Privacy Policy

Effective Date: 29-Jan-2026

Last Updated: 29-Jan-2026

1. Introduction

Diplomat's Dog (Pty) Ltd ("we", "us", or "our") collects, stores, and uses personal information provided by you or generated when you use our website, mobile application, or related features (collectively, the "Services"). You agree that the information you provide to us is complete and accurate.

We will never sell your personal information to unauthorised third parties. We may disclose information when required by law, such as in response to lawful requests by courts, regulators, or law enforcement agencies.

This Privacy Policy explains how we collect, use, and protect your personal information in accordance with the Protection of Personal Information Act (POPIA), the EU General Data Protection Regulation (GDPR), and the UK GDPR.

By using our Services, you agree to the practices described in this policy.

2. Information We Collect

We collect two main categories of data: Personal Information and Usage Data.

2.1 Personal Information

We collect and store limited personal information to manage your account and provide our Services. This includes:

• Name and surname

• Email address

• Account identifiers such as your device identifiers (used to securely link your refresh tokens to your device)

• Delivery and billing addresses (when required to fulfill your orders)

• Communication preferences

This information is stored securely in our databases hosted in South Africa.

2.2 Usage Data and Diagnostics

To improve performance, reliability, and security, we collect anonymized and pseudonymous usage data using Microsoft Application Insights. This may include:

• Page views, app screens, and feature usage

• Device type, browser version, or app version

• Timestamps and performance metrics

• Pseudonymous user ID for debugging purposes

• Masked IP address for internal telemetry. (Certain third-party providers such as Google Maps may process your full IP address as part of their normal operation.)

We do not record names or other directly identifiable information in telemetry or performance analytics.

However, for security and account verification purposes, we temporarily log email addresses during login events (successful and failed) to detect unauthorized access and assist with customer support.

These authentication logs are stored securely, access is restricted, and all entries are automatically deleted after a defined retention period.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide and maintain your account

• To communicate essential service updates and notifications

• To monitor, diagnose, and improve application performance

• To analyze feature usage and enhance user experience

• To process payments securely through third-party vendors

• To comply with legal obligations and maintain system security

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Legal Basis for Processing

Our lawful basis for processing personal data under POPIA and GDPR are:

• Contractual necessity: managing user accounts, authentication, payments, delivery, and service communication.

• Legitimate interest: collecting pseudonymous telemetry and diagnostics to ensure reliability and security.

• Legal obligation: for record-keeping, fraud prevention, and compliance with applicable regulations.

5. Payments

We use Peach Payments (Pty) Ltd as our secure payment processor. When you make a purchase, payment details such as your card number, billing address, and transaction information are processed directly by Peach Payments in accordance with their privacy policy, available at: https://www.peachpayments.com/legal-doc/privacy-cookie-policy

We do not store or have access to your complete payment information — only transaction references necessary for billing and reconciliation.

6. Location and Mapping Services

Our services use Google Maps Platform APIs to display maps and provide location-based features. When you use these services, certain technical data (such as IP address, map interactions, and device identifiers) may be processed by Google in accordance with the Google Privacy Policy at: https://policies.google.com/privacy. We store your precise delivery address to ensure you get your dog's food. We do not store your precise location of where you access our website or applications.

Our services use Cartrack Platform to schedule deliveries, optimize routes, and allow customers to track progress in their delivery. We may provide certain basic information to Cartrack such as name, delivery address, contact details, and delivery preferences. When using these services data may be processed in accordance with Cartrack's privacy policy at: https://www.cartrack.co.za/support-and-legal/privacy-policy.

7. Data Location and Storage

All personal and diagnostic data are stored in South Africa in Microsoft Azure data centers or on premises. Microsoft acts as our data processor under a compliant Data Processing Agreement (DPA).

All data is encrypted at rest and in transit. Access to personal information is restricted to authorized personnel only.

8. Data Retention

• Personal Data: Personal information such as your name, email address, account details, and delivery addresses is retained for as long as your account remains active. Certain information, such as delivery addresses, may be retained for up to 12 months after account closure for fraud-prevention purposes (for example, to prevent repeated sign-ups using different accounts to obtain new-customer discounts). We do not use retained delivery addresses for profiling, marketing, or any purpose other than fraud prevention and account integrity.

• Authentication Logs: Login-related logs that may contain email addresses are retained for up to 90 days for security monitoring and then automatically deleted.

• Telemetry and Diagnostic Logs:Technical logs and analytics data (excluding authentication logs) are automatically deleted within 90 days.

9. Service Providers and Third Parties

We engage trusted third-party service providers to support essential parts of our operations, including cloud hosting, delivery services, analytics, communication, and customer support tools. These vendors may process limited personal data strictly on our behalf and only under binding confidentiality and data protection agreements. They are not permitted to use your information for their own purposes, including marketing.

Certain third parties provide core functionality that requires controlled data sharing, such as:

• Payment processing: handled by Peach Payments (Pty) Ltd, who process your payment details in accordance with their privacy policy.

• Mapping and location features:provided through the Google Maps Platform APIs, which may process technical data such as IP address and map interaction details in accordance with the Google Privacy Policy. We store only your delivery address to fulfill your order and do not store your real-time device location.

• Delivery and route management:provided through Cartrack, which we use to schedule deliveries, optimize routes, and enable delivery tracking. We may share limited information such as your name, delivery address, contact details, and delivery preferences. Cartrack processes this information in accordance with their privacy policy.

Whenever we share information with third parties to perform these essential services, we do so under lawful, contractual, and technical safeguards to ensure compliance with applicable data protection laws, including POPIA, GDPR, and UK GDPR.

10. Authentication and Session Management

We use JSON Web Tokens (JWTs) and refresh tokens to maintain your authenticated session.

• Access tokens are short-lived JWTs used to verify your identity during active use. These tokens contain only essential account identifiers (such as your user ID and session claims) and do not contain sensitive personal information such as your name, email, or address.

• Refresh tokens are long-lived tokens used to securely obtain new access tokens without requiring you to log in again.

• On the web, refresh tokens are stored in HTTP-only, Secure, SameSite-protected cookies to prevent access by JavaScript and reduce interception risks.

• On mobile, refresh tokens are stored in secure OS-level encrypted storage.

Refresh tokens are tied to your account and device and are used only for authentication continuity.

You may log out at any time, which invalidates all active tokens associated with your account. Tokens may also be revoked automatically after a period of inactivity or if suspicious activity is detected.

11. Your Rights

Depending on your jurisdiction (POPIA, GDPR, UK GDPR), you have the right to:

• Access your personal information

• Correct inaccurate or incomplete information

• Request deletion ("right to be forgotten")

• Object to or restrict processing

• Request a copy of your data (data portability)

To exercise these rights, contact us at privacy@diplomatsdog.co.za

We may require reasonable verification before fulfilling your request.

12. Data Security

We apply technical and organizational measures to protect data, including:

• Encrypted data storage at rest and in transit

• Secure APIs via HTTPS

• Role-based access control

• Regular audits and least-privilege access principles

While we take all reasonable precautions, no system is entirely immune to risks. You acknowledge that use of online services carries inherent risks.

13. International Data Transfers

We do not transfer your personal information outside South Africa. If a transfer becomes necessary (for example, for support or redundancy), it will be done under GDPR-compliant safeguards such as Standard Contractual Clauses (SCCs).

We store and process personal information primarily in South Africa. Some of our third-party service providers, such as payment processors, mapping services, and delivery partners, may process certain data in their own global or regional data centers.

Whenever personal information is transferred or accessed outside South Africa, we ensure that the transfer is protected by lawful safeguards, including Standard Contractual Clauses (SCCs), appropriate data processing agreements, or equivalent protections required under GDPR, UK GDPR, and POPIA.

14. Contact Information

For any privacy-related inquiries or to exercise your rights, contact:

Data Protection Officer

Diplomat's Dog (PTY) LTD

Email: privacy@diplomatsdog.co.za

Address: 263 Vonkprop Rd. | Unit 3 - Samcor Park | Silverton - Pretoria, 0184

Phone: +27 61 049 5598

If you are a South African resident and believe your rights under POPIA have been violated, you may contact the Information Regulator (South Africa) at https://inforegulator.org.za/.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available in-app or on our website. Continued use of the Service after updates constitutes acceptance of the revised policy.