MR. D.I.Y. (South Africa) Proprietary Limited and its affiliated companies (“MR. D.I.Y.”, “we,” “our” or “us”), respect your privacy and treat your personal information with the utmost care. This privacy policy (“Privacy Policy”) explains how we collect, use, and disclose your personal information generally through our retail operations, as well as through our website, customer support and other services (collectively referred to as “Services”), as well as any other third-party services or products that link to the Website and/or this Privacy Policy, so as to comply with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and the General Data Protection Regulation (“EU GDPR”) of the European Union, and to the extend applicable and necessary, other data protection legislation globally. 

By agreeing to this Privacy Policy by using our Website and/or Services or providing or inputting any of your personal information to us, or any other third-party services or products that link to the Website and this Privacy Policy, you consent to the processing of your personal information as set forth in this Privacy Policy.

It is important that you read this Privacy Policy together with our other terms and conditions, privacy notices or policies we may provide from time to time when we collect or use your personal information.

1. Personal information we collect

At MR. D.I.Y., we believe that you can have great products and great privacy. This means that we strive to collect only the personal information that we need. We may collect a variety of personal information, including:

• Contact information. We will need your contact information such as your name, email address and phone number in respect of paragraph 5.

• Other information you provide to us. Details such as those listed in clause 8.

You warrant that the personal information you have provided to us is accurate, current, true and correct and that does not impersonate or misrepresent any person or entity or falsely state or otherwise misrepresent your affiliation with anyone or anything.

There are four ways we collect your information with your consent:

We may collect the following personal information that you provide to us directly, including your name, contact phone number and email address.

We may collect your devices’ information automatically within the necessary scope, including location information of the device, Wi-Fi List Information, Mac address, CPU information, memory information, SD card information and operating system version.

You can also choose to change the scope of consent or withdraw your authorisation at any time. After the authorisation is withdrawn, we will no longer collect personal information related to these permissions, and we will not be able to continue to provide you with corresponding Services.

However, your decision to withdraw consent or authorisation will not affect our previous collection and use of personal information based on your authorisation. When we want to use the information for other purposes not specified in this Privacy Policy, we will ask for your prior consent.

MR. D.I.Y. uses personal information to provide our Services and to comply with applicable law. We may also use personal information for other purposes with your consent.

MR. D.I.Y. may use your personal information under the following legal bases:

• Performance of a contract: Much of our processing of personal information is to meet our contractual obligations to our users when they purchase our products through the Website, or to take steps at users’ requests in anticipation of entering into a contract with them. For example, we handle personal information on this basis to allow you to use our Services.

• Consent: Where required by law, and in some other cases, we handle personal information on the basis of your express consent.

• Legitimate interests: In many cases, we handle personal information on the ground that it furthers our legitimate interests in commercial activities in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals. These legitimate interests include but not limited to: operating our business and services; providing security for our websites, products, software, or applications; marketing; receiving payments; preventing fraud; and knowing the customer to whom we are providing services.

• Legal compliance: We need to use and disclose personal information in certain ways to comply with our legal obligations (such as our obligation to share data with tax authorities).

We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

We may use personal information and other information about you to create de-identified and/or aggregated information, such as de-identified demographic information, de-identified location information, information about the device from which you access our Services, or other analyses we create.

We may process your personal information to comply with our legal obligation in certain circumstances including but not limited to:

• To law enforcement authorities, government or public agencies or officials, regulators, and/or any other person or entity with appropriate legal authority or justification for receipt of such information, if required or permitted to do so by law or legal process;

• When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity;

• When the information is required for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, or for the enforcement of civil law claims.

The personal information that we collect from you will be processed primarily in South Africa. We retain personal information only for so long as necessary to fulfil the purposes for which it was collected, including as described in this Privacy Policy or in our service-specific privacy notices, or as required by law. We will retain your personal information for the period necessary to fulfil the purposes outlined in this Privacy Policy and our service-specific privacy summaries. When assessing retention periods, we first carefully examine whether it is necessary to retain the personal information collected and, if retention is required, work to retain the personal information for the shortest possible period permissible under applicable law.

By using the Services, you hereby give your consent to MR. D.I.Y. and their duly authorised agents to process your personal information for purposes of direct marketing by means of electronic communication regarding products, services promotions and events of MR. D.I.Y..  You may opt-out of having your personal information used by MR. D.I.Y. for direct marketing at any time by accessing the “unsubscribe” link at the bottom of each email or following other specific instructions. Once you opt out, you will no longer be notified of MR. D.I.Y. products, services, promotions and events until you subscribe again. You may still see MR. D.I.Y. ads on other platforms, but which are not displayed on the basis of your personal information collected by MR. D.I.Y..

We will not share your personal information with any company, organisation or individual other than MR. D.I.Y., except in the following cases:

a. Sharing with explicit consent: After obtaining your explicit consent, we will share your personal information with other parties.

b. Fulfilling legal obligations: We may share your personal information externally in accordance with laws and regulations or the mandatory requirements of government authorities.

c. Disclosures to protect us or others: We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal processes, such as a court order or subpoena; protect your, our, or other individuals rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

d. Disclosure in the event of merger, sale, or other asset transfers: If we are involved in a merger, acquisition, financing due diligence, reorganisation, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

e. Sharing with our affiliates: Where permitted by applicable law, we may share your personal information with our affiliates in order to provide you with MR. D.I.Y. services. We will only share necessary personal information and subject to the purposes stated in this Privacy Policy. If the affiliated company wants to change the purpose of processing personal information, it will ask for your authorisation again.

f. Sharing with authorised partners: Some of our Services will be provided by authorised partners only for the purposes stated in this Privacy Policy. We may share some of your personal information with our partners to provide better customer service and user experience. We will only share your personal information for legal, legitimate, necessary, specific and explicit purposes, and only share personal information necessary to provide services. Our partners are not authorised to use the shared personal information for any other purpose. 

We will not transfer your personal information to any company, organisation or individual unless we obtain your express consent, or when a merger, acquisition or bankruptcy liquidation is involved, if the transfer of personal information is involved, we will require a new holder of your companies and organisations with personal information continue to be bound by this Privacy Policy, otherwise we will require the company and organisation to seek your authorisation and consent again. By accessing and using our website, you consent to us transferring your personal information outside of South Africa as set out, and within the conditions prescribed in POPIA.

• Request access to your personal information

You have the right to obtain a copy of the personal information we hold about you and certain information relating to our processing of your personal information.

• Request correction of your personal information

You are entitled to have your personal information corrected if it is inaccurate or incomplete. You can update your personal information at any time by logging into your account and updating your details directly, or by emailing us at [email protected].

• Request the erasure of your personal information

This enables you to request that MR. D.I.Y. delete your personal information, where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

• Request restriction of processing of your personal information

You have a right to ask MR. D.I.Y. to suspend the processing of your personal information in certain scenarios, for example, if you want us to establish the accuracy of the data, or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. Where the processing is restricted, we are allowed to retain sufficient information about you to ensure that the restriction is respected in the future.

• Request the transfer of your personal information

You have the right to obtain a digital copy of your personal information or request the transfer of your personal information to another company. Please note though that this right only applies to automated data which you initially provided consent for us to use or where we used the data to perform a contract with you. 

• Object to processing of your personal information

You have the right to object to the processing of your personal information where we believe we have a legitimate interest in processing it (as explained above). You also have the right to object to our processing of your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.

• Withdraw your consent

You have the right to withdraw your consent to the use of your personal information. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the services.

• Request human intervention for automated decision-making and profiling

You have the right to request human intervention where we are carrying out automated decision-making when processing your personal data. This form of processing is permitted where it is necessary as part of our contract with you, providing that appropriate safeguards are in place or your explicit consent has been obtained. We will try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. We may need to request specific information from you to help us confirm your identity and ensure your right to exercise any of the above rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. 

• Right to lodge a complaint

If you have any concerns or complaints regarding the way in which we process your personal information, please email us directly at [email protected]. You also have the right to make a complaint to the Information Regulator of South Africa or any other competent authority. The contact details of the Information Regulator are available on its website at: https://justice.gov.za/inforeg/. We would, however, appreciate the chance to deal with your concerns before you approach such regulators, so please do contact us in the first instance.

If you wish to exercise any of these rights, please email us at [email protected].

Cookies are small text files that are sent to or accessed from your web browser or your computer’s hard drive. Cookies typically contain the name of the domain (internet location) from which the cookies originated, the “lifetime” of the cookies (i.e., when it expires) and a randomly generated unique number or similar identifier. Cookies also may contain information about the device used, such as user settings, browsing history, and activities conducted while using the Services. Our Services use session cookies, which are temporary files stored in your browser to enhance your experience during the session. These cookies:

• do not collect personal information;

• are deleted when you close your browser; and 

• help in providing smoother navigation and page loading

You can disable cookies through your browser settings if you wish, though this may impact your Website experience.

We take steps to ensure that your personal information is treated securely and in accordance with this Privacy Policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any personal information you provide to us. We have taken appropriate safeguards to require that your personal information will remain protected and require our third-party service providers and partners to have appropriate safeguards as well. To the fullest extent permitted by applicable law, we do not accept liability for unauthorised disclosure. By using our Website or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you. Should you disclose your personal information to any third party other than us, we shall not be liable for any loss or damage arising or suffered by you as a result of the disclosure of such personal information to any third party. This is because we do not regulate or control how that third party uses your personal information. You should always ensure that you read the privacy policy of any third party.

The Services and Website may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.

We may revise this Privacy Policy from time to time at our sole discretion. If there are any material changes to this Privacy Policy, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use our Services after the new Privacy Policy takes effect. If at any time you find either this Privacy Policy unacceptable, you must immediately cease accessing the Website and Services. Unless MR. D.I.Y. obtains your express consent, any revised Privacy Policy will apply only to information collected by MR. D.I.Y. after the revised Privacy Policy takes effect, and not to information collected under any earlier versions of the Privacy Policy.

We welcome feedback and are happy to answer any questions you may have about your personal information. You may contact us electronically at: [email protected].