Privacy Policy

Last Updated: 9 December 2025

Who We Are

Our website address is: https://www.highground.co.za

High Ground Marketplace (“High Ground”, “we”, “us”, or “our”) is a private, members-only marketplace connecting independent vendors with customers for smoking accessories and lifestyle products. We are committed to protecting your privacy in accordance with South Africa’s Protection of Personal Information Act (POPIA) and international best practices.

Contact Information:
Email: highground339@gmail.com
Physical Address: 2 Summerseat Close, Gardens, Cape Town, 8001
Phone: 082 678 3313
Business Type: Sole Proprietor trading as High Ground Marketplace

What Personal Data We Collect and Why We Collect It

The type of information we collect depends on your interaction with our Platform.

1. For All Visitors

When you visit our website, we automatically collect certain technical information:

  • IP address – Used for security, fraud prevention, and site analytics
  • Browser type and version – Used to optimize site performance
  • Operating system – Used to ensure compatibility
  • Pages visited and time spent – Used to improve user experience
  • Referral source – Used to understand how visitors find our site

Legal Basis: Legitimate business interest in operating and improving our website.

2. For Customers (Buyers)

When you register an account or place an order, we collect:

  • Name and surname – Required for order processing and account creation
  • Email address – Used for order confirmations, account management, and communication
  • Phone number – Used for order updates and delivery coordination
  • Shipping address – Required for product delivery coordination
  • Billing address – Required for payment processing
  • Payment information – Processed securely through our payment gateway (see Payment section below)
  • Order history – Stored to provide customer service and order tracking
  • Account preferences – Used to personalize your experience

Legal Basis: Contractual necessity to fulfill orders and provide services you’ve requested.

3. For Vendors (Sellers)

In addition to customer information above, we collect:

  • Business name and trading details – Required for vendor verification
  • Business registration information – Required for compliance and verification
  • Banking details – Required for payout processing
  • Tax/VAT information – Required for legal compliance
  • Product listings and inventory – Necessary to operate your store
  • Sales and transaction data – Required for commission calculation and payouts

Legal Basis: Contractual necessity to provide vendor services and legal compliance with tax regulations.

Comments

When visitors leave comments on the site, we collect:

  • The data shown in the comments form
  • The visitor’s IP address
  • Browser user agent string (to help with spam detection)

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to display your profile picture. The Gravatar service privacy policy is available here: https://automattic.com/privacy/

After approval of your comment, your profile picture is visible to the public in the context of your comment.

Comments and metadata are retained indefinitely to recognize and approve follow-up comments automatically instead of holding them in a moderation queue.

Legal Basis: Legitimate interest in managing site content and preventing spam.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

All uploaded files are publicly accessible once published.

Legal Basis: Legitimate interest in allowing users to share content on our platform.

Contact Forms

When you submit a contact form, we collect:

  • Your name
  • Email address
  • Message content
  • IP address and timestamp (for security purposes)

We retain contact form submissions for 6 months for customer service purposes. We do not use the information submitted through contact forms for marketing purposes without your explicit consent.

Legal Basis: Legitimate interest in providing customer support and responding to inquiries.

Cookies and Tracking Technology

Our website uses cookies and tracking technology to provide and improve our services.

What Are Cookies?

Cookies are small text files stored on your device that help us provide a better user experience.

Cookies We Use:

Essential Cookies (Required for site function):

  • Session cookies – Keep you logged in as you navigate the site (deleted when you close your browser)
  • Login cookies – Remember your login for two days, or two weeks if you select “Remember Me”
  • Cart cookies – Keep track of items in your shopping cart while browsing

Functional Cookies:

  • Comment cookies – Save your name, email, and website for one year if you opt-in when leaving a comment
  • Screen preference cookies – Remember your display choices for one year
  • Editor cookies – Track post IDs when editing content (expires after 1 day)

Analytics Cookies:

  • We use analytics to understand how visitors use our site, which pages are most popular, and how we can improve user experience
  • Analytics data is anonymized and aggregated
  • [IF USING GOOGLE ANALYTICS: We use Google Analytics. You can opt out by installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout]

Third-Party Cookies:

  • Payfast payment gateway – Sets cookies during payment processing for security
  • Social media embeds – May set cookies if you interact with embedded content from other platforms

Managing Cookies:

You can control cookies through your browser settings. However, disabling cookies may affect your ability to use certain features of our website, including placing orders.

Legal Basis: Essential cookies are necessary for the site to function. Analytics cookies are based on legitimate interest, and you can opt out.

E-Commerce Data Collection (WooCommerce/Dokan)

What We Collect and Store During Shopping:

While you browse our marketplace, we track:

  • Vendor stores you’ve viewed – To show you stores you’ve recently visited
  • Products you’ve viewed – To show you recently viewed items
  • Location, IP address, and browser type – For tax calculations, shipping estimates, and fraud prevention
  • Shopping cart contents – Kept in cookies while you browse

When You Make a Purchase:

We collect and store:

  • Name, billing address, shipping address
  • Email address and phone number
  • Payment details (processed securely through Payfast – we do not store full card details)
  • Order details – Products purchased, quantities, prices
  • Transaction records – For accounting and tax compliance

How We Use Purchase Information:

  • Process and fulfill your orders
  • Send order confirmations and shipping updates
  • Process refunds and handle customer service inquiries
  • Prevent fraud and unauthorized transactions
  • Calculate taxes and comply with legal obligations
  • Improve our marketplace offerings
  • Send marketing communications (only if you opt-in)

User Accounts:

If you create an account, we store your name, address, email, and phone number to:

  • Pre-populate checkout for faster future orders
  • Allow you to track order history
  • Manage your vendor store (if applicable)

All users can view, edit, or delete their personal information at any time through their account settings (except username, which cannot be changed).

Legal Basis: Contractual necessity and legal compliance (tax records, consumer protection laws).

Payments

Payment Gateway: Payfast by Network

We process payments through Payfast by Network, an approved payment gateway for all South African acquiring banks.

Payment methods accepted:

  • Visa
  • MasterCard
  • SID Secure EFT
  • Mobicred
  • Bank Transfer

What Payment Information Is Shared:

When processing payments, your data is passed to Payfast, including:

  • Purchase total and transaction details
  • Billing information
  • Name and email address

Security:

  • Payfast uses Secure Socket Layer 3 (SSL3) encryption – the strictest form of encryption
  • No card details are stored on our website
  • Card details are entered directly on Payfast’s secure payment portal
  • Customer details are stored by High Ground separately from card details

Payfast Privacy Policy: https://payfast.io/privacy-policy/

Legal Basis: Contractual necessity to process payments for orders.

Who We Share Your Data With

High Ground is built on a model of privacy and security for both Customers and Vendors.

1. Vendors (For Order Fulfillment)

To complete a transaction, we share limited anonymous order details with the Vendor:

  • What we share: Product name, quantity, order number
  • What we DON’T share: Your full name, surname, physical address, email, or phone number

For secure locker handoff, we share only a partially anonymized version of your first name (e.g., “Mike F.”) with the Vendor. All logistics are managed by High Ground through our secure dropoff locker network to ensure privacy and safety for all members.

2. Payment Processor (Payfast)

As described above, necessary payment information is shared with Payfast to process transactions securely.

Payfast Privacy Policy: https://payfast.io/privacy-policy/

3. Courier Services

We share minimal necessary information with our courier service provider:

  • Order reference number
  • Locker location
  • Pickup/dropoff confirmation codes

We do NOT share your full name, address, or contact details with couriers.

4. Service Providers

We may share data with trusted third-party service providers who assist us:

  • Web hosting provider – Stores website data on secure servers
  • Email service provider – Sends transactional emails (order confirmations, shipping updates)
  • Analytics services – Provides anonymized usage statistics
  • Anti-spam service (Akismet) – Protects against comment spam (see below)

All service providers are contractually obligated to protect your data and use it only for specified purposes.

5. Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or to:

  • Protect our legal rights
  • Prevent fraud or criminal activity
  • Protect the safety of our users or the public

6. Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner, who will be required to continue protecting it under the same terms.

What We Do NOT Do:

  • We do NOT sell your personal data to third parties
  • We do NOT use your data for advertising purposes without consent
  • We do NOT share your data with marketers or data brokers

Akismet Anti-Spam Service

We use Akismet to protect our site from comment spam.

Information Collected by Akismet:

When you leave a comment, Akismet collects:

  • Commenter’s IP address
  • User agent (browser information)
  • Referrer (how you arrived at the site)
  • Site URL
  • Information you provide directly (name, username, email, comment text)

This information is sent to Akismet’s servers for spam detection analysis.

Akismet Privacy Policy: https://automattic.com/privacy/

Legal Basis: Legitimate interest in protecting our site from spam and malicious content.

Embedded Content from Other Websites

Articles or pages on this site may include embedded content (e.g., videos, images, social media posts, etc.) from other websites such as YouTube, Twitter, or Instagram.

Important: Embedded content from other websites behaves as if you visited that website directly. These third-party websites may:

  • Collect data about you
  • Use cookies
  • Embed additional third-party tracking
  • Monitor your interaction with the embedded content (especially if you’re logged into their service)

We do not control these third-party websites. Please review their privacy policies for more information.

Legal Basis: Legitimate interest in providing rich content and user experience.

How Long We Retain Your Data

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.

Data Retention Periods:

  • Inactive accounts: 3 years from last login
  • Pending orders: 3 months
  • Failed orders: 30 days
  • Cancelled orders: 1 year
  • Refunded orders: 3 years (for accounting and dispute resolution)
  • Completed orders: 7 years (required by South African tax law – minimum 5 years)
  • Contact form submissions: 6 months
  • Comments: Indefinitely (to prevent spam and allow follow-up discussions)
  • Analytics data: 1 year (anonymized)
  • Marketing consent records: Until consent is withdrawn, plus 3 years

Vendor Data Retention:

  • Active vendor accounts: Retained while account is active
  • Inactive vendor accounts: 3 years from last activity
  • Payout records: 7 years (tax compliance)
  • Product listings: Retained while vendor account is active

After these periods, data is securely deleted or anonymized.

Legal Basis: Legal compliance (tax law, consumer protection) and legitimate business interest.

What Rights You Have Over Your Data

Under South Africa’s Protection of Personal Information Act (POPIA), you have the following rights:

1. Right to Access

You can request a copy of all personal data we hold about you. We will provide this in a commonly used electronic format.

2. Right to Correction

You can request that we correct any inaccurate or incomplete personal data. You can update most information directly through your account settings.

3. Right to Deletion (Right to be Forgotten)

You can request that we delete your personal data, subject to certain exceptions:

  • We will delete: Your account, profile information, and order details (where legally permitted)
  • We must retain: Data required for legal compliance (tax records, dispute resolution) for the required retention periods

If you have an account or have left comments, you can request an exported file of your personal data or request erasure by contacting us at highground339@gmail.com.

4. Right to Object

You can object to processing of your personal data for:

  • Direct marketing purposes (opt-out anytime)
  • Legitimate interest purposes (we will stop unless we have compelling grounds)

5. Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

6. Right to Data Portability

You can request your data in a structured, machine-readable format to transfer to another service.

7. Right to Withdraw Consent

Where we process data based on consent, you can withdraw consent at any time.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your privacy rights have been violated:

Information Regulator South Africa
Website: https://inforegulator.org.za
Email: inforeg@justice.gov.za

How to Exercise Your Rights:

  • Email us: highground339@gmail.com
  • Account settings: Update most information directly in your account dashboard
  • Unsubscribe: Click unsubscribe links in marketing emails

We will respond to requests within 30 days as required by POPIA.

Where Your Data Is Sent and Stored

Data Storage Location:

Your data is stored on secure servers hosted in the Teraco Data Centre in Johannesburg, South Africa provided by our web hosting service.

International Data Transfers:

Some of our service providers may be located outside of South Africa. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Payfast by Network: Operates in South Africa under South African data protection laws
  • Other service providers: Bound by contractual agreements requiring adequate data protection standards equivalent to POPIA

Security Measures:

We use industry-standard security measures to protect your data:

  • SSL/TLS encryption for data transmission
  • Secure servers with firewall protection
  • Access controls – Only authorized personnel can access personal data
  • Regular security updates and monitoring
  • Secure payment processing through PCI-DSS compliant gateway
  • Data backup systems with encryption

However, no method of internet transmission or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

How We Protect Your Data

Technical Measures:

  • SSL/TLS encryption for all data transmitted between your browser and our servers
  • Encrypted database storage for sensitive information
  • Secure password hashing using industry-standard algorithms
  • Regular security updates and patches
  • Automated security monitoring and threat detection

Organizational Measures:

  • Access controls: Only authorized team members can access personal data
  • Staff training: Team members are trained in data protection practices
  • Confidentiality agreements: All staff and contractors sign NDAs
  • Regular security audits: Periodic review of security practices
  • Incident response plan: Procedures in place for potential data breaches

Payment Security:

  • No card storage: We do not store credit card details on our servers
  • PCI-DSS compliance: Payments processed through compliant gateway
  • Fraud detection: Monitoring systems to detect suspicious transactions

What Data Breach Procedures We Have in Place

In the event of a data breach that poses a risk to your rights and freedoms:

Our Response:

  1. Immediate containment: Stop the breach and secure systems
  2. Assessment: Determine scope, severity, and affected individuals
  3. Notification: Inform affected users within 72 hours as required by POPIA
  4. Reporting: Notify the Information Regulator if legally required
  5. Remediation: Fix vulnerabilities and prevent future breaches
  6. Documentation: Maintain records of the incident and response

What We’ll Tell You:

  • Nature of the breach
  • What data was affected
  • Potential consequences
  • Measures we’ve taken
  • Steps you should take to protect yourself

Reporting Security Issues:

If you discover a security vulnerability, please report it immediately to: highground339@gmail.com

Children’s Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are under 18, please do not:

  • Register for an account
  • Make purchases
  • Submit any personal information

If we become aware that we have collected personal data from a child under 18, we will delete it promptly.

Age Verification: By using our Platform, you confirm that you are 18 years of age or older.

Marketing Communications

How We Use Your Information for Marketing:

We may send you marketing communications about:

  • New products and vendor stores
  • Special offers and promotions
  • Platform updates and features
  • Educational content related to our products

We will only send marketing emails if:

  • You have opted in to receive them, OR
  • You are an existing customer and we are marketing similar products (with easy opt-out)

Your Marketing Preferences:

You can control marketing communications:

  • Opt-out: Click “unsubscribe” in any marketing email
  • Account settings: Manage preferences in your account dashboard
  • Contact us: Email highground339@gmail.com to update preferences

Note: You cannot opt-out of transactional emails (order confirmations, shipping updates, account notifications) as these are necessary for providing our services.

Automated Decision Making and Profiling

What We Do:

We use limited automated decision-making for:

  • Fraud detection: Analyzing transactions for suspicious patterns
  • Product recommendations: Suggesting items based on browsing history
  • Pricing and promotions: Determining eligibility for offers

What We Don’t Do:

  • We do NOT use automated decision-making that produces legal or similarly significant effects without human oversight
  • We do NOT create detailed user profiles for advertising purposes
  • We do NOT sell profiling data to third parties

Your Rights:

You have the right to:

  • Request human review of automated decisions
  • Express your point of view
  • Contest automated decisions that significantly affect you

Third-Party Links

Our website may contain links to third-party websites, plugins, and applications. Clicking these links may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy practices. When you leave our site, we encourage you to read the privacy policy of every website you visit.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Changes in applicable laws
  • New features or services
  • Feedback from users

When we make changes:

  • We will update the “Last Updated” date at the top
  • For significant changes, we will notify you by email (if you have an account) or by a prominent notice on our website
  • Your continued use of our services after changes constitutes acceptance

We encourage you to review this Privacy Policy periodically.

Your California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). Please contact us at highground339@gmail.com for information about your California privacy rights.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

High Ground Marketplace
Sole Proprietor Trading As: High Ground Marketplace
Email: highground339@gmail.com
Physical Address: 2 Summerseat Close, Gardens, Cape Town, 8001
Phone: 082 678 3313

Data Protection Officer: Not applicable (sole proprietor)

Response Time: We will respond to privacy inquiries within 30 days as required by POPIA.

Additional Information

For Vendors:

As a vendor on our platform, you are also a data controller for customer information you receive (limited order details). You must:

  • Handle data in compliance with POPIA
  • Maintain security of any data you receive
  • Not use customer data for unauthorized purposes
  • Delete data when no longer needed

Vendors are responsible for their own compliance with data protection laws regarding any customer interactions they have through our platform.

Industry Compliance:

We comply with:

  • Protection of Personal Information Act (POPIA) – South Africa
  • Electronic Communications and Transactions Act – South Africa
  • Consumer Protection Act – South Africa
  • PCI-DSS – Payment Card Industry Data Security Standard (through Payfast)

Consent

By using our website and services, you consent to our Privacy Policy and agree to its terms.

If you do not agree with this Privacy Policy, please do not use our website or services.

This Privacy Policy is effective as of 9 December 2025 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.