Store Policy

This Privacy Policy describes how your personal information is collected, used, and shared when you visit or make a purchase from www.nomihandmade.co.za (the “Site”). 

​

Personal Information We Collect 

​

When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site and information about how you interact with the Site.

 

We refer to this automatically-collected information as “Device Information”. 

​

We collect Device Information using the following technologies: 

​

- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org. 

​

- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps. 

​

- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site. 

​

Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers, Snapscan and Paypal]), email address, and phone number. We refer to this information as “Order Information”. 

​

When we talk about “Personal Information” in this Privacy Policy, we are talking both about Device Information and Order Information. 

​

How Do we use your Personal Information?

 

We use the Order Information that we collect generally to fulfil any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to: 

​

- Communicate with you; 

​

- Screen our orders for potential risk or fraud; and 

​

- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services. 

​

We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns). 

​

Sharing your Personal Information 

​

We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Wix to power our online store-.

Wix.com provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through Wix’s data storage, databases and the general Wix applications. They store your data on secure servers behind a firewall.  

 

All direct payment gateways offered by Wix.com and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

 

We also use Google Analytics to help us understand how our customers use the Site -- you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout. 

​

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful requests for information we receive, or to otherwise protect our rights. 

​

Behavioural Advertising 

​

As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work. 

​

You can opt-out of targeted advertising by using the links below: 

​

- Facebook: https://www.facebook.com/settings/?tab=ads 

​

- Google: https://www.google.com/settings/ads/anonymous 

​

- Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads 

​

Additionally, you can opt-out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at http://optout.aboutads.info/. 

​

Do not Track 

​

Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser. 

​

Your Rights 

​

If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below. 

​

Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above.

 

Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States. 

​

Data Retention 

​

When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information. 

​

Terms and Conditions of Use for the Website

​

Introduction

​

Welcome to the Website, owned and operated by the Company. These Terms and Conditions of use set out the terms that regulate the use of the Website by the user.

 

Acceptance of Terms

​

These Terms take effect as soon as you access the Website and is a binding agreement between the Company and yourself. The current version of these Terms will govern both the Company’s and your rights and obligations each time you access this Website. If you do not agree with any provision contained in these Terms, you must immediately stop using the Website. Your failure to do so, and your continued use of the Website, will mean that you have read, understood, and agree to the
provisions of these Terms.

​

Use of the Website

​

By accessing the Website, you warrant that your use of the Website is for lawful purposes, you are over 18 years of age, and you can legally conclude an agreement with the Company.

You further warrant that you will not contravene any South African or international laws by using the Website, any services offered on the Website, or any information provided to you by the Company through your use of the Website. Except as expressly authorised by these Terms, you may not use, alter, copy, distribute, or transmit any content contained on this Website.

​

Use of Information

​

The Company conducts its business in accordance with South African legislation applicable to its business. One aspect of such legal compliance relates to data protection. The Company values the privacy of your information and will protect your personal information in accordance with laws and regulations. This includes the Protection of Personal Information Act no 4 of 2013 (POPIA).

​

By using the Website, you acknowledge, agree and consent to the Company and our suppliers, or any person authorised on our behalf, using your personal information, for any purpose necessary for you to use the Website, or for the Company to render any service to you via the Website.

​

Amendment of Terms

​

The Company reserves the right to amend these Terms at any time. Whenever the Company concludes any amendments to these Terms, the amended Terms will be posted on this page, together with an indication at the bottom of the page as to the date upon which the Terms were last revised. You agree to review these Terms for any such amendments whenever you visit the Website. Should you not agree to any amendments to these Terms, you must immediately stop using the website.

​

Content of Users (If applicable)

​

There are certain areas on the Website that allow users of the Website to upload questions, data, and other information. As a user, you are responsible for the content that you upload, display, and add to the Website. The Company will not review any user content.

​

You agree not to add any user content that contains any information that is not legally permitted, you do not have a right to make available under any law, or under contractual relationships and you know is incorrect. You agree that any user content that you add to the Website does not violate any third-party rights.

​

Copyright and Intellectual Property Rights

​

For purposes of these Terms, Intellectual Property Rights means all intellectual property rights including, patents, designs, copyright, trademarks, trade secrets and know-how, applications and registrations, renewals, and extensions.

​

Unless the contrary is specified in these Terms, all content contained on the Website, or incorporated or embedded in any service offered on the Website, including software, images, text, graphics, illustrations, logos, branding, photographs, and all Intellectual Property Rights in such content, belongs exclusively to the Company. You agree that you will at no time lay claim to the Company content, and to any Intellectual Property Rights subsisting in such content.

​

Except as explicitly provided herein, nothing in these Terms shall be deemed to create a license to any Intellectual Property Rights belonging to the Company, and you agree that you will not:

​

Modify, port, translate, localise, or create derivative works of the Company content.

Decompile, disassemble, reverse engineer, or attempt to reconstruct, identify, or discover any source code, underlying ideas, underlying user interface techniques or algorithms contained or incorporated in any Company content.

​

Disclose any of the Company content.

​

Sell, lease, license, sublicense, copy, market, reproduce, transmit or distribute the Company content.

​

Knowingly take any action that would cause any of the Company content to be placed in the public domain.

​

You understand and acknowledge that you may be exposed to user content that is inaccurate, misleading, and offensive. You agree that the Company will not be liable for any damages you allege to incur because of exposure to such user content.

​

Disclaimer of Warranties and Liabilities

​

The Company does not make any warranties, statements, or guarantees, regarding the Website and any services offered on the Website. These are provided on an 'as is" basis. Use of the Website, any Company content and any service offered is entirely at your own risk.

​

The Company makes no warranties or conditions about the quality, accuracy, reliability, completeness, or timeliness of any of the foregoing. The Company does not take any responsibility for any errors, omissions or inaccuracies on the Website, the content and any service that may be offered.

​

Neither the Company nor its shareholders, directors, or employees (Indemnified Parties), shall be responsible for any loss, harm, damage, and expense which may be suffered by you or any third-party, which may be attributable to your access and use of the Website, or any information contained on or received via the Website.

​

The Indemnified Parties shall not be liable for any loss of business, data or profits, failure, or unavailability of the Website for any reason, and failure by any third-party service provider to render any service which are necessary to ensure the availability of the Website.

You hereby indemnify the Indemnified Parties against any loss, liability, harm, damage, or expense which may be suffered by you or any third-party because of or which may be attributable to any of the above.

​

Indemnity

​

In addition to the warranties and indemnities set out above, you hereby agree to hold harmless the Indemnified Parties from any claims, damages, obligations, losses, liabilities, costs or debt, and expenses arising from:

​

• Your violation of any provision of these terms.

​

• Your violation of any third party right including any Intellectual Property Right, or other property or privacy right.

​

• Any claim that the user content caused damage to a third-party.

​

External Links

​

External links may be provided for your convenience; however, the Company makes no representations whatsoever about any third-party Website or its content. Use of any external links provided is entirely at your own risk. It is your responsibility to ensure that you obtain all relevant information and that you read the privacy and security policy displayed on any third-party Website. The Company has no control over such third-party websites and will not be liable for any loss or damage that you may suffer, because of your use of third-party websites.

​

Governing Law

 

These Terms shall be governed in accordance with the laws of the Republic of South Africa, and you hereby submit to the jurisdiction of the South African courts. If any provision of these Terms is found to be unlawful, void, or for any reason unenforceable by a competent court in the Republic of South Africa, then that provision shall be severable from these Terms and shall not affect the validity and enforceability of any remaining provisions.

​

Data Breach Notification

 

Name of Information Officer: Thandie Dowery

Email Address of Information Officer: thandie(at)nomihandmade(dot)co(dot)za

Date: 1 November 2023

 

Introduction

​

The POPI Act aims to protect the rights of individuals about whom data is obtained, stored, processed, or supplied. POPIA requires that the Company takes appropriate security measures against unauthorised access, alteration, disclosure or destruction of Personal Information and data.

​

The POPIA places obligations on employees to report actual or suspected data breaches and our procedure for dealing with breaches is set out below. All employees are required to familiarise themselves with its content and comply with the provisions contained in it. Training will be provided to all employees to enable them to carry out their obligations within this Process.

​

Data Operators will be provided with a copy of this Process and will be required to notify the Company of any data breach without delay after becoming aware of the data breach. Failure to do so may result in termination of the Processing Agreement.

​

Breach of this Process will be treated as a disciplinary offence which may result in disciplinary action, including summary dismissal depending on the seriousness of the breach.

​

Changes to data protection legislation will be monitored and amendments may be required to this Process to remain compliant with legal obligations.

 

Responsibility

​

The Information Officer has overall responsibility for breach notification within the Company.

​

The Information Officer is responsible for ensuring Breach Notification Processes are adhered to by all employees and are the designated point of contact for personal data breaches.

​

The Information Officer is responsible for overseeing this Process and developing data-related Policies and Guidelines.

​

Please contact the Information Officer with any questions about this Process or the POPI Act, or if you have any concerns that this Process has not been followed.

​

The Information Officer’s contact details are set at the start of this document.

​

A Personal Data Breach

​

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information or Special Category Information transmitted, stored, or otherwise processed.

​

Examples of a data breach could include the following:

​

• Loss or theft of data or equipment on which data is stored, for example loss of a laptop or a paper file (this includes accidental loss).

​

• Inappropriate access controls allowing unauthorised use.

​

• Equipment failure.

​

• Human error (for example sending an e-mail or SMS to the wrong recipient).

​

• Unforeseen circumstances such as a fire or flood.

​

• Hacking, phishing, and other attacks where Information is obtained by deceiving whoever holds it.

​

Reporting a Data Breach

​

The Company must notify the Information Officer of a data breach where it is likely to result in a risk to the rights and freedoms of individuals.

​

 Examples of where the breach may have a significant effect includes:

​

• Potential or actual financial loss.

​

• Potential or actual loss of confidentiality.

​

• Risk to physical safety or reputation.

​

• Exposure to identity theft.

​

• The exposure of the private aspect of a person’s life becoming known by others.

​

• Potential or actual discrimination

​

If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the individuals must also be notified directly.

​

Managing and Recording the Breach

​

On being notified of personal data breach, the Information Officer will take immediate steps to establish whether a personal data breach has in fact occurred. If so, the Information Officer will take steps to:

​

• Where possible, contain the data breach.

​

• As far as possible, recover, rectify, or delete the data that has been lost, damaged, or disclosed.

​​

• Assess and record the breach in the Company’ Register.

​

• Notify the Information Regulator.

​

• Notify data subjects affected by the breach.

​

• Notify other appropriate parties to the breach.

​

• Take steps to prevent future breaches.

​

Notifying the Information Regulator

​

The Information Officer will notify the Information Regulator when a personal data breach has occurred, which is likely to result in a risk to the rights and freedoms of individuals.

​

This will be done, where possible, within 72 hours of becoming aware of the breach. If the Company is unsure of whether to report a breach, the assumption will be to report it.

​

Where the notification is not made within 72 hours of becoming aware of the breach, written reasons will be recorded as to why there was a delay in referring the matter to the Information Regulator.

​

Notifying Data Subjects

​

Where the data breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Information Officer will notify the affected individuals, the likely consequences of the data breach and the measures the Company intends to take to address the breach.

​

When determining whether it is necessary to notify individuals directly of the breach, Management will cooperate with and seek guidance from the Information Officer, the Information Regulator, and any other relevant authorities (such as the police).

​

If it would involve disproportionate effort to notify the Data Subjects directly (for example, by not having contact details of the affected individuals) then the Company will consider alternative means to make those affected aware, for example, by making a statement on the Company’s website.

​

Assessing the Breach

​

Once initial reporting procedures have been carried out, the Company will carry out all necessary investigations into the breach.

​

The Company will identify how the breach occurred and take immediate steps to stop or minimise further loss, destruction, or unauthorised disclosure of personal data. The Company will identify ways to recover correct or delete data, for example notifying our insurers or the police if the breach involves stolen hardware or data.

​

Having dealt with containing the breach, the Company will consider the risks associated with the breach. These factors will help determine whether further steps need to be taken, for example notifying the Information Regulator or Data Subjects.

​

These factors include:

​

• What type of data is involved and how sensitive it is?

​

• The volume of data affected.

​

• Who is affected by the breach?

​

• The consequences of the breach on Data Subjects and whether further issues are likely to materialise?

​

• Are there any protections in place to secure the data?

​

• What has happened to the data?

​

• What could the data tell a third-party about the Data Subject?

​

• What are the likely consequences of the personal data breach on the Company?

​

• Any other consequences which may be applicable.

​

Preventing Future Breaches

​

Once the data breach has been dealt with, the Company will consider its security processes with the aim of preventing further breaches. To do this, the Company will:

​

• Establish what security measures were in place when the breach occurred.

​

• Assess if technical or organisational measures can be implemented to prevent the breach happening again.

​

• Consider if there is adequate employee awareness of security issues.

​

• Consider whether it is necessary to conduct a privacy or data protection impact assessment.

​

• Consider whether further audits or data protection steps need to be taken.

​

• To update the Information Incident Register.

​

Reporting Data Protection Concerns

​

Prevention is always better than dealing with data protection as an after-thought. Data security concerns may arise at any time, and we would encourage you to report any concerns that you may have, to the Information Officer.

​

Reporting a Data Breach

​

If you know or suspect a personal data breach has occurred or may occur, you should:

​

• Complete a POPIA Incident / Event Notification Form, which can be obtained from the Information Officer.

​

• Email the completed form to the Information Officer.

​

Breach reporting is encouraged throughout the Company and employees are expected to seek advice from the Information Officer, if they are unsure as to whether the breach should be reported and could result in a risk to the rights and freedom of individuals.

​

Once reported, you should not take any further action in relation to the breach. The Information Officer will acknowledge receipt of the POPIA Incident / Event Notification Form and take appropriate steps to deal with the report.

​

Changes

​

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. 

​

Contact Us 

​

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e‑mail thandie(at)nomihandmade(dot)co(dot)za.