Privacy Policy
Last updated: 21 June 2026
This Privacy Policy explains how Oppad ("we", "us") collects, uses, stores, shares and protects your personal information. It is written in line with the South African Protection of Personal Information Act, 4 of 2013 ("POPIA"). By using https://oppad.ai you confirm that you have read this policy and that you consent to the processing described below where consent is required.
1. Who we are (Responsible Party)
The Responsible Party for the personal information you provide is Oppad (Pty) Ltd, operating the Oppad Community Delivery Marketplace at https://oppad.ai.
You can contact our Information Officer at privacy@oppad.ai.
2. What personal information we collect
- Account data — name, email address, profile picture (from Google Sign-In).
- Contact data — phone number and WhatsApp number (vendors and drivers).
- Delivery data — delivery addresses and geographic coordinates of the drop-off point.
- Order data — items ordered, prices paid, tips, delivery fee, status history.
- Driver data — real-time location while on an active delivery, online/offline status, earnings.
- Device & technical data — IP address, browser type, session identifiers, cookies needed for authentication.
- Payment data — handled by the payment service provider; we never see or store full card numbers.
3. Why we collect it (purpose & lawful basis)
- Contract performance — to create your account, process orders, dispatch drivers, deliver goods, pay vendors and drivers, handle refunds.
- Legal obligation — to keep transaction records for tax and accounting law in South Africa.
- Legitimate interest — to prevent fraud, secure the platform, debug issues, and improve the service. We have weighed this interest against your rights and consider it proportionate.
- Consent — for optional marketing communications and non-essential cookies. You can withdraw consent at any time.
4. Who we share information with (Operators & third parties)
- The vendor preparing your order — your first name, order items, delivery address and your phone (if you provided one).
- The driver delivering your order — your first name, pickup and drop-off coordinates, phone (if provided).
- Payment service providers (e.g. Stripe, PayFast, Yoco, Peach) — to charge your card and refund you.
- WhatsApp / Meta Platforms — only when we send order notifications to a vendor or customer who has provided a WhatsApp number.
- Hosting & infrastructure (Operators) — Emergent (application hosting), MongoDB Atlas / equivalent (database), Cloudflare/Emergent (CDN, TLS).
- Law enforcement — only on lawful written request.
We do not sell your personal information to anyone, ever.
5. Cross-border transfers
Some of our Operators host servers outside South Africa (e.g. the European Union or the United States). Where this happens we ensure that the destination country has comparable data-protection laws, or that contractual safeguards (Standard Contractual Clauses, binding corporate rules or your express consent) are in place, as required by section 72 of POPIA.
6. How long we keep it (retention)
- Account & profile data — until you delete your account, plus 5 years where required by tax/financial law.
- Order & transaction records — 5 years (section 29 of the Tax Administration Act).
- Driver location pings — deleted from active storage 24 hours after the delivery is completed; aggregated, non-identifying analytics may be retained longer.
- Sessions / authentication tokens — auto-expire after 7 days.
7. How we protect your information (security safeguards)
- All traffic is encrypted in transit via HTTPS/TLS.
- Delivery addresses, phone numbers and WhatsApp numbers are encrypted at rest using authenticated symmetric encryption (Fernet / AES-128-CBC + HMAC).
- Strict role-based access control on every API endpoint and real-time channel.
- Independent rate-limiting and security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy).
- Background staff and contractors only access personal information on a documented need-to-know basis.
8. Your rights as a data subject
POPIA gives you the right to:
- Be notified about the collection of your personal information.
- Access a copy of the personal information we hold about you.
- Correct or delete inaccurate, out-of-date or unlawfully held information.
- Object to processing on grounds relating to your particular situation.
- Object to direct marketing.
- Lodge a complaint with the Information Regulator (see §10).
To exercise any of these rights email privacy@oppad.ai — we will respond within 30 days. We may ask you to verify your identity first.
9. Cookies & similar technologies
We use only essential cookies needed to keep you signed in (an HttpOnly session cookie) and to maintain your cart between visits (a non-personally-identifying local-storage entry containing product IDs and quantities only). We do not use third-party advertising or tracking cookies.
10. Complaints & the Information Regulator
If you believe we have processed your personal information unlawfully you can complain to the South African Information Regulator:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
POPIAComplaints@inforegulator.org.za
https://inforegulator.org.za
11. Changes to this policy
We may update this policy. Material changes will be notified via in-app banner and email (where you have provided one) at least 14 days before they take effect.