Privacy & Data Protection Policy

 

Regulatory Framework: POPIA (Act 4 of 2013) • ECTA • NCA • GDPR

 Legal@imaginethiscar.com

🔐 1. Introduction

At Imagine This Car ("ITC", "we", "us", "our"), we are committed to upholding the privacy, security, and integrity of your personal data. This policy outlines how we collect, use, store, disclose, and protect personal information in compliance with the Protection of Personal Information Act (POPIA), and other applicable South African legislation.

📥 2. What We Collect

We collect only the data necessary for lawful, legitimate purposes:

 

Data Type | Examples
Identity Data | Full name, ID number, date of birth
Contact Data | Phone number, email, address
Account Data | Username, password (hashed), roles
Financial Data | Bank details, card info (tokenized)
Transactional Data | Orders, invoices, escrow records
Location Data | GPS, delivery/collection addresses
Usage & Device Data | Cookies, IP, browser/device metadata
Audio/Visual Data | CCTV (in-person hubs), call recordings
Biometric Data (limited) | Face ID for test drives (opt-in only)

Note: We do not knowingly collect data from children under 18 without guardian consent.

🎯 3. Purpose of Processing

We process personal data for specific, lawful, and clearly defined purposes:

 

              Account setup and authentication

              Processing and securing transactions (including escrow and logistics)

              Facilitating service delivery (e.g., test drives, insurance, repairs)

              Detecting and preventing fraud or unlawful activity

              Providing support, updates, and personalized experiences

              Legal compliance (e.g., FICA, SARS reporting, court orders)

              Marketing (only with opt-in consent under Section 69 of POPIA)

🔄 4. Lawful Basis for Processing

We rely on the following lawful bases:

Purpose | Legal Basis (POPIA / Other)
Escrow & billing | Performance of contract (POPIA §11(1)(b))
Identity and FICA checks | Legal obligation (FICA, NCA, POPIA)
Behavioral analytics | Legitimate interest
Marketing & communications | Consent (POPIA §11(1)(a), ECTA §45)
Dispute mediation or enforcement | Legitimate interest / Legal compliance

🤝 5. Data Sharing & Disclosure

We do not sell your data. We may share it under strict conditions:

5.1 Trusted Third Parties

              Payment processors (e.g., PayFast, Peach Payments)

              Logistics firms (e.g., DSV, RAM)

              Certified service providers (inspectors, mechanics, etc.)

5.2 Legal Disclosures

We may disclose data to:

              Regulators (e.g., SARS, NCR, FSCA, SAPS)

              Courts and legal authorities, as per warrant or subpoena

              Insurers or banks in the event of claims, fraud or breach

5.3 International Transfers

Cross-border transfers are permitted only when:

✅ The destination ensures adequate protection (e.g., EU, UK, USA under DPF)

✅ Contracts include Standard Contractual Clauses

❌ No transfers to blacklisted countries or embargoed territories

👤 6. Data Subject Rights

As a user, you have full control over your data:

Right | Action | Timeline
Access | Request a copy of your data | Within 14 days
Correction | Request edits to incorrect info | Within 7 days
Deletion | Have your data erased (unless legal obligation prevents this) | Within 30 days
Objection to Processing | Opt out of marketing, profiling | Within 48 hours
Data Portability | Transfer your data in readable format | On request

To exercise any of the above:

📧 Email: legal@imaginethiscar.com

🔒 Verification: ID, OTP, or affidavit required

🧰 7. Security Measures

We apply enterprise-grade security across all systems:

7.1 Technical Controls

              End-to-end encryption (AES-256 at rest, TLS 1.3 in transit)

              Multi-factor authentication (MFA)

              Role-based access restrictions

              Secure biometric access for sensitive roles

 

              Regular penetration testing (quarterly)

7.2 Administrative Controls

              Registered POPIA Information Officer

              Vendor DPAs and confidentiality clauses

              Staff background checks and annual training

              Breach simulation exercises (twice per year)

⛑️ 8. Data Breach Protocol

If a breach occurs:

Stakeholder | Notification Deadline
South African Regulator | Within 72 hours
Affected Users | Within 14 days
Payment Gateway | Immediate (real-time APIs)

Contingency Measures:

              Lock affected systems

              Launch forensic audit

              Offer identity theft monitoring for 12 months

 

📆 9. Data Retention

Data Category | Retention Period | Reason
Financial & escrow records | 5 years post-transaction | Tax Law (VAT Act)
User account data | 3 years after inactivity | CPA & audit obligations
CCTV / Test-drive footage | 90 days | POPIA + Security Act
Website cookies | 13 months | POPIA Reg 4(1)(a)

After the retention period, all data is anonymized or securely destroyed.

⚖️ 10. Platform Liability Disclaimer

To the maximum extent permitted by law, Imagine This Car shall not be liable for:

              User-side breaches, such as password sharing or phishing

              Vendor misuse of buyer information, where terms are violated

              Force majeure events, including cyberattacks or system outages beyond our control

              Third-party errors, despite due diligence (e.g., courier mishandling or banking delays)

We take all reasonable precautions—but total immunity cannot be guaranteed.

📢 11. Updates & Notifications

              Material Changes: You’ll be notified 30 days in advance

              Consent Management: Real-time dashboard allows you to manage cookies, opt-outs

              Version History: Archived at: [Link unavailable]

 

📧 legal@imaginethiscar.com | ☎ 067 989 8704

📍 Johannesburg, South Africa
