Privacy Policy

who we are

Responsible Party:                          BoxClvr (Pty)Ltd

Registration Number:                     2025 / 647632 / 07

Registered Address:                       Building 4 Riverlands Mall, 51 Gogosoa Street, Observatory, Cape Town

Website & App:                                boxclvr.co.za and the BoxClvr web application (mobile-first PWA).

Information Officer (POPIA):           Graham Michael Rodger, Director

Contact (privacy):                           privacy@boxclvr.co.za | 083 661 7698

scope & applicability

  • This Policy applies to our website(s), the BoxClvr web app, landing pages, embedded forms, and marketing properties we control (collectively, “Services”).
  • It describes how we collect, use, share, and secure personal information about users, prospects, and website visitors.
  • It covers cookies, pixels, SDKs, and similar tracking technologies used on our properties.

key definitions (popia)

  • “Personal information” means information relating to an identifiable, living, natural person (and where applicable, identifiable juristic persons).
  • “Special personal information” includes information relating to children, religious/philosophical beliefs, race/ethnic origin, trade union membership, political persuasion, health/sex life, biometric and criminal behaviour (as defined in POPIA).
  • “Responsible party” means the person (company) that determines the purpose and means of processing personal information.
  • “Operator” means a third party that processes personal information for the responsible party in terms of a contract.

personal information we collect

We collect the following categories of personal information (as applicable):

  • Identity & Contact: name, surname, email address, phone number, and (if applicable) company, job title.
  • Account & Authentication: username, password, role/permissions, activity timestamps.
  • Content You Add: item photos, descriptions, boxes/rooms/locations, QR code associations, checklists, labels, and shared access settings you configure (e.g., family, guests, teammates). Avoid adding sensitive personal information to item photos or notes.
  • Transactional: plan selections, subscription status, invoices, payment confirmations (processed by our payment provider).
  • Support & Communications: live chat transcripts, email correspondence, survey responses, and feedback.
  • Device/Usage/Telemetry: IP address, device type, OS and browser, language, pages viewed, time on page, referrals, UTM parameters, app events (e.g., QR usage thresholds), and error logs.
  • Marketing & Lead Capture: form submissions, lead magnet downloads, ad campaign parameters, consent preferences, and unsubscribe status.

We do not intentionally collect special personal information. Please do not upload or store sensitive personal information in the Services.

sources of personal information

  • Directly from you (account sign-up, forms, app use).
  • Automatically via cookies, pixels, and analytics when you use our Services.
  • From partners and service providers who assist with hosting, analytics, payments, and marketing (see “Who we share your data with”).

purposes & lawful justification (popia condition 2 & 4)

We process personal information for the following purposes, on the following justification grounds permitted by POPIA:

  • Provide and operate the Services: create accounts, enable inventory capture with QR codes and photos, enable sharing/roles, and deliver core features. (Necessary to perform/fulfil a contract with you.)
  • Customer support and service communications. (Contract and/or your request.)
  • Product improvement, analytics, and troubleshooting (e.g., app usage, error logs). (Our legitimate interests balanced with your rights; minimal and proportionate, with opt-out where feasible.)
  • Security, fraud prevention, and abuse monitoring. (Our legitimate interests; protection of your and our rights.)
  • Marketing and lead generation (e.g., delivering lead magnets you requested; sending onboarding tips; remarketing). (Consent where required; you may withdraw at any time; we honour POPIA restrictions on direct electronic marketing.)
  • Compliance with legal obligations (tax, accounting, record-keeping) and to establish, exercise, or defend legal claims.
  • Business changes (merger, acquisition, financing, or transfer) subject to appropriate safeguards.

children

Our Services are not directed at children under 18. If you are a parent/guardian and believe your child provided personal information, please contact us so we can take appropriate steps.

who we share your data with (operators/processors)

We use operators that help us deliver the Services. We require contracts that obligate them to process personal information only on our instructions and with appropriate security. Operators may include:

  • Zoho (CRM, Forms, Campaigns, SalesIQ, PageSense; workflow automation via Zoho Flow) — for lead capture, email journeys, chat/visitor engagement, A/B testing, and automation.
  • Hosting and infrastructure providers (e.g., cloud hosting, content delivery).
  • Analytics & Advertising: Google (Analytics/Ads/YouTube) and Meta (Facebook/Instagram) — for analytics, conversion tracking, and remarketing where permitted by law and your preferences.
  • Email & Messaging providers — for service and marketing communications.
  • Payment Processor: [Stripe/PayFast/PayPal/Paystack/Other] — we receive confirmations/tokens but do not store full card data on our systems.
  • Professional advisers and auditors — for compliance and legitimate business purposes.
  • Partners/Resellers — only when you opt-in or initiate engagement (e.g., co-branded offers).

 

We will disclose information when required by law, or to protect rights, safety, and security.

cross border transfers

Your personal information may be processed in countries other than South Africa. Where we transfer information across borders, we will ensure that the recipient is subject to a law, binding corporate rules, or binding agreements that provide an adequate level of protection; or we will obtain your consent or rely on contractual necessity, in accordance with POPIA.

retention

We keep personal information only for as long as necessary for the purposes set out in this Policy, unless a longer period is required or permitted by law. We apply the following default periods:

  • Account data: retained while your account is active; if inactive for 24 months, we may anonymise or delete.
  • Lead/marketing records: 24 months from last meaningful interaction.
  • Support tickets & chat logs: 24 months after closure.
  • System logs & telemetry: 12–24 months for security and diagnostics.
  • Billing/transaction records: up to 7 years for tax and accounting.

 

When we no longer need personal information, we irreversibly anonymise or securely delete it.

your rights (popia condition 8)

Under POPIA, you may have the right to:

  • Request access to your personal information we hold about you.
  • Request correction, update, or deletion of your personal information where appropriate.
  • Object to certain processing (including direct marketing) and withdraw consent at any time.
  • Lodge a complaint with the Information Regulator (South Africa).

To exercise your rights, contact us at the details under “Who We Are”. We will respond in accordance with POPIA timelines and requirements.

direct marketing

We comply with POPIA’s rules on direct electronic marketing. Where required, we obtain your prior consent before sending promotional communications. You may opt out at any time by using unsubscribe links in emails or contacting us. Service, transactional, and security notices are not marketing and will continue as necessary.

security

We implement appropriate, reasonable technical and organisational measures to protect personal information, including encryption in transit, access controls based on roles, regular backups, least-privilege access, and staff confidentiality obligations. No system is perfectly secure; if you suspect an issue, please contact us immediately.

data breach management

We maintain processes to detect, investigate, and remediate security incidents. Where a breach creates a real risk of harm, we will notify affected individuals and the Information Regulator in accordance with POPIA.

automated decision making & profiling

Questions, requests, or complaints can be directed to our Information Officer at [privacy@yourdomain.co.za]. You may also lodge a complaint with the Information Regulator (South Africa).

cookie & tracking technologies policy

We use cookies, pixels, tags, SDKs, local storage, and similar technologies (“cookies”) to operate and improve our Services. You can manage non-essential cookies via our banner or through your browser settings.

Types of Cookies We Use

  • Strictly Necessary: enable core functions such as page navigation, session management, and security. (Always on.)
  • Analytics & Performance: help us understand how the Services are used and improve usability (e.g., page views, device info).
  • Advertising & Remarketing: enable us to show relevant ads and measure campaign performance (e.g., Meta Pixel, Google Ads).
  • Chat & Personalisation: power live chat, user guidance, and A/B testing (e.g., Zoho SalesIQ, Zoho PageSense).
  • Functional: remember settings such as language or layout preferences. 

 

Specific Cookies & Pixels

Depending on your region and choices, we may use the following providers:

  • Google Analytics / Ads (e.g., cookies such as _ga, _gid, _gcl_au; GA4 events).
  • Meta (Facebook/Instagram) Pixel for conversion tracking and remarketing.
  • Zoho SalesIQ for live chat and visitor engagement; Zoho PageSense for A/B testing and heatmaps.
  • First-party preferences and session cookies set by our site/app.

Links to each provider’s privacy policy and cookie details will be included on our website’s cookie banner or preferences centre.

Managing Cookies

  • Consent: Non-essential cookies are used only after you provide consent via our banner or settings (region-specific).
  • Preferences: You can change or withdraw your consent at any time via the cookie settings on our site.
  • Browser Controls: Most browsers let you block or delete cookies. Blocking essential cookies may impact functionality.
  • Do Not Track: We respond to local legal requirements; however, not all tracking can be disabled if strictly necessary for the Services.

international users (EEA/UK/other juridictions)

If you are in the EEA/UK, you may have additional rights under GDPR, including data portability and restriction of processing. Where applicable, we will honour those rights and rely on appropriate transfer mechanisms for cross-border data flows.

your responsibilities

  • Keep your account credentials confidential and enable security features we provide.
  • Ensure you have the right to share information with us (e.g., if you upload photos or share access with others).
  • Avoid uploading sensitive personal information or third-party data without permission.

changes to this policy

  • We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, where appropriate, notify you via email or in-app notices.

contact

  • Questions, requests, or complaints can be directed to our Information Officer at [privacy@yourdomain.co.za]. You may also lodge a complaint with the Information Regulator (South Africa).