Last updated: 1 October 2025
Shop Yaga (Pty) Ltd, registration number 2018/579160/07, postal address 21st Floor, 22 Smit Street, Braamfontein, Gauteng, 2001, e-mail address support@yaga.co.za processes the data of persons who use the virtual shopping and selling platform online (https://www.yaga.co.za/) or in a mobile application (hereinafter the Platform or Yaga).
GENERAL PROVISIONS
Yaga ensures that the processing of personal data complies with personal data protection and security legislation (including the General Data Protection Regulation of the European Union ("GDPR") and the South African Protection of Personal Information Act 4 of 2013 (“POPIA”) ), any other applicable personal data protection legislation and good business practices.
Yaga considers the privacy of individuals and the protection of personal data a priority and takes all possible measures to guarantee the security and safety of the platform.
It is important that you read this Privacy Policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are fully aware of how and why we are using your personal information. This Privacy Policy supplements the other notices and is not intended to override them.
DEFINITIONS
User means a person who creates an account on the Platform or uses the services offered on the Platform.
Processing of personal data means viewing, collecting, recording, storing, modifying, transmitting or receiving personal data and other operations related to personal data.
Platform means virtual buying and selling environment offered at https://www.yaga.co.za/ and in the Yaga mobile application.
Services means the services provided by Shop Yaga through the Platform for account creation, management, mediation of purchase and sale transactions and other services described in the Terms.
Terms means the Terms and Conditions of the User Agreement which a User accepts to join the Platform.
1. How Personal Data is Collected
We use different methods to collect personal information from and about you, including through:
Direct interactions: You may share your personal information with us by using our services, or by corresponding with us through the Platform, email or otherwise. This includes personal information you provide when you:
- use our services;
- use our Platform;
- contract with us;
- provide any services to us as a service provider or independent contractor;
- request information to be sent to you;
- give us some feedback.
Automated technologies or interactions: As you interact with our Platform, we may automatically collect technical data and usage data about your equipment, browsing actions and patterns. We may collect this personal information by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other platforms employing our cookies.
Third parties: We may receive personal information about you from various third parties such as:
- delivery service providers;
- banks;
- analytics providers;
- marketing platforms;
- search information providers; and
- payment service providers.
2. Lawful Basis for Processing Personal Data
Yaga processes personal data that is necessary for the administration of the Platform, the creation of user accounts created on the Platform and the mediation of purchase and sale transactions.
Shop Yaga processes personal data under one or more legal bases for processing as found under either the GDPR or POPIA. In general, Shop Yaga will process personal data as is necessary for the performance of a contract entered into with the participation of the User, i.e. for the provision of a service or for taking measures prior to entering into a contract in accordance with the User's request. Or in some cases, where the processing of data is necessary for the purposes of legitimate interests provided that these interests are not overridden by the Users' own rights and interests.
3. Personal data collected and Reason for Processing
We collect and use your personal data to enable you to use our Platform, provide our services and perform our contract with you, and in particular to conduct business transactions, use the electronic payment system and communicate with other users through the Platform. To use these services, you need a Yaga account. For this, you need to register as a member on the Platform or Yaga’s application.
Yaga allows you to register an account using your existing Facebook, Google or Apple ID profile (only possible in the iOS application). The data received from Google, Facebook or Apple is used to set up your Yaga account. This means that we use the profile name of your Google, Facebook or Apple ID account as the profile name of your Yaga account so that it is visible to other users of the Platform.
Users can also add additional information to their profile, such as their location, social media accounts, or any other personalisation of their profile that they choose.
Most of your personal data is necessary for the performance of a contract with you. If you do not provide us with this personal data, we will not be able to enter into or perform in terms of the contract with you.
Some of your personal data is necessary to comply with our legal obligations when you become a member of our Platform. If you do not provide us with this personal data, we will not be able to comply with legal requirements or provide our services to you.
To ensure the security of the Platform, prevent fraud and the sale of counterfeit goods, we also automatically collect some data about your behaviour on the Platform. This data is also used to improve the Platform to improve the User experience.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. We may also process personal data for any other purpose that is compatible with the original purpose of collection, or where you have provided your consent.
Please contact us if you need details about the specific legal ground, we are relying on to process your personal data where more than one ground has been set out in the table below.
| Processing operation | Data category | Goal | Legal basis |
| Account creation and profile information | Google, Facebook or Apple ID, name, email address, profile photo, location with county and city accuracy |
Registering a User account on the Platform, managing a User account |
Performance of the contract |
| Contact details | First and last name, phone number | Ensuring communication with the User by providing the necessary information about the service, billing, subscriptions | Performance of the contract |
|
Data on the income generated on the Platform |
First and last name; birthdate; address; VAT number |
We forward the data to our accountants and/or SARS as is required under law. |
Compliance with legal obligations
|
| Bank account details | Bank account holder's name, account number |
Receiving payment for products sold |
Performance of the contract |
|
Data related to product delivery
|
Name, phone number, shipment tracking route |
Product delivery using shipping providers
|
Performance of the contract; Legitimate interests |
| Contracting with service providers and Sharing information with such service providers | Company information, courier details, shipping and delivery information including waybill or tracking and delivery history, payment history and preference | To integrate delivery service providers and payment gateways on the Platform | Performance of the contract; Legitimate interests |
| Transactional notifications | Email address or push notifications |
Notifications of orders and execution of the transaction or changes to our Terms or Privacy Policy or Services |
Performance of the contract |
| Messaging with other Users |
The name of the User who sent the message, the pictures sent, the date and time the message was sent, information about the device from which the message was sent, whether another User has seen the message, other information shared in the message |
Sharing information between Users to fulfil an order |
Performance of the contract; Legitimate Interests |
| Providing User support |
Name, e-mail address, profile information, Platform usage information, transaction information, content and images of messages sent to customer support, messages exchanged with other Users |
Processing of requests forwarded to the help desk |
Performance of a contract; Legitimate interest |
| User dispute resolution | Dispute-related information about the transaction and the User | Resolving disputes and complaints, ensuring the honesty and security of the service and Platform |
Legitimate interest; Fulfilment of legal obligations |
| Information about activities on the Platform | Technical information about how our services and Platform are used, including feedback provided |
To support and improve the Platform and the Services we offer |
Legitimate interest |
|
Technical data collected automatically |
Information collected by website cookies according to User preferences |
We use cookies on the Platform |
Assent |
| Data analysis, testing, system maintenance, support, reporting and hosting of data | Technical information and User information such as name, contact information and usage data that is collected automatically | Administer and protect our company and our Platform |
Legitimate interests; Legal obligation |
Your personal data may be used to aggregate and anonymise information about you and your use of the Service to create aggregate statistics that we may use to provide certain features of the Service and to promote and improve the Service based on our legitimate interests. In cases where the User and/or statistical data is anonymised, we ensure that no personal data is added (meaning that no individual can be identified) and therefore the provisions of the GDPR and/or POPIA do not apply to such processing. However, if we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this Privacy Policy.
To the extent required by the applicable data protection regulation, you have the right to object to the processing of your personal data based on legitimate interest.
Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules and where required or permitted by law.
4. Personal data collected to ensure the security of the Platform
To ensure that transactions on the Platform comply with the law and the Terms, we have the right to use technical solutions to detect fraud or prohibited activities and the sale of prohibited items on the Platform.
For advertisements of items added to the Platform, we may collect the data provided in the advertisement, including product description, images of the product.
The legal basis for such collection and use of your personal data is our legitimate interest in protecting the Platform and our Users from possible falsification.
We may share photos of advertisements or other certificates of authenticity with brand owners without your personal information to verify the authenticity of certain items.
5. Marketing activities
You can sign up for our newsletter and other marketing emails ("direct marketing"). When you register, we ask for permission to use your email address to send you direct marketing that includes the latest information about our products and services, in particular about the goods, special offers and marketing campaigns available on the Platform. If you do not give your consent during registration, you can change your mind at any time and agree to receive direct marketing by changing your account settings.
Direct marketing information collection and use is based on your consent.
6. Compliance with legal obligations
In certain cases, we need to process personal data in order to comply with legal obligations. This includes, for example:
- accounting obligations (reporting and document storage);
- responding to requests from public authorities;
- supervisory authorities of potential and fixed breaches.
In such situations, the legal basis for processing personal data is a legal obligation imposed on us.
7. Who has access to my personal data?
Access to personal data is strictly needs-based and related to the fulfilment of Yaga employees' obligations arising from the employment contract or job description. In certain cases, limited access to personal data may also be granted to partners and service providers who provide us with specific services (e.g. accounting services, IT services and delivery service providers).
8. To whom does Yaga transfer my personal data?
Yaga transfers or shares personal data with service providers only to the extent necessary and permitted in accordance with applicable laws. We may have to share your personal information with the parties set out below for the purposes set out above.
- Internal Third Parties including other entities or parties in the Yaga group and their respective directors and employees, acting as joint responsible parties or operators;
- External Third Parties including:
- Service providers and contractors providing their services to us and acting as processors of your personal data on instruction from us such as integrated delivery services and/or cloud and hosting services, IT security, maintenance and technical services, and communication services;
- South African or other national governments and/or their respective authorities pursuant to our adherence with legislative requirements; such as tax; and
- Professional advisers acting as operators or joint controllers or processors including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services as required.
- Third parties to whom we may choose to sell, transfer, or merge parts of our company or our assets. Alternatively, we may seek to acquire other organisations or merge with them. If a change happens to our company, we may continue to use your personal information in the same way as set out in this Privacy Policy.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information in accordance with our instructions and standards.
9. International Transfers
We may share and process your personal information outside of South Africa for the purpose of cloud storage, and/or to engage with software providers and contractors based outside of South Africa.
If we transfer your personal information out of South Africa, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal information to countries that have appropriate data protection legislation in place similar to that of South Africa; and/or
- Where we use service providers, we will use specific contracts/clauses which ensure personal information is processed and secured lawfully.
10. How does Yaga ensure the security of my personal information?
We have implemented information technology, organisational and physical security measures to ensure the security of personal data. Access to any personal data is strictly needs-based and workplace-based for personal data stored both physically and digitally.
Personal data is stored in a protected information system that requires logging in using a secure authentication tool, and access to personal data is regulated by user rights.
Our Platform may contain references and links to other websites, such as social media platforms, which are controlled by third parties. If you click on the relevant link or navigate to our group/profile on one of the social media platforms on your own initiative, you are located on a third-party website through which the data processing is beyond our control. Therefore, we recommend that you also familiarise yourself with the privacy policies and information regarding cookies of the respective third parties.
11. How long will my data be stored?
We will keep your personal information secure for the lifetime of your account. We will only retain personal data for as long as necessary to fulfil the purposes for which we collected it, including to comply with legal, accounting or reporting obligations or to resolve disputes.
The data required for accounting purposes are stored in accordance with applicable legislation and industry standards. Generally, at least 5 or 7 years from the end of our business relationship, respectively, but no longer than 10 years.
Information related to user account and activity on the Platform is retained until the end of the life of the account and for up to 7 years after the deletion of the account for the protection of legal interests.
Information collected through technical means such as cookies, web page counters and other analytical tools is stored for up to 3 years from the expiration of the cookie.
You can ask for more detailed information about the retention of data categories by sending a corresponding inquiry to support@yaga.co.za.
12. What are my data protection rights?
In connection with the processing of personal data by Yaga, you have the following data protection rights:
| Right | What does this mean and when can this right be exercised? |
| Right to be aware of the processing and to access the personal data being processed | You have the right to request information about whether and what personal data we process about you, on what legal basis and in what way. You also have the right to request the submission of a copy of the personal data processed about you. |
| Right to request correction of personal data | You can exercise this right if the personal data we process about you is incomplete, outdated or incorrect. |
| Right to request erasure of personal data | You can request the deletion of personal data if:· the personal data processed is no longer necessary for the purposes of the processing;· you withdraw the consent based on which the personal data is processed;· in the case of processing based on legitimate interest, your rights and interests outweigh those of Yaga; |
| Right to restrict the processing of personal data | You can request the restriction of the processing of personal data if:· you contest the accuracy of the personal data;· you object to the processing of personal data on the basis of legitimate interest;· it appears that there is no legal basis for processing personal data, but you do not want the personal data to be deleted;· you need personal data to establish, exercise or defend a legal claim. |
| Right to object | If the legal basis for processing your personal data is our legitimate interest, you have the right to object to the respective processing of personal data. You also have the right to object to any automated decision-making by us and to the processing of personal data related to direct marketing. |
| Right to portability of personal data | Where we process your personal data on the basis of consent or on the basis of a contract, you have the right to request that we provide you with the relevant personal data in a structured, commonly used and machine-readable format. If technically feasible, you also have the right to request that we transfer the personal data to another controller referred to by you. |
| Right to withdraw consent | If the legal basis for processing your personal data is consent, you have the right to withdraw such consent at any time. Please note that the withdrawal of consent does not, however, affect the lawfulness of data processing based on a prior, valid consent. |
NB! Data protection rights are not absolute, and for each request we must assess whether, and to what extent, the applicable laws and the rights of other data subjects allow us to fulfil your request.
13. What should I do if I have questions or would like to file a complaint about the processing of personal data?
If you have any questions or complaints related to the processing of personal data, please feel free to contact us via support@yaga.co.za. We respond to inquiries within one month of receiving your question or complaint. If it is not possible to respond to the application within one month, we may extend the deadline for responding by two months by notifying you of the extension of the deadline and the reason for it within one month of receipt of the application.
You have the right to make a complaint at any time to the South African regulator’s office (Information Regulator’s Office of South Africa). We would, however, appreciate the chance to deal with your concerns before you approach any such regulator, so please contact us in the first instance.
14. Is the content of the Privacy Policy subject to change in the future?
We are constantly striving to ensure that both our data processing and the related documentation are simple, clear and transparent, and comply with all legal requirements and best data protection practices. Accordingly, we regularly update and improve the Privacy Policy and notify all users of updates via the contact details provided to us or via the platform.
You can always find the most up-to-date version of the Privacy Policy on our website and platform. It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
This Privacy Policy is subject to change without notice and is updated or amended from time to time and will be effective once we upload the amended version to the Platform. Your continued access or use of our Services constitutes your acceptance of this Privacy Policy, as amended. It is your responsibility to read this document periodically to ensure you are aware of any changes.