Privacy Policy

At Phepha Recycling (Pty) Ltd, we are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, as well as your rights under GDPR and POPIA.

Our Privacy Commitment

Effective Date: 26 May 2026  |  Last Updated: 26 May 2026

This Privacy Policy is issued by Phepha Recycling (Pty) Ltd in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), the General Data Protection Regulation (GDPR) (where applicable), and other applicable privacy legislation. By using our website or services, you acknowledge that you have read and understood this policy.

1. What Information We Collect

Personal Information

We collect personal information when you visit our website, register, place an order, subscribe to our newsletter, or engage with our services. This may include:

  • Name
  • Email Address
  • Phone Number
  • Mailing Address
  • Payment Information
  • Identity or registration number (where legally required)
  • Company name and VAT number (for business customers)

Non-Personal Information

We also collect non-personal information, such as:

  • Browser and Device Information
  • IP Address
  • Pages Visited
  • Time Spent on Pages
  • Referral Source

In line with POPIA's minimality principle, we only collect personal information that is adequate, relevant, and not excessive relative to the purpose for which it is collected.

2. How We Collect Information

Directly from You

We collect information directly when you:

  • Register on our website
  • Place an order
  • Subscribe to our newsletter
  • Fill out a form (e.g., quote request or contact form)
  • Contact us via phone, email, or in person

Automatically

We collect information automatically through:

  • Cookies and Tracking Technologies (e.g., Google Tag Manager, Google Analytics, LinkedIn Insights Tag, X Ads Tag, Facebook Pixel)
  • Server logs and website monitoring tools

Third-Party Sources

We may receive information from third-party sources, such as social media platforms (e.g., LinkedIn, Facebook) and marketing partners, only where permitted by law and where such parties have obtained your consent or have another lawful basis for sharing your information with us.

3. How We Use Your Information

We use your information only for the specific, explicitly defined, and lawful purposes for which it was collected. These purposes include:

  • Providing and maintaining our services, including processing orders for products, parts and/or services
  • Processing transactions and payments
  • Communicating with you, including responding to inquiries and sending newsletters
  • Improving our website and services
  • Personalising your experience with tailored content and offers
  • Conducting marketing and promotional activities (subject to your consent or opt-out rights)
  • Complying with legal and regulatory obligations under POPIA, GDPR, tax laws, and other applicable legislation
  • Preventing and detecting fraud, abuse, or other unlawful activities
  • Maintaining accurate business records as required by law

We will not process your personal information for purposes that are incompatible with the original purpose of collection without your consent.

Under GDPR

We process personal information based on:

  • Consent: When you explicitly agree to our data processing (e.g., newsletter subscription)
  • Performance of a Contract: To fulfil orders or service agreements
  • Legal Obligation: To comply with applicable laws
  • Legitimate Interests: To improve our services and marketing efforts, provided your rights are not overridden

Under POPIA

We process personal information in accordance with POPIA's conditions for lawful processing (Chapter 3, Conditions 1–8), including:

  • Accountability: We are responsible for ensuring processing complies with POPIA at all times
  • Processing Limitation: We process only with your consent, or where permitted by law
  • Purpose Specification: Personal information is collected for specific, explicitly defined, and lawful purposes
  • Further Processing Limitation: We do not further process information in a manner incompatible with the original purpose
  • Information Quality: We take reasonable steps to ensure information is complete, accurate, and up to date
  • Openness: We maintain documentation of all processing operations and notify you about our processing activities
  • Security Safeguards: We implement appropriate security measures (see Section 8)
  • Data Subject Participation: We respect and facilitate your rights under POPIA (see Section 14)

5. Cookies and Tracking Technologies

Cookies

We use cookies to enhance your experience, track site performance, and provide personalised content. Cookies are text files placed on your device to collect standard internet log information and visitor behaviour information. Where required by law, we will request your consent before placing non-essential cookies. You can manage or withdraw cookie preferences at any time through your browser settings. For more information, visit allaboutcookies.org.

Cookie Type Purpose Consent Required?
Strictly Necessary Essential for website functionality (e.g., login sessions, cart) No
Performance / Analytics Track usage patterns to improve user experience (e.g., Google Analytics) Yes
Marketing / Advertising Serve targeted ads and measure campaign effectiveness (e.g., Facebook Pixel, LinkedIn Tag) Yes

Google Tag Manager

Google Tag Manager manages tags on our website, enabling efficient deployment of tracking tools. It does not collect personal information directly but triggers tags that may collect data.

Google Analytics

Google Analytics analyses website traffic and user behaviour, providing insights into pages visited, time spent, and referral sources to improve user experience and content. Data may be processed by Google LLC in the United States (subject to Google's Standard Contractual Clauses).

LinkedIn Insights Tag

LinkedIn Insights Tag tracks conversions, retargets visitors, and provides demographic insights for our LinkedIn ads, helping us tailor marketing strategies. Data may be processed by LinkedIn Corporation in the United States.

X Ads Tag

X Ads Tag tracks ad performance, user interactions, and conversion rates, optimising our advertising strategies on the X platform. Data may be processed by X Corp in the United States.

Facebook Pixel

Facebook Pixel tracks conversions and optimises our Facebook ads, measuring ad effectiveness and refining marketing efforts based on user actions. Data may be processed by Meta Platforms, Inc. in the United States.

6. Sharing Your Information

We only share your personal information where we are legally permitted or required to do so. We may share your information with:

  • Service Providers (Operators): Third parties performing services on our behalf, such as payment processors, IT service providers, or website analytics providers — subject to written data processing agreements as required by POPIA s.20–21
  • Business Partners: Partners collaborating on projects or marketing initiatives, only where you have consented or where we have a legitimate interest
  • Legal Authorities: Where required by law, court order, or to protect the rights, property, or safety of our company, employees, or the public
  • Successors in Business: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to this Privacy Policy

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

7. Operators and Third-Party Processors

Where we engage third parties (called operators under POPIA) to process personal information on our behalf, we ensure the following in compliance with POPIA sections 20 and 21:

  • Operators are bound by written data processing agreements that impose equivalent data protection obligations
  • Operators may only process personal information with our knowledge and authorisation
  • Operators are required to treat personal information as confidential
  • Operators must notify us immediately upon becoming aware of any compromise of personal information
  • Operators are prohibited from retaining personal information beyond what is necessary for the agreed purpose

We remain responsible and accountable for personal information processed by operators on our behalf.

8. Data Security

In accordance with POPIA section 19 and GDPR Article 32, we implement appropriate technical and organisational security measures to protect your personal information against:

  • Unauthorised access, loss, or disclosure
  • Unlawful processing or accidental destruction
  • Damage or alteration

Security measures include, but are not limited to:

  • Encryption of data in transit (SSL/TLS) and at rest
  • Access controls and authentication requirements
  • Regular security assessments and staff training
  • Physical security measures at our premises

While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. In the event of a security incident, we will take appropriate remedial action as required by law.

9. Data Breach Notification

In the event of a data breach that compromises the confidentiality, integrity, or availability of your personal information, we will act in accordance with POPIA section 22:

  • We will notify the Information Regulator of South Africa as soon as reasonably possible after becoming aware of the compromise
  • We will notify affected data subjects unless the identity of such persons cannot be established, or notification would impede a criminal investigation
  • Notification will include the nature of the breach, the information compromised, and the steps being taken to address the breach

If you believe your personal information has been compromised through your interactions with us, please contact our Information Officer immediately (see Section 18).

10. Special Personal Information

POPIA sections 26–32 impose heightened restrictions on the processing of special personal information, which includes information concerning:

  • Religious or philosophical beliefs
  • Race or ethnic origin
  • Trade union membership
  • Political persuasion
  • Health or sex life
  • Biometric information
  • Criminal behaviour

We do not ordinarily collect or process special personal information as part of our business operations. Where the processing of such information becomes necessary (e.g., for employment or legal compliance purposes), we will only do so:

  • With your explicit consent; or
  • Where required or permitted by law; or
  • Where processing is necessary to establish, exercise, or defend a right or obligation in law

11. Children's Personal Information

In accordance with POPIA sections 34 and 35, we do not knowingly collect or process personal information relating to children (persons under the age of 18) without the prior consent of a competent person (i.e., a parent or legal guardian).

Our website and services are not directed at children, and we do not intentionally market to or collect information from minors. If we become aware that personal information of a child has been collected without proper consent, we will take steps to delete such information promptly.

If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact our Information Officer (see Section 18).

12. Direct Marketing

We may use your personal information to send you direct marketing communications (including newsletters, promotional offers, and product updates) only:

  • Where you have given us your explicit consent to do so; or
  • Where you are an existing customer and the communication relates to similar products or services you have previously purchased from us, and you have been given the opportunity to opt out

Your Right to Object / Opt Out

In accordance with POPIA section 69, you have the right at any time to object to the processing of your personal information for direct marketing purposes, free of charge and without providing a reason. You may opt out by:

  • Clicking the "Unsubscribe" link in any marketing email we send you
  • Sending a written request to info@phepha.co.za
  • Contacting our Information Officer (see Section 18)

Once you have objected to direct marketing, we will cease processing your personal information for that purpose as soon as reasonably practicable.

13. Automated Decision-Making

We do not currently make decisions about you solely on the basis of automated processing (including profiling) that produces legal or similarly significant effects.

Where this position changes, we will update this Privacy Policy and, where required by law, obtain your explicit consent or provide you with the right to request human review of any automated decision.

14. Your Rights

Under POPIA

As a data subject under POPIA, you have the following rights, which you may exercise free of charge:

  • Right to Be Informed (s.18): To be notified of the purpose and details of processing when your personal information is collected
  • Right to Access (s.23): To request a record of the personal information we hold about you
  • Right to Correction or Deletion (s.24): To request correction or deletion of inaccurate, irrelevant, excessive, outdated, incomplete, misleading, or unlawfully obtained personal information
  • Right to Object (s.11(3)): To object to the processing of your personal information on reasonable grounds, unless the processing is required by law
  • Right to Object to Direct Marketing (s.69): To object at any time to the processing of your personal information for direct marketing purposes
  • Right to Complain (s.74): To submit a complaint to the Information Regulator of South Africa if you believe your rights have been infringed (see Section 19)
  • Right to Institute Civil Proceedings (s.99): To institute civil proceedings against us for any interference with the protection of your personal information

Under GDPR (where applicable)

Where GDPR applies to your data, you also have the following rights:

  • Right to Access: Obtain a copy of your personal information
  • Right to Rectification: Correct inaccurate or incomplete information
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal information
  • Right to Restriction of Processing: Restrict how we process your personal information
  • Right to Data Portability: Receive your personal information in a structured, machine-readable format
  • Right to Object: Object to the processing of your personal information
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: With a supervisory authority in your country of residence

How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to our Information Officer (see Section 18) or email us at info@phepha.co.za. We will respond within 30 days of receiving your request, or advise you of any lawful reasons that prevent us from complying. We may request proof of your identity before processing your request.

15. Data Retention

In accordance with POPIA section 14, we retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by law. Retention periods are determined by considering:

  • The purpose for which the information was collected (e.g., transactional records, customer service)
  • Legal and regulatory obligations (e.g., tax records — generally 5 years under South African tax law)
  • Any applicable statutes of limitation for legal claims

Once the retention period has expired, personal information will be destroyed, deleted, or anonymised in a secure manner. You may request that your information be deleted earlier where no legal obligation requires us to retain it (see Section 14).

16. International / Cross-Border Data Transfers

Your personal information may be transferred to and processed in countries outside South Africa or Namibia where our service providers operate (e.g., United States, European Union). In accordance with POPIA section 72 and applicable GDPR requirements, we will only transfer personal information cross-border if:

  • The recipient country has an adequate level of data protection as recognised by the Information Regulator; or
  • The recipient is subject to binding corporate rules, standard contractual clauses (SCCs), or another lawful transfer mechanism that provides substantially similar protections to POPIA and GDPR; or
  • You have consented to the transfer after being informed of the risks; or
  • The transfer is necessary for the performance of a contract to which you are a party

You may request details of the specific transfer safeguards in place by contacting our Information Officer (see Section 18).

17. Access to Information (PAIA)

The Promotion of Access to Information Act 2 of 2000 (PAIA) gives you the right to request access to records held by private bodies (including us), subject to the grounds for refusal set out in the Act.

Our PAIA Manual, as required by section 51 of PAIA, is available on request from our Information Officer. The manual sets out:

  • How to make a request for access to records
  • The categories of records we hold
  • Any applicable fees

Our full POPIA Policy and Manual is available for download below, or on request from our Information Officer (see Section 18).

To submit a PAIA or POPIA request, please contact our Information Officer (see Section 18).

18. Information Officer

In terms of POPIA section 55, we have designated an Information Officer who is responsible for encouraging compliance with POPIA, dealing with requests made to us under POPIA, and handling complaints.

Our Information Officer is registered with the Information Regulator of South Africa in accordance with POPIA section 55. For further information, visit www.inforegulator.org.za.

19. Information Regulator of South Africa

If you are dissatisfied with the way in which we have handled your personal information or have not adequately addressed your concerns, you have the right to lodge a complaint with the Information Regulator of South Africa in terms of POPIA section 74.

20. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will take reasonable steps to notify you (e.g., by posting a notice on our website or sending an email to registered users). We will revise the effective date at the top of this policy. This Privacy Policy was last updated on 26 May 2026.

We encourage you to review this policy periodically to stay informed about how we protect your personal information.

21. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your rights, please contact us at: