Privacy policy
The Miracle Drive Trust – shop.chabadsouthafrica.org
Effective Date: February 2026
1. Introduction
This Privacy Policy (“Policy”) describes how The Miracle Drive Trust (Registration No. IT8635/02) (“we”, “us”, or “our”) collects, uses, stores, and protects personal information obtained through our online shop at shop.chabadsouthafrica.org (“the Website”).
We are committed to protecting your privacy and handling your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and other applicable South African legislation.
By using the Website, you acknowledge that you have read and understood this Policy and consent to the processing of your personal information as described herein.
2. Information Officer
In terms of POPIA, our designated Information Officer can be contacted as follows:
Email: rdm@chabad.org.za
Telephone: 011 440 6600
Address: 27 Aintree Avenue, Johannesburg, Gauteng, 2090, South Africa
3. Personal Information We Collect
We may collect the following categories of personal information when you interact with the Website:
3.1 Information You Provide
• Full name and surname
• Email address
• Telephone or mobile number
• Physical and/or delivery address
• Billing address
• Account login credentials (if you create an account)
• Order details and transaction history
• Donation amounts and records
• Event ticket purchase details
• Any additional information you voluntarily provide to us (e.g. through enquiry forms, correspondence, or customer support requests)
3.2 Information Collected Automatically
• IP address
• Browser type and version
• Device type and operating system
• Pages visited, time spent on the Website, and navigation patterns
• Referring website or source
• Cookie and tracking data (see Section 8 below)
3.3 Payment Information
Credit card and payment information is processed directly by our payment gateway provider, PayGate, and is not stored on our servers. PayGate processes payment data in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
4. Purpose of Processing
We process your personal information for the following purposes:
1. To process and fulfil orders for goods, event tickets, and donations.
2. To communicate with you regarding your orders, deliveries, and account.
3. To create and manage your user account (where applicable).
4. To process returns and refunds.
5. To issue donation receipts or acknowledgements.
6. To send you marketing and promotional communications (only where you have given your explicit prior consent).
7. To improve the Website, our products, and our services.
8. To comply with legal and regulatory obligations.
9. To detect and prevent fraud.
10. For internal record-keeping and administration.
5. Legal Basis for Processing
We process your personal information on the following legal grounds under POPIA:
• Consent: Where you have given us your voluntary, specific, and informed consent (e.g. for marketing communications).
• Contract: Where processing is necessary to perform a contract with you (e.g. to fulfil an order).
• Legal obligation: Where processing is necessary to comply with a legal obligation.
• Legitimate interest: Where processing is necessary for our legitimate interests, provided such interests do not override your rights and freedoms.
6. Sharing of Personal Information
We may share your personal information with the following categories of third parties:
• Payment processors: PayGate, for the purpose of processing payments.
• Delivery and courier services: For the purpose of delivering physical products.
• Customer relationship management: Your information is stored in our customer relationship management system (Salesforce) for the purposes of order management, communication, and record-keeping.
• Email and marketing platforms: Where you have consented to receive marketing communications, we may use third-party email marketing platforms to send you such communications.
• Analytics providers: Google Analytics, for the purpose of analysing Website usage (see Section 8).
• Professional advisors: Legal, accounting, or other professional advisors where necessary.
• Law enforcement and regulatory authorities: Where required by law or to protect our rights.
We will not sell, rent, or trade your personal information to third parties for their own marketing purposes.
7. Data Storage and Security
We take reasonable technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:
• Secure encrypted connections (SSL/TLS) on the Website.
• Restricting access to personal information to authorised personnel only.
• Use of reputable third-party service providers that maintain appropriate security standards.
Your personal information is stored on servers operated by Shopify (our e-commerce platform) and Salesforce (our CRM system). These providers may store data outside of South Africa. By using the Website, you consent to the transfer of your information to jurisdictions outside of South Africa, subject to appropriate safeguards as required by POPIA.
Notwithstanding our security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your personal information.
8. Cookies and Tracking Technologies
8.1 What Are Cookies
Cookies are small text files placed on your device when you visit the Website. They help us to improve your experience, analyse Website usage, and deliver relevant content.
8.2 Types of Cookies We Use
• Essential cookies: Required for the Website to function correctly (e.g. shopping cart, checkout, session management).
• Analytics cookies: Google Analytics cookies that collect anonymised information about how visitors use the Website, including pages visited and time spent.
• Shopify cookies: Cookies set by Shopify to manage your shopping session, cart contents, and login state.
8.3 Managing Cookies
You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Website. By continuing to use the Website without adjusting your cookie settings, you consent to the use of cookies as described in this Policy.
9. Marketing Communications
We will only send you marketing or promotional communications where you have given your explicit prior consent (opt-in). You may withdraw your consent at any time by:
• Clicking the “unsubscribe” link in any marketing email.
• Contacting us at rdm@chabad.org.za.
Withdrawal of consent for marketing communications will not affect the lawfulness of processing carried out prior to withdrawal. Transactional communications (such as order confirmations and delivery notifications) are not marketing communications and will continue to be sent as necessary.
10. Your Rights Under POPIA
In terms of POPIA, you have the following rights in respect of your personal information:
• Right of access: You may request confirmation of whether we hold personal information about you and request access to such information.
• Right to correction: You may request that we correct or update inaccurate or incomplete personal information.
• Right to deletion: You may request the deletion of your personal information, subject to any legal or contractual obligations that require us to retain it.
• Right to object: You may object to the processing of your personal information on reasonable grounds.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time.
• Right to lodge a complaint: You may lodge a complaint with the Information Regulator if you believe that your personal information has been processed in violation of POPIA.
To exercise any of these rights, please contact our Information Officer at the details provided in Section 2 above. We will respond to your request within a reasonable time and in any event within the timeframes prescribed by POPIA.
11. Information Regulator
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the Information Regulator:
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: enquiries@inforegulator.org.za
Website: www.justice.gov.za/inforeg/
12. Retention of Personal Information
We will retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. In determining the appropriate retention period, we will consider the nature and sensitivity of the information, the purposes of processing, and applicable legal requirements.
Transaction records will be retained for the minimum period required by applicable tax and commercial legislation, after which they will be securely destroyed or de-identified.
13. Children’s Information
The Website is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us, and we will take steps to delete such information.
14. Changes to This Policy
We reserve the right to amend this Policy at any time. Any changes will be posted on the Website with an updated effective date. Your continued use of the Website after the posting of changes constitutes your acceptance of the amended Policy.
Where material changes are made to this Policy that affect how we process your personal information, we will use reasonable efforts to notify you by email or by placing a prominent notice on the Website.
15. Contact
If you have any questions, concerns, or requests relating to this Policy or our handling of your personal information, please contact us at:
The Miracle Drive Trust
27 Aintree Avenue, Johannesburg, Gauteng, 2090, South Africa
Telephone: 011 440 6600
Email: rdm@chabad.org.za
Information Officer: rdm@chabad.org.za