Privacy Policy

1. Responsible party

The responsible party (controller) for your personal information is:

Our Information Officer (IO) can be reached at the email address above. Any POPIA-related query or access request must be directed to the IO.

2. What personal information we collect

We collect personal information only when it is necessary to fulfil a legitimate purpose. The primary collection point is our trade vetting form (/onboarding).

2.1 Vetting form (wholesalers and contractors)

• Contact details — full name, email address, phone number (WhatsApp-capable), business address.
• Business identity — company/trading name, CIPC registration number, VAT number, B-BBEE level.
• Trade profile — persona (wholesaler / contractor / specifier / solar installer), monthly volume estimate, current brands stocked or specified, number of branches.
• Project details (for contractors) — project type, scale, timeline, whether specifying or buying, site-visit request.
• Credit information — credit application intent and trade references (collected only when explicitly requested by the applicant).
• Communication preferences — preferred contact channel (WhatsApp / call / email), best time to reach, free-text notes.

2.2 Quote basket

The quote basket (/quote) is stored entirely in your browser's localStorage. No basket data is transmitted to our servers unless you submit the vetting form or initiate a WhatsApp conversation. We do not receive or store your basket until you take a deliberate action to share it.

2.3 Website analytics and logs

Our hosting provider (Vercel) and CDN (Cloudflare) collect standard server-access logs including IP addresses and user-agent strings. These are retained by third parties under their own policies and are used only for security and performance purposes. We do not use third-party advertising or behavioural tracking cookies.

3. Lawful basis for processing

Under POPIA, we process your information on these grounds:

4. How we use your information

• Evaluate your application for a trade account or project pricing.
• Contact you via your preferred channel (WhatsApp, phone, or email) to discuss your requirements.
• Send product specifications, pricing schedules, and stock availability to approved trade accounts.
• Process credit applications with TransUnion Business or XDS if requested (P3 portal only; you will be separately notified).
• Comply with legal or regulatory requirements (e.g. SARS VAT invoicing records).

We do not sell, rent, or share your personal information with any third party for marketing purposes.

5. Third-party processors

We use the following third-party processors for limited, purpose-specific processing:

• Make.com — receives vetting form submissions via a secure webhook and routes them to Airtable. No data is persisted on Make servers beyond the single-run automation.
• Airtable — stores lead records for Mphatso's CRM workflow. Access is restricted to EBB SA team members.
• Vercel — hosts this website and processes form submissions server-side before forwarding to Make. All data in transit uses TLS 1.3.
• Cloudflare — provides CDN, DDoS protection, and bot management. Cloudflare may log IP addresses for abuse prevention; this data is not shared with us.
• Hostinger / Titan Mail — email infrastructure for mailboxes at ebb-si.co.za. Standard email server log retention applies.

6. Retention

We retain personal information only as long as necessary for the purpose for which it was collected, or as required by law.

• Vetting records — retained for 5 years after the last trade transaction (SARS requirement for VAT-registered suppliers), then securely deleted.
• Leads that do not progress to an account — retained for 12 months in Airtable, then deleted unless renewed contact occurs.
• Quote basket (localStorage) — stored in your browser only; cleared when you clear your browser data. Not stored on our servers.
• Email correspondence — retained for 3 years from the last reply, then archived or deleted.

7. Your rights under POPIA

As a data subject you have the right to:

• Access — request a copy of the personal information we hold about you.
• Correction — request that inaccurate or incomplete information be corrected.
• Deletion — request erasure of your personal information, subject to legal retention obligations.
• Objection — object to processing based on legitimate interest; we will cease processing unless we can demonstrate compelling grounds.
• Withdraw consent — withdraw any previously given consent for marketing communications at any time by emailing us.
• Complaint — lodge a complaint with the Information Regulator of South Africa if you believe we have processed your information unlawfully.

To exercise any of these rights, email our Information Officer at sales@ebb-si.co.za. We will respond within 30 days.

8. Security measures

We apply reasonable technical and organisational safeguards to protect your personal information:

• All data in transit encrypted via TLS 1.3.
• No payment card data is ever collected or stored on this site.
• Form submissions include honeypot fields and rate-limiting to prevent automated abuse.
• Airtable access restricted to named EBB SA team members; shared links are disabled.
• Environment secrets (webhook URLs, API keys) are stored in Vercel environment variables, never in the public source repository.
• Vercel deployment follows OWASP secure-headers guidelines (Content-Security-Policy, HSTS, X-Frame-Options).

9. Cookies and localStorage

This website uses the following client-side storage:

• localStorage key ebb-quote — stores your product basket as a JSON array of SKU slugs. No personal information. Persists until you clear browser data or remove it manually.
• Strictly necessary session cookies — set by Vercel and Cloudflare for routing, security, and bot-management. These do not require consent under POPIA (they are necessary for the site to function).

We do not use advertising or analytics cookies. No data is shared with Google Ads, Meta Pixel, or similar advertising networks.

10. Cross-border data transfers

Vercel, Cloudflare, Make.com, and Airtable are US-headquartered companies with global infrastructure. By submitting your information you acknowledge that it may be processed in servers located outside South Africa. Each of these processors is bound by standard contractual data-protection clauses or operates under an adequacy determination accepted by the Information Regulator.

11. Changes to this policy

We may update this policy as our services evolve or as legislation requires. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated via email to registered trade accounts at least 14 days in advance.