Privacy Policy
Last updated: 23 June 2026
This Privacy Policy explains how StockBox Technologies collects, uses, shares, and protects your personal information when you use StockBox (the “Platform”) via our website at www.stockbox.xyz or our mobile apps on Google Play and the Apple App Store.
1. Who we are
StockBox Technologies (“we”, “us”, “our”) is the Responsible Party (as defined in the Protection of Personal Information Act 4 of 2013, “POPIA”) for the personal information processed through the Platform.
- Address: 346 Main Street, Waterkloof, Pretoria, South Africa
- Contact: [email protected]
For any privacy query, or to exercise the rights set out in section 8, contact us at [email protected].
2. The purpose of this policy
This policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and the rights you have. We process personal information lawfully and in line with the eight conditions for lawful processing set out in POPIA.
3. What personal information we collect
StockBox is a marketplace, so we process both the data needed to run your account and the data needed to facilitate transactions between buyers and sellers.
| Category | Examples |
|---|---|
| Identity & contact data | Name, email address, mobile number, username |
| Account & profile data | Login credentials, profile details, preferences |
| Marketplace content | Listings you post, descriptions, images, and related details (visible to other users) |
| Transaction & payment data | Purchases, sales, amounts, and payment status. Card and payment details are processed by our payment provider, Peach Payments — we do not store your full card details |
| Device & technical data | Device type, operating system, unique device and push-notification identifiers, IP address, app version, and similar technical data |
| Usage data | Features used, screens viewed, in-app actions, and session information (collected via Google Analytics) |
| Approximate location | An approximate location derived from your device or IP address |
| Communications | Support queries, feedback, and correspondence with us |
We do not knowingly collect special personal information (such as health, biometric, or religious data) through the Platform.
4. How we collect personal information
- Directly from you — when you register, set up a profile, create a listing, buy or sell, or contact support.
- Automatically — through the Platform and the tools embedded in it, including Google Analytics and the Google and Apple push-notification services, which collect device, usage, and approximate-location data.
- From third parties — such as the Google Play and Apple App Stores, and our payment provider Peach Payments (for example, transaction confirmation and status).
5. Why we process your personal information
We process personal information only where we have a lawful basis under POPIA — your consent, the performance of a contract with you, compliance with a legal obligation, or the protection of a legitimate interest.
| Purpose | Lawful basis |
|---|---|
| Create and manage your account | Performance of contract |
| Operate the marketplace and display your listings | Performance of contract |
| Facilitate transactions and hold and transfer funds between buyers and sellers | Performance of contract |
| Process payments via Peach Payments | Performance of contract / legal obligation |
| Improve the Platform, fix bugs, and analyse usage | Legitimate interest |
| Send service messages (e.g. account, security, transaction updates) | Performance of contract / legitimate interest |
| Send direct marketing | Consent (opt-in) — see section 9 |
| Detect and prevent fraud or abuse | Legitimate interest |
| Comply with law and respond to lawful requests | Legal obligation |
6. Sharing and disclosure
We do not sell your personal information. We share it only with:
- Other users — your profile and listing information is visible to other users of the marketplace, and relevant details are shared with the other party to a transaction so it can be completed.
- Operators (service providers processing on our behalf under written contract):
  - DigitalOcean — cloud hosting (servers located in the European Union);
  - Peach Payments — payment processing;
  - Google — analytics (Google Analytics) and Android push notifications;
  - Apple — iOS push notifications.
- Third parties where required by law, court order, or a lawful request from a competent authority.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this policy.
We require all operators to apply security safeguards consistent with POPIA.
7. Cross-border transfers
Some personal information is processed outside South Africa. In particular, our servers are hosted by DigitalOcean in the European Union, and Google (Analytics and Android push) may process data in other countries. Where we transfer personal information across borders, we do so on a basis permitted by section 72 of POPIA — typically because the recipient is subject to a law or binding agreement that provides an adequate level of protection (the EU, for example, applies the GDPR), because the transfer is necessary to perform our contract with you, or with your consent.
8. Your rights
Subject to POPIA, you have the right to:
- Be notified that we are collecting your information, and request access to the information we hold about you;
- Request that we correct, update, or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained;
- Object, on reasonable grounds, to the processing of your personal information;
- Object at any time to processing for direct marketing;
- Withdraw consent where processing is based on consent (without affecting prior lawful processing);
- Not be subject to a decision based solely on automated processing that significantly affects you; and
- Lodge a complaint with the Information Regulator.
To exercise any of these rights, contact us at [email protected]. We may need to verify your identity. These channels are free of charge and accessible, and we will inform you of your right to object when we collect your information.
9. Direct marketing
We will only send you direct marketing by electronic communication (email, SMS, push, or instant messaging) where you have given your consent (opt-in), or where you are an existing customer and we are marketing similar products, as permitted by section 69 of POPIA. You can withdraw consent or opt out at any time using the unsubscribe mechanism in the message, your notification settings, or by contacting us. Providing an opt-out alone does not amount to consent — we obtain opt-in consent before sending unsolicited electronic marketing.
10. Security safeguards
We take appropriate, reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised access, and unlawful processing, as required by section 19 of POPIA. These include encryption in transit, access controls, secure hosting, and secure development practices. Payment card details are handled by our PCI-compliant payment provider, Peach Payments, and are not stored by us. No system is completely secure, and we cannot guarantee absolute security.
If a security compromise affects your personal information, we will notify you and the Information Regulator as soon as reasonably possible, as required by POPIA.
11. Data retention
We keep personal information only for as long as necessary to fulfil the purposes in this policy, or as required by law. Transaction and financial records are retained for the periods required by South African tax and financial legislation (generally up to five years). Account and profile data is deleted or de-identified within a reasonable period after you close your account, unless we are required to keep it for longer.
12. Children
The Platform is intended for users aged 18 and older. We do not knowingly collect the personal information of children. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.
13. Cookies, analytics, and tracking technologies
The Platform uses technologies such as device identifiers, push-notification tokens, Google Analytics, and (on our website) cookies to operate the service, remember your preferences, and understand usage. You can manage some of these through your device settings, browser settings, and app-store privacy controls (such as App Tracking Transparency on iOS).
14. Changes to this policy
We may update this policy from time to time. We will post the updated version on the Platform with a revised “Last updated” date, and where changes are material we will notify you through the Platform or by email.
15. How to contact us and the Regulator
For any privacy query or to exercise your rights, email [email protected] or write to us at 346 Main Street, Waterkloof, Pretoria.
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with:
The Information Regulator (South Africa)
Website: www.inforegulator.org.za
POPIA complaints: [email protected]
Complaints portal: eservices.inforegulator.org.za