Privacy Policy
How we collect, use, store, and protect your personal information.
This Privacy Policy is drafted to meet the requirements of the Protection of Personal Information Act, No. 4 of 2013 (POPIA) as implemented by the Innestato Auctions platform. It should be reviewed by qualified legal counsel, and will be updated once the appointed Information Officer (Petro Niemand) has been formally registered with the Information Regulator via inforegulator.org.za.
Table of Contents
- 1. Who We Are (Responsible Party)
- 2. What Personal Information We Collect
- 3. How We Use Your Personal Information
- 4. Legal Basis for Processing
- 5. Who We Share Your Information With
- 6. Cross-Border Transfers
- 7. How Long We Keep Your Information
- 8. How We Protect Your Information
- 9. Your Rights
- 10. Cookies and Analytics
- 11. Children’s Information
- 12. Changes to this Policy
- 13. Contact & Complaints
1. Who We Are (Responsible Party)
1.1. In this Privacy Policy, “we”, “us”, or “Innestato” means Innestato Holdings (Pty) Ltd trading as Innestato Auctions, the registered legal entity that operates this auction platform and is the responsible party for your personal information under POPIA.
| Detail | Value |
|---|---|
| Legal Entity | Innestato Holdings (Pty) Ltd |
| Trading Name | Innestato Auctions |
| Physical Address | Shop No. 5, Erf 459 Wilkoppies, 45 Buffeldoorn |
| Email | info@innestato.co.za |
| Telephone | 087 265 7835 |
1.2. This Privacy Policy explains what personal information we collect about you, how we use it, who we share it with, how long we keep it, how we protect it, and the rights you have under POPIA.
1.3. It applies to everyone who uses the Innestato Auctions website (the “Platform”), whether as a bidder, seller, buyer, or casual visitor.
2. What Personal Information We Collect
2.1. Information You Provide at Registration
When you register as a user, we collect the following information as required by Regulation 30 of the Consumer Protection Act (online auctions) and by FICA:
- full name and surname;
- email address and contact telephone number;
- date of birth (you must be 18 or older);
- South African ID number or passport number (verification document);
- physical residential address (street, city, province, postal code, country);
- account password (stored as a one-way hash — we never see your actual password).
2.2. Information We Collect Automatically
When you access the Platform, we automatically collect:
- your IP address at registration and each time you place a bid (as required by CPA Regulation 30);
- browser type, device type, and operating system;
- the date and time of your visits and actions (bids placed, lots viewed, logins);
- session cookies needed to keep you logged in.
2.3. Seller-Specific Information
If you register as a seller, we additionally collect:
- a legible copy of your ID or passport (for FICA customer due diligence);
- banking details for payouts (account holder name, bank, branch code, account number, account type);
- a declaration of ownership for each item consigned.
2.4. Transactional Information
As you use the Platform we record:
- bids placed, lots won or lost, orders created, payments made or received;
- communications and support requests you send us;
- WhatsApp opt-in status and consent timestamp, if you opt in to receive WhatsApp notifications.
2.5. Information We Do Not Collect
We do not collect payment card details. When you pay by card, you enter your card information directly into the Yoco payment gateway — we never see or store your card number, CVV, or PIN.
3. How We Use Your Personal Information
3.1. We process your personal information for the following specific, clearly defined purposes:
| Purpose | What it means in practice |
|---|---|
| Account creation & management | Creating your account, verifying your identity, authenticating logins, letting you manage your profile and banking details. |
| Running auctions | Accepting bids, notifying you when you win, sending checkout and collection reminders, processing payments. |
| Legal & regulatory compliance | Meeting our obligations under POPIA, FICA, the Consumer Protection Act, the Second-Hand Goods Act, and tax law. This includes maintaining the second-hand goods register that SAPS may inspect. |
| Fraud prevention | Detecting shill bidding, duplicate accounts, suspicious transactions, and reporting to the Financial Intelligence Centre where required. |
| Customer support | Responding to your enquiries and complaints. |
| Notifications | Sending you transactional emails (e.g. bid outbid, auction won, payment confirmation). If you opt in, we also send these over WhatsApp. |
| Service improvement | Monitoring platform performance, diagnosing errors, and improving the user experience. |
4. Legal Basis for Processing
4.1. POPIA requires us to have a lawful basis for processing your personal information. We rely on the following bases:
- Consent — given when you register an account and accept these terms, and separately for WhatsApp notifications (which you can withdraw at any time in your profile).
- Contractual necessity — we need your information to provide the services you’ve asked us for (bidding, payment, collection).
- Legal obligation — FICA, CPA Regulation 30, the Second-Hand Goods Act, and tax law require us to collect and retain certain information.
- Legitimate interest — for fraud prevention, security, and protecting our platform and users from misuse.
5. Who We Share Your Information With
5.1. We do not sell your personal information to anyone. We share it only with the following categories of recipients, and only to the extent necessary:
| Recipient | What they receive | Why |
|---|---|---|
| Yoco (payment gateway) | Order amount, reference, customer email | To process card payments securely. |
| WhatsApp / Meta (if opted in) | Phone number and notification content | To deliver the WhatsApp notifications you opted in to receive. |
| Email delivery provider | Your email address and the content of the email | To send transactional and support emails. |
| South African Police Service (SAPS) | Access to our second-hand goods register when requested | Statutory obligation under the Second-Hand Goods Act. |
| Financial Intelligence Centre (FIC) | Transaction and identification details where reporting is required | Statutory obligation under FICA. |
| Our hosting and infrastructure providers | Encrypted/hashed data at rest, logs | To run the website, database, session store, and email queue. |
| Qualified legal and accounting advisers | On a need-to-know basis | For audit, compliance, and dispute purposes. |
| Courts and regulators | Information compelled by law | Court order, subpoena, statutory investigation. |
5.2. We do not share your information for third-party marketing.
6. Cross-Border Transfers
6.1. Some of the service providers we use (notably Yoco’s upstream card processors and WhatsApp / Meta) may process personal information on servers outside South Africa.
6.2. In terms of Section 72 of POPIA, we only transfer personal information across borders where:
- the recipient is subject to a law, binding contract, or binding corporate rules that provide an adequate level of protection;
- you have consented to the transfer; or
- the transfer is necessary for the performance of a contract with you.
6.3. By using WhatsApp notifications, you consent to your phone number and message content being transferred to Meta’s servers.
7. How Long We Keep Your Information
7.1. We keep your personal information only for as long as we need it for the purposes described in this policy, or as required by law.
| Category | Retention period |
|---|---|
| Account & contact information | Duration of the business relationship, then 5 years after account closure (FICA minimum). |
| ID documents and verification records | 5 years after the end of the business relationship (FICA). |
| Transaction records, invoices, commission statements | 5 years (FICA / tax law). |
| Second-hand goods register entries | 5 years (Second-Hand Goods Act). |
| Server logs and IP addresses | Up to 12 months, then deleted or anonymised. |
| Email and WhatsApp message logs | 24 months for operational troubleshooting, then deleted or anonymised. |
| Marketing / WhatsApp opt-in consent records | Until you withdraw consent, then the withdrawal is retained for audit. |
7.2. Where a longer retention period is required by law (for example if you are party to pending litigation or a regulatory investigation), we will retain the relevant information for as long as the law requires.
8. How We Protect Your Information
8.1. We apply appropriate technical and organisational measures to protect your personal information from loss, misuse, unauthorised access, disclosure, alteration, or destruction:
- Encryption in transit — the Platform is served over HTTPS.
- Encryption at rest for sensitive identifiers — ID numbers and banking account numbers are encrypted using authenticated encryption (libsodium crypto_secretbox). A keyed HMAC-SHA256 hash of your ID number is stored to prevent duplicate registrations without ever needing to decrypt the original.
- Hashed passwords — we never store passwords in plain text; we only store a one-way hash.
- Rate limiting — on login, registration, password reset, bidding, and other sensitive endpoints, to slow down abuse.
- Access control — administrator access is limited to authorised staff; administrator actions on your account (e.g. impersonation for support) are logged for audit.
- Session security — sessions are stored server-side in Redis, not in the cookie.
- Backups — regular encrypted backups so we can recover your data if there is a failure.
8.2. If a security compromise affects your personal information, Section 22 of POPIA requires us to notify the Information Regulator and you as soon as reasonably possible. You will be told what happened, what information was affected, and what we are doing about it.
9. Your Rights
9.1. Under POPIA you have the following rights regarding your personal information:
- Right to be notified that we are collecting or that there has been a security compromise.
- Right of access — to ask what personal information we hold about you, and for a copy.
- Right to correction or deletion of personal information that is inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained. Deletion is subject to the legal retention periods set out in Section 7.
- Right to object to the processing of your personal information on reasonable grounds.
- Right to withdraw consent — at any time, for processing that is based on consent (e.g. WhatsApp notifications). Withdrawal does not affect the lawfulness of processing before the withdrawal.
- Right to lodge a complaint with the Information Regulator (see Section 13).
9.2. To exercise any of these rights, email us at info@innestato.co.za from the address linked to your account. We will respond within a reasonable time — typically within 30 days — and may need to verify your identity before acting.
9.3. Where required by the Promotion of Access to Information Act (PAIA), formal access requests may be made using Form 2 of PAIA and sent to the Information Officer at the address above.
10. Cookies and Analytics
10.1. We use a small number of cookies that are strictly necessary to make the Platform work:
- Session cookie — keeps you logged in while you use the site.
- CSRF token — protects you from cross-site request forgery attacks.
- Remember-me cookie (if you tick “remember me”) — so you don’t have to sign in every visit.
10.2. These cookies do not track you across other websites. We do not currently use third-party advertising or cross-site tracking cookies. If we introduce analytics or marketing cookies in the future, we will update this policy and request your consent where required.
11. Children’s Information
11.1. The Platform is not intended for anyone under the age of 18. You may only register if you are 18 or older. If you believe that a child has registered on the Platform, please contact us and we will delete the account and associated information.
12. Changes to this Policy
12.1. We may update this Privacy Policy from time to time — for example when we add a new feature, change a supplier, or where the law changes. The “Last updated” date at the top of this page shows when the policy was last revised.
12.2. Material changes will be communicated by email to registered users. Continued use of the Platform after the effective date of the change constitutes acceptance of the updated Policy.
13. Contact & Complaints
13.1. Information Officer
Privacy queries, access requests, corrections, and complaints are handled by our Information Officer:
| Detail | Value |
|---|---|
| Information Officer | Petro Niemand |
| Email | admin@innestato.co.za |
| Postal address | Information Officer — Innestato Holdings (Pty) Ltd, Shop No. 5, Erf 459 Wilkoppies, 45 Buffeldoorn, South Africa |
| Telephone | 087 265 7835 |
13.2. Information Regulator
If we are unable to resolve your complaint, you may refer it to the Information Regulator of South Africa:
| Detail | Value |
|---|---|
| Website | inforegulator.org.za |
| Email (general enquiries) | enquiries@inforegulator.org.za |
| Email (POPIA complaints) | POPIAComplaints@inforegulator.org.za |
| Postal address | JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 |