Cookie Policy

Effective Date: Friday, May 10, 2025

Last Updated: Friday, May 10, 2025

SANDTONER (PTY) LTD ("we", "us", or "our") operates in full compliance with South Africa's Protection of Personal Information Act (POPIA) and international data protection standards, including the EU General Data Protection Regulation (GDPR). This policy details how cookies and similar technologies ("Cookies") are used to enhance your experience, secure transactions, and ensure transparency in data handling. By using our services, you acknowledge and consent to the practices described below.

Cookies are small text files stored on your device (computer, smartphone, or tablet) when you access our website or mobile application. They contain anonymized or pseudonymized identifiers and are designed to:

  • Authenticate Users: Verify login sessions and prevent unauthorized access.
  • Preserve Preferences: Retain user-specific settings (e.g., language, currency, shopping cart contents).
  • Track Interactions: Record pages visited, items viewed, and time spent to optimize performance.
  • Enable Security: Detect suspicious activities (e.g., repeated failed login attempts).
  • Deliver Targeted Content: Analyze browsing patterns to personalize ads and recommendations.

  • First-Party Cookies: Set directly by our domain for core functionalities.
  • Third-Party Cookies: Placed by trusted partners (e.g., analytics tools, ad networks) to extend services.
  • Session Cookies: Temporary files deleted after closing the browser.
  • Persistent Cookies: Remain on the device for predefined periods (up to 12 months).

We classify Cookies into four categories, with expanded details on scope and compliance:

| Category | Purpose | Storage Duration | Data Collected | Third-Party Sharing | Essential? |
|---|---|---|---|---|---|
| Strictly Necessary | Enable core functions (login, checkout, payment processing). | Session | Session ID, transaction tokens | No | Yes |
| Performance | Analyze traffic, page load speed, and user behavior (via Google Analytics). | 12 months | IP (anonymized), device type | Yes (analytics partners) | No |
| Functional | Remember preferences (language, region) and enable localized services. | 6 months | User settings, geolocation | No | No |
| Advertising | Serve personalized ads and measure campaign effectiveness (via Meta Ads). | 12 months | Browsing history, ad interactions | Yes (ad partners) | No |

  • Granular Consent: Upon first visit, a pop-up allows you to accept/reject non-essential Cookies by category (e.g., "Analytics" or "Advertising").
  • Dynamic Preference Center: Accessible via the website footer ("Cookie Settings"), where you may:
    • Review active Cookie categories.
    • Withdraw consent retroactively.
    • Opt out of third-party tracking.

You may manually manage Cookies through browser settings:

  • Chrome: Settings > Privacy & Security > Cookies and Site Data.
  • Safari: Preferences > Privacy > Manage Website Data.
  • Firefox: Options > Privacy & Security > Enhanced Tracking Protection.
  • Mobile Devices: Enable "Limit Ad Tracking" (iOS) or "Opt out of Ads Personalization" (Android).

  • Right to Access: Request a report detailing Cookies stored on your device.
  • Right to Erasure: Demand deletion of non-essential Cookies and associated data.
  • Right to Object: Refuse profiling for marketing purposes.

Blocking non-essential Cookies may limit features (e.g., saved carts, recommendations). Essential Cookies cannot be disabled without disrupting service access.

  • Session Cookies: Deleted immediately after browser closure.
  • Persistent Cookies: Retained for no longer than 12 months, after which data is anonymized or purged.
  • Encryption: All Cookie data is transmitted via HTTPS and stored using AES-256 encryption.
  • Access Controls: Restricted to authorized personnel on a "need-to-know" basis.
  • Audits: Annual penetration testing and ISO 27001 certification for infrastructure.
  • Cross-Border Transfers: Data transferred outside South Africa (e.g., EU servers) adheres to GDPR safeguards, including Standard Contractual Clauses (SCCs).
  • Breach Notification: Users and regulators (e.g., SA Information Regulator) are notified within 72 hours of a confirmed breach.

We do not knowingly collect data from users under 13 years old (or higher thresholds per jurisdiction, e.g., 16 under GDPR).

  • Age Gates: Users attempting to create accounts must confirm they are 13+.
  • Parental Controls: Suspected minors' accounts are frozen until parental consent is obtained via verified email or documentation.

If underage usage is detected, all associated Cookies and personal data are erased within 48 hours. Parents may contact our Data Protection Officer (DPO) for immediate action.

Lodge complaints with the South African Information Regulator:

We will notify you of material changes (e.g., new Cookie categories, third-party partners) via email or website banners 30 days prior to implementation. Continued use constitutes acceptance.