10 023 5200



*Version 2.1, effective 2026-04-20.*