Privacy policy

POPIA  |  ECT Act  |  B2B & B2C  |  SADC Cross-Border

 

1. Who We Are and Scope of This Policy

All-Quip Industrial & Hardware CC ("All-Quip", "we", "us", "our") is a Cape Town-based B2B and B2C supplier of personal protective equipment (PPE), industrial workwear, safety footwear, and corporate and promotional products. We supply individual retail customers, SMEs, large corporates, government entities, mining and construction companies, and cross-border buyers in the SADC region.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information. It applies to:

• Individual consumers (B2C) purchasing through our Shopify online store at all-quip.co.za;

• Business customers (B2B) including procurement officers, safety managers, and company representatives placing orders on behalf of their organisations;

• Wholesale account holders accessing trade pricing through our Gorilla Wholesale platform;

• Visitors to our website, recipients of our marketing communications, and any person whose personal information we process in the course of our business;

• Employees, representatives, and contact persons of our business customers in South Africa and SADC countries.

This policy is compliant with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECT Act"), and the Consumer Protection Act 68 of 2008 ("CPA"). For SADC customers, we additionally apply the SADC Model Law on Data Protection principles and respect the data protection laws of each country we operate in.

 

2. Information Officer

POPIA requires every responsible party to appoint an Information Officer who is accountable for ensuring compliance with this Act. All-Quip's Information Officer is:

All data subject access requests (DSARs), objections, correction requests, and privacy complaints must be directed to the Information Officer at the contact details above. We respond to all requests within 30 days of receipt.

 

3. What Personal Information We Collect

We collect the minimum personal information necessary to fulfil our obligations to you and to operate our business lawfully and effectively. The categories of personal information we process are set out below, with the specific context in which each category is collected.

3.1  Individual Customers (B2C)

3.2  Business Customers (B2B) and Wholesale Account Holders

When you represent a business or act as a contact person for a corporate account, we collect personal information about you as an individual, not just about the business entity. POPIA applies to natural persons and, in some respects, to juristic persons.

3.3  Information We Do Not Collect

We do not collect and do not want to receive the following categories of personal information unless strictly necessary for a specific, disclosed purpose:

• South African ID numbers, except where required for FICA compliance on credit accounts;

• Biometric information of any kind;

• Health or medical information (we supply PPE but do not administer workplace medical surveillance);

• Religious, political, or trade union information;

• Information about minors under the age of 18 — our services are not directed at children;

• Full payment card numbers — these are processed by our payment gateway (Shopify Payments / PayFast) and are never held by All-Quip.
  

4. Lawful Basis for Processing

POPIA s11 requires that personal information be processed on at least one lawful basis. We rely on the following bases for the processing activities described in this policy:

 

5. How We Use Your Personal Information

We use your personal information only for the purposes for which it was collected or for compatible further processing. The table below maps processing activities to their purpose and lawful basis.

5.1  No Selling of Personal Information

All-Quip does not sell, rent, or exchange your personal information with third parties for their own marketing or commercial purposes. We do not permit third parties to use your personal information for their own marketing without your explicit consent.

5.2  Automated Decision-Making

We do not make decisions that have a significant legal or material impact on you solely by automated means. Our systems may generate order risk scores for fraud detection, but all flagged orders are reviewed by a human before any action is taken.

 

6. Direct Marketing

POPIA s69 strictly regulates unsolicited electronic marketing communications. All-Quip complies with these rules in full.

6.1  Consent Requirement

We will only send you marketing emails, SMS messages, or WhatsApp messages if:

• You have given us your explicit, informed, and freely-given opt-in consent at the time of providing your contact details; or

• You are an existing customer and the communication relates to products or services similar to those you have previously purchased from us (the "existing customer" exception under POPIA s69(2)) — and you have not objected to receiving such communications.

6.2  Your Rights Regarding Marketing

• You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, replying STOP to any SMS or WhatsApp message, or contacting us at privacy@all-quip.co.za.

• Opting out of marketing will not affect your ability to receive transactional communications about your orders, accounts, or requests.

• We will process opt-out requests within 5 business days. You may continue to receive communications dispatched before we process your opt-out.

6.3  B2B Marketing to Business Contacts

Where we market to business representatives (procurement managers, safety officers, etc.) under the legitimate interest basis, we will:

• Always clearly identify All-Quip as the sender;

• Make it easy to unsubscribe or object in every communication;

• Honour objections promptly and permanently;

• Only contact representatives on work contact information related to their professional role.

 

7. Cookies and Website Tracking

Our Shopify-powered website uses cookies and similar technologies. POPIA and the ECT Act require that we obtain your consent for non-essential cookies.

7.1  Types of Cookies We Use

7.2  Managing Cookies

When you visit our website, a cookie consent banner will ask you to accept or decline non-essential cookies. You can:

• Accept all cookies;

• Accept only essential cookies;

• Customise your preferences by cookie category.

You can also manage or delete cookies through your browser settings. Disabling certain cookies may affect the functionality of our website (e.g. your basket may not persist between sessions).

7.3  Analytics and Conversion Tracking

We use Google Analytics to understand how visitors use our store, which products are most viewed, where traffic comes from, and where customers drop off in the purchase process. This data is used in aggregate and is not used to personally identify you unless you are logged into your Google account. We have enabled IP anonymisation in Google Analytics to reduce the identifiability of visitor data.

 

8. Who We Share Your Personal Information With

We do not share your personal information with third parties except as described below. All third parties with whom we share personal information are required to keep it confidential, use it only for the agreed purpose, and implement appropriate security measures.

8.1  Operators and Service Providers

We use the following categories of operators (third-party processors) to deliver our services. Each operator processes your data only on our instructions:

8.2  Legal and Regulatory Disclosures

We may disclose your personal information to law enforcement, regulatory bodies, or courts where required by law, including:

• SARS — for VAT and tax compliance;

• South African Police Service or other law enforcement — where required by court order or statutory obligation;

• South African Information Regulator — in connection with POPIA compliance investigations;

• South African customs and SADC country customs authorities — for cross-border shipment clearance.

8.3  Business Transfers

If All-Quip undergoes a merger, acquisition, business sale, or restructuring, your personal information may be transferred as part of that transaction. We will notify you of any such transfer and of any material changes to the way your information is processed.

 

9. Cross-Border Transfers of Personal Information

POPIA s72 restricts the transfer of personal information outside South Africa unless adequate protection is in place. As a business with SADC customers and global technology providers, we transfer personal information across borders in the following controlled circumstances.

9.1  Transfers to Technology Service Providers

Some of our operators are based outside South Africa, including Shopify (Canada/USA), Google (USA), Meta (USA), and Klaviyo/Mailchimp (USA). These transfers are justified because:

• The receiving parties are subject to laws that provide adequate protection (EU GDPR adequacy applies to several; US-based providers operate under Shopify's and Google's published data processing agreements which include standard contractual clauses);

• The transfers are necessary for the performance of the contract between you and All-Quip (e.g. your order cannot be processed without Shopify, which stores order data on its servers); or

• We have concluded data processing agreements with these providers that impose POPIA-equivalent obligations on them.

9.2  Transfers for SADC Deliveries

When we ship to customers in SADC countries, we share your personal information (name, business name, delivery address, contact number) with our courier partners and with customs authorities in the destination country. This is necessary for the performance of your contract with us and is required by the export and import laws of both South Africa and the destination country.

 

10. Security of Your Personal Information

POPIA s19 requires us to implement appropriate technical and organisational measures to safeguard personal information. All-Quip takes this obligation seriously.

10.1  Technical Measures

• All data transmitted through our website is encrypted via TLS/HTTPS — your browser will show a padlock icon.

• Payment data is tokenised by Shopify Payments (Stripe) or PayFast. All-Quip never holds your full card number in any system.

• Our Shopify store is hosted on Shopify's SOC 2 Type II certified infrastructure.

• Account passwords are hashed and salted — we cannot see your password in plain text.

• Access to customer data in our back-end systems is restricted to authorised personnel only, using role-based access controls.

• We use two-factor authentication on all internal systems that process personal information.

10.2  Organisational Measures

• All staff with access to customer data receive privacy and data protection training.

• We have a documented data breach response plan.

• Third-party operators are vetted for security compliance before onboarding and are bound by data processing agreements.

• We maintain a record of processing activities (ROPA) as required by POPIA.

• We conduct regular reviews of our privacy practices and this policy.

10.3  Data Breach Notification

POPIA s22 requires us to notify affected data subjects and the Information Regulator if a security compromise is reasonably likely to prejudice your interests. If a breach occurs:

• We will notify the Information Regulator as soon as reasonably possible after becoming aware of the breach;

• We will notify affected data subjects in writing (by email to the address on record) as soon as reasonably possible;

• Our notification will describe the nature of the breach, the personal information involved, the measures we have taken, and what you can do to mitigate any potential harm.

Despite our best efforts, no system is completely secure. If you believe your All-Quip account has been compromised, contact us immediately at info@all-quip.co.za.

 

11. Retention of Personal Information

POPIA s14 requires that we do not keep personal information longer than necessary for the purpose for which it was collected, unless a legal obligation requires longer retention.

When personal information reaches the end of its retention period, we delete it securely (digital data) or destroy it physically (paper records). We use secure deletion methods that prevent recovery.

 

12. Your Rights as a Data Subject

POPIA s5 grants you the following enforceable rights regarding your personal information. These rights apply to both individual consumers and to natural persons acting as representatives of juristic persons (business entities).

12.1  How to Submit a Data Subject Access Request (DSAR)

To exercise any of the rights above, submit a written request to privacy@all-quip.co.za including:

• Your full name and the email address associated with your All-Quip account;

• A clear description of the right you wish to exercise and the specific information concerned;

• Proof of identity (a copy of your ID or passport — this is to protect you against fraudulent access requests);

• For requests on behalf of a business: proof of your authority to act on behalf of the company.

We will acknowledge your request within 3 business days and respond in full within 30 days. If your request is complex or we receive multiple requests, we may extend this by a further 30 days and will notify you of the extension. We will process most requests free of charge; however, POPIA permits us to charge a reasonable fee for requests that are manifestly unfounded or excessive.

 

13. Business Customer (B2B) Specific Provisions

Our B2B relationships involve processing personal information about employees, representatives, and contacts of our business customers. This section clarifies how POPIA applies in this context.

13.1  Personal Information of Company Employees

When you place a branded uniform order and provide us with a list of employee names, sizes, and departments, we use that information solely to fulfil your order. We do not add employees to our marketing lists, share their information with third parties beyond what is necessary for production and delivery, or retain it beyond the period described in Section 11.

If you are a business providing employee information to All-Quip, you represent and warrant that:

• You have the authority or consent to share those employees' personal information with us;

• Your employees have been informed (directly or through your company's privacy policy) that their details may be shared with suppliers for uniform and PPE procurement purposes;

• You will direct any employees who wish to exercise their POPIA rights regarding the information shared with All-Quip to contact privacy@all-quip.co.za.

13.2  OHS and PPE Compliance Records

Some business customers provide the names and contact details of Health & Safety Officers for the purpose of receiving SABS certification documents, ATPV test reports, and product compliance data sheets. This information is processed exclusively for OHS compliance purposes. It is not used for marketing and is retained in accordance with the timeline in Section 11.

13.3  Procurement and Credit Account Data

For businesses on credit terms, we process financial and credit information. This is processed under the legal obligation basis (FICA, VAT Act) and the contract performance basis. Credit information is not shared with any third party except for the purposes of credit verification with approved credit bureaux, where applicable, or as required by law.

13.4  Gorilla Wholesale Account Holders

Wholesale customers accessing trade pricing through All-Quip's Gorilla platform provide account details that are stored in the Gorilla app and Shopify. These details are used exclusively for pricing tier management and B2B order processing. Gorilla's privacy practices are governed by their own privacy policy, which we recommend reviewing. All-Quip's obligations to you under POPIA remain unaffected by our use of Gorilla.

 

14. Shopify Platform Privacy

Our online store is built on Shopify. As an e-commerce platform provider, Shopify processes personal information as an operator on our behalf. Shopify is itself a responsible party for certain data it processes.

Key Shopify privacy points relevant to our customers:

• Shopify is GDPR-compliant and applies equivalent safeguards globally.

• Shopify Payments (powered by Stripe) processes all card transactions — card data never passes through All-Quip's systems.

• Shopify stores order, account, and transaction data on servers primarily in North America, within the US and Canada.

• Shopify's full privacy policy is available at shopify.com/legal/privacy. All-Quip's data processing agreement with Shopify obliges them to process your data in accordance with POPIA-equivalent standards.
  

15. POPIA Eight Conditions — How All-Quip Complies

POPIA's eight conditions for lawful processing (s8–s25) represent the foundational principles of this policy. The table below summarises how All-Quip implements each condition.

16. Third-Party Links

Our website may contain links to third-party websites, including our supplier partners, certification bodies, and other industry resources. This Privacy Policy applies only to All-Quip's own operations. We are not responsible for the privacy practices of third-party websites and encourage you to read their privacy policies before sharing personal information with them.

 

17. Children's Privacy

Our website and services are not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information without appropriate parental consent, please contact info@all-quip.co.za immediately and we will take steps to delete that information promptly.

For branded uniform orders that include clothing items for minors (e.g. school uniforms, children's promotional items), the ordering business is responsible for ensuring appropriate consents are in place. All-Quip will not independently process children's sizing or personal information beyond what is strictly required to fulfil the order.

 

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in:

• South African or SADC data protection legislation;

• Our business practices, products, or technology platforms;

• Guidance from the South African Information Regulator;

• Court decisions or regulatory enforcement actions that affect our obligations.

We will notify you of material changes by:

• Posting the updated policy on our website with a new effective date;

• Sending an email notification to registered account holders where the change materially affects how we process their personal information.

We encourage you to review this policy periodically. Your continued use of our website and services after a change constitutes acceptance of the updated policy. If you do not accept a change, please stop using our services and request deletion of your account at info@all-quip.co.za.

 

19. Contact and Complaints