Privacy Policy

Effective Date: May 2026 Last Updated: March 19, 2026

1. Introduction

Welcome to Baby Bee Blossom's Privacy Policy. We are committed to protecting your personal information and respecting your privacy rights in accordance with South African law.

Who We Are:

• Trading Name: Baby Bee Blossom
• Legal Entity: Baby Bee Blossom (Pty) Ltd
• CIPC Registration: To be registered
• Information Officer: Miguel (Information Officer)
• Contact Email: privacy@babybeeblossom.com
• Physical Address: Unit 315 Ballito Hills, 1 Hills Avenue, Dolphin Coast, Ballito, KwaZulu-Natal, 4399, South Africa, South Africa

Our Commitment: This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA").

2. POPIA Compliance

2.1 POPIA Registration

Baby Bee Blossom is registered with the South African Information Regulator as required by POPIA.

Information Regulator Details:

• Website: https://inforegulator.org.za
• Email: inforeg@justice.gov.za
• Complaints: complaints.IR@justice.gov.za
• Phone: 012 406 4818

2.2 Processing Principles

We process your personal information in accordance with POPIA's eight principles:

1. Accountability - We are responsible for compliance
2. Processing Limitation - We process information lawfully and reasonably
3. Purpose Specification - We collect information for specific purposes
4. Further Processing Limitation - We don't use information beyond stated purposes
5. Information Quality - We keep information accurate and up to date
6. Openness - We are transparent about processing activities
7. Security Safeguards - We protect information from loss, damage, or unauthorized access
8. Data Subject Participation - You have rights over your information

3. Information We Collect

3.1 Information You Provide Directly

Account Registration:

• Full name (first and last name)
• Email address
• Password (encrypted)
• Phone number
• Date of birth (optional, for age-appropriate product recommendations)

Shipping and Billing:

• Delivery address (street, suburb, city, province, postal code)
• Billing address (if different from delivery)
• Contact phone number
• Special delivery instructions

Order Information:

• Products purchased
• Order value and payment amounts
• Discount codes used
• Order date and time

Payment Information:

• We do NOT store payment card details
• PayFast handles all payment processing
• We receive only transaction confirmations from PayFast

Communications:

• Customer support inquiries and messages
• Product reviews and ratings
• Feedback and survey responses
• Marketing preferences (opt-in/opt-out)

Optional Information:

• Baby's age or due date (for personalized recommendations)
• Product preferences and interests
• Wishlist items

3.2 Information Collected Automatically

Website Usage Data:

• IP address
• Browser type and version
• Device type (desktop, mobile, tablet)
• Operating system
• Pages visited and time spent
• Referring website
• Date and time of visit

Cookies and Tracking:

• Session cookies (required for shopping cart)
• Preference cookies (remember your settings)
• Analytics cookies (understand usage patterns)
• See Section 9 for detailed cookie information

Email Engagement:

• Email open rates
• Link clicks in emails
• Email delivery status (bounces, spam reports)

3.3 Information from Third Parties

PayFast (Payment Processor):

• Transaction success/failure status
• Transaction ID and reference number
• Payment method used (card type, not card details)

Courier Services:

• Delivery tracking information
• Delivery confirmation
• Failed delivery attempts

Social Media (if you choose to connect):

• Profile information you authorize us to access
• We currently do NOT offer social media login

3.4 Sensitive Personal Information

What is Sensitive Personal Information?

Under POPIA, sensitive personal information (also called "special personal information") includes:

• Health or medical information
• Biometric information
• Religious or philosophical beliefs
• Race or ethnic origin
• Political opinions
• Trade union membership
• Sexual orientation
• Criminal behavior or allegations

We Do NOT Collect or Use Sensitive Personal Information:

Baby Bee Blossom does not collect, use, or disclose sensitive personal information without your explicit consent, except as required by law.

If Sensitive Information Is Provided:

If you voluntarily provide sensitive personal information (e.g., in a customer support message):

• We will process it only to respond to your specific inquiry
• We will not use it for any other purpose without your explicit consent
• We will not share it with third parties
• We will delete it after resolving your inquiry (unless legally required to retain)
• We will not use it to infer characteristics about you

Baby Product Information:

While we sell baby products, information about your baby (age, preferences) is not considered sensitive personal information under POPIA:

• This information is optional and only used for product recommendations
• You can choose not to provide it
• You can delete it from your account at any time

Your Rights:

You have enhanced rights regarding sensitive personal information:

• Right to know if we process any sensitive information about you
• Right to delete sensitive information immediately upon request
• Right to withdraw consent at any time
• Right to restrict processing

4. How We Use Your Information

4.1 Lawful Basis for Processing

We process your personal information based on:

Contract Performance:

• Processing and fulfilling your orders
• Managing your account
• Providing customer support
• Processing returns and refunds

Legitimate Interest:

• Preventing fraud and securing our platform
• Improving our website and services
• Analyzing business performance
• Sending transactional communications

Consent:

• Sending marketing communications (you can opt-out anytime)
• Using cookies for analytics (you can manage cookie preferences)
• Collecting optional information (baby's age, preferences)

Legal Obligation:

• Complying with tax and accounting requirements
• Responding to law enforcement requests
• Maintaining records as required by law

4.2 Specific Uses

To Provide Services:

• Process and fulfill orders
• Arrange shipping and delivery
• Send order confirmations and tracking information
• Process payments through PayFast
• Handle returns and refunds
• Provide customer support

To Communicate:

• Respond to inquiries and support requests
• Send account-related notifications
• Notify you of order status changes
• Send password resets and security alerts
• Request product reviews (optional)

To Improve and Personalize:

• Personalize product recommendations
• Remember your preferences and settings
• Improve website functionality and user experience
• Understand customer needs and trends
• Develop new products and services

For Marketing (with consent):

• Send promotional emails about new products
• Notify you of sales and special offers
• Share parenting tips and product guides
• Announce new features and updates

For Security and Legal Compliance:

• Detect and prevent fraud
• Ensure website security
• Comply with legal obligations (tax, accounting)
• Enforce our Terms of Service
• Protect our rights and property

5. How We Share Your Information

5.1 We Share Information With:

Service Providers (Data Processors):

PayFast - Payment Processing

• Purpose: Secure payment processing
• Data Shared: Order amount, order ID, your name and email
• Location: South Africa
• Security: PCI DSS Level 1 compliant

Courier Services (TBA) - Delivery

• Purpose: Product delivery
• Data Shared: Name, delivery address, phone number, order details
• Location: South Africa
• Retention: Until delivery completed

Cloudflare - Website Infrastructure

• Purpose: Website security, performance, and CDN
• Data Shared: IP address, browser data, pages visited
• Location: Global network (with data center routing through South Africa where possible)
• Privacy Policy: https://www.cloudflare.com/privacypolicy/

Resend - Email Communications

• Purpose: Transactional and marketing emails
• Data Shared: Email address, name, email content
• Location: United States (see cross-border transfer in Section 6)
• Privacy Policy: https://resend.com/legal/privacy-policy

Supabase - Database Hosting

• Purpose: Secure database hosting
• Data Shared: All account and order information
• Location: Configurable (we use closest South African region when available)
• Security: SOC 2 Type II certified

Google Analytics - Website Analytics

• Purpose: Understand website usage and improve user experience
• Data Shared: Anonymized usage data, IP addresses (anonymized)
• Location: United States
• Your Control: You can opt-out of Google Analytics

5.2 We Do NOT Share Information For:

❌ Selling or renting your data to third parties ❌ Telemarketing or unsolicited calls ❌ Sharing with other retailers or competitors ❌ Public display of your personal information ❌ Unrelated marketing purposes

5.3 Legal Disclosure

We may disclose your information if required by law:

• In response to valid legal process (court orders, subpoenas)
• To comply with South African legal obligations
• To protect our rights, property, or safety
• To detect, prevent, or address fraud or security issues

5.4 Data Sharing for Marketing and Advertising (With Consent)

Transparency Disclosure:

With your explicit consent (opt-in), we may share certain categories of personal information with business and marketing partners for advertising and marketing purposes.

Categories of Information Shared:

When Sharing Occurs:

This sharing only occurs when:

• ✓ You have opted-in to marketing communications
• ✓ You have accepted marketing cookies via our cookie banner
• ✓ You have not enabled Global Privacy Control (GPC)
• ✓ You have not opted-out of targeted advertising

How to Opt-Out:

You can opt-out at any time:

• Click "Unsubscribe" in marketing emails
• Adjust cookie preferences in Cookie Preference Center
• Enable Global Privacy Control (GPC) in your browser
• Email unsubscribe@babybeeblossom.com

We Do NOT:

• ❌ Sell your personal information for monetary consideration
• ❌ Share your information without consent or legal basis
• ❌ Share sensitive personal information (health data, financial info, etc.)
• ❌ Share your data with data brokers or lead generation companies

POPIA Compliance:

All sharing activities comply with POPIA requirements:

• Based on your consent or legitimate interest
• Limited to necessary information only
• Subject to data processing agreements with recipients
• You can withdraw consent at any time

Timeframe:

This disclosure covers data sharing activities over the past 12 months from the date of this policy.

6. Cross-border Data Transfers

6.1 POPIA Cross-Border Requirements

Some service providers are located outside South Africa, requiring cross-border data transfers. Under POPIA Section 72, we ensure:

Adequate Protection:

• Recipients provide adequate data protection (assessed against POPIA standards)
• Contractual obligations for data protection (Standard Contractual Clauses where applicable)
• Technical and organizational security measures
• Compliance with international data protection standards (SOC 2, ISO 27001, etc.)

Transfer Mechanisms:

We rely on the following mechanisms to ensure lawful cross-border transfers:

• Standard Contractual Clauses (SCCs): Contractual agreements approved by data protection authorities
• Adequacy Decisions: Transfers to countries deemed to have adequate protection
• Your Consent: Explicit consent for specific transfers (obtained during account creation or service use)
• Necessity for Contract Performance: Transfers essential to providing services you've requested

Services Involving Cross-Border Transfer:

Resend (United States):

• Purpose: Email delivery infrastructure
• Safeguards:
  • Standard Contractual Clauses (SCCs)
  • SOC 2 Type II compliance
  • Encryption in transit (TLS 1.3)
  • Data processing agreement in place
• Transfer Mechanism: Your consent + necessity for contract performance
• Necessity: Required for reliable email delivery
• Your Consent: By using our services, you consent to this transfer

Cloudflare (Global Network):

• Purpose: Website security, performance, and CDN
• Safeguards:
  • Global network with data routing preferences
  • Enterprise-grade security (ISO 27001 certified)
  • EU-US Data Privacy Framework participant
  • Data localization options where possible
• Transfer Mechanism: Necessity for contract performance
• Data Processing: Edge processing with minimal data retention

Google Analytics (United States):

• Purpose: Website analytics
• Safeguards:
  • IP anonymization enabled
  • Data retention controls (14 months maximum)
  • Google's EU-US Data Privacy Framework certification
  • Data processing amendment in place
• Transfer Mechanism: Your consent (via cookie consent)
• Your Control: Can opt-out via browser settings, cookie preferences, or GPC

Supabase (Configurable Regions):

• Purpose: Database hosting
• Safeguards:
  • SOC 2 Type II certified
  • ISO 27001 certified
  • Data residency options (we prioritize South African or closest region)
  • Encryption at rest and in transit
• Transfer Mechanism: We minimize cross-border transfers by using regional data centers
• Data Location: Hosted in closest available region to South Africa

6.2 Your Rights Regarding Transfers

You have the right to:

• Object to cross-border transfers
• Request details about safeguards in place
• Withdraw consent (may limit service availability)

7. Data Retention

7.1 Retention Periods

We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy:

Active Accounts:

• Retained while your account is active
• Plus 3 years after last activity (for legal compliance)

Order Information:

• Retained for 7 years (tax and accounting requirements)
• Required by South African Revenue Service (SARS)

Marketing Communications:

• Retained until you unsubscribe
• Unsubscribe records retained indefinitely (to honor your preference)

Support Communications:

• Retained for 3 years after issue resolution
• For quality assurance and dispute resolution

Website Analytics:

• Aggregated data retained indefinitely (anonymized)
• Individual session data: 14 months maximum

Login History:

• Retained for 90 days (security purposes)
• Older logs automatically deleted

7.2 Deletion and Anonymization

After retention periods expire:

• Personal information is permanently deleted
• Or anonymized (removing all identifiable elements)
• Backups are overwritten within 90 days

8. Your Rights Under POPIA

8.1 Right to Access (Section 23)

You have the right to request access to your personal information we hold.

How to Request:

• Email: privacy@babybeeblossom.com
• Subject: "POPIA Access Request"
• Include: Full name, email address, account details

What You'll Receive:

• Confirmation of what information we hold
• Copy of your personal information
• Details of processing purposes
• Information about third-party recipients

Response Time: Within 30 days (may extend to 60 days for complex requests) Cost: Free for first request per year; reasonable fee for subsequent requests

8.2 Right to Correction (Section 24)

You have the right to correct or update inaccurate personal information.

How to Correct:

• Account Information: Update directly in your account settings
• Other Information: Email privacy@babybeeblossom.com

Response Time: Corrections made within 7 business days

8.3 Right to Deletion (Section 11)

You have the right to request deletion of your personal information in certain circumstances:

Valid Deletion Reasons:

• Information no longer necessary for original purpose
• You withdraw consent (where processing was consent-based)
• You object to processing and no overriding legitimate interest exists
• Processing was unlawful
• Legal obligation requires deletion

How to Request Deletion:

• Email: privacy@babybeeblossom.com
• Subject: "Account Deletion Request"

What Happens:

• Account and personal information deleted within 30 days
• Order history retained for 7 years (legal obligation)
• Data in backups overwritten within 90 days

Exceptions (We Cannot Delete):

• Information required for legal compliance (tax records, etc.)
• Information needed for pending orders or support tickets
• Information required for legal claims or disputes

8.4 Right to Object to Processing (Section 11)

You have the right to object to processing based on legitimate interest.

How to Object:

• Email: privacy@babybeeblossom.com
• Specify which processing you object to

Our Response:

• We will assess your objection
• Stop processing unless compelling legitimate grounds override your rights
• Response within 30 days

8.5 Right to Object to Direct Marketing (Section 69)

You have an absolute right to object to direct marketing at any time.

How to Opt-Out:

• Click "Unsubscribe" link in any marketing email
• Update preferences in your account settings
• Email: unsubscribe@babybeeblossom.com

Effect:

• Marketing emails stop within 7 days
• You will still receive transactional emails (order confirmations, etc.)

8.6 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used format.

How to Request:

• Email: privacy@babybeeblossom.com
• Subject: "Data Export Request"

What You'll Receive:

• JSON or CSV file with your personal information
• Includes: account details, order history, preferences, reviews
• Delivered within 30 days

8.7 Right to Complain

You have the right to lodge a complaint with the Information Regulator if you believe we have violated POPIA.

Information Regulator Contact:

• Website: https://inforegulator.org.za
• Email: complaints.IR@justice.gov.za
• Phone: 012 406 4818
• Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

We Encourage You to Contact Us First: Before filing a complaint, please contact us at privacy@babybeeblossom.com. We are committed to resolving any concerns directly.

8.8 Right to Appeal

You have the right to appeal our decision if we decline to process your POPIA rights request.

When You Can Appeal:

• We deny your access request
• We deny your deletion request
• We deny your correction request
• We deny your objection to processing
• We deny your portability request

How to Appeal:

1. Reply directly to our denial email with "APPEAL" in the subject line
2. Or email privacy@babybeeblossom.com with subject "Appeal - [Request Type]"
3. Provide additional information or justification for your request
4. Explain why you believe our denial was incorrect

Appeal Process:

• We will review your appeal within 15 business days
• We may request additional information to verify your identity or clarify your request
• We will provide a substantive response explaining our decision
• If we uphold the denial, we will provide detailed reasoning

If Appeal Is Denied: You may escalate to the Information Regulator (see Section 8.7 above).

8.9 Non-Discrimination

We Will Not Discriminate Against You:

We will not discriminate against you for exercising any of your POPIA rights, including:

• Right to access your information
• Right to correct your information
• Right to delete your information
• Right to object to processing
• Right to data portability
• Right to object to marketing

What This Means:

We will not:

• Deny you goods or services
• Charge you different prices or rates
• Provide you with a different level or quality of service
• Suggest that you will receive a different price or quality of service

Exception:

We may offer you financial incentives (discounts, promotions) in exchange for consent to certain data processing activities (e.g., marketing emails), but:

• Participation is always voluntary
• You can opt-out at any time without penalty
• The incentive is reasonably related to the value of your data

8.10 Authorized Agent Requests

You may designate an authorized agent to make POPIA rights requests on your behalf.

Authorized Agent Requirements:

Before we process a request from an authorized agent, we require:

From the Agent:

• Written authorization signed by you (the data subject)
• Proof of the agent's identity
• Valid power of attorney (if applicable)
• Contact information for verification

From You:

• We may contact you directly to verify the agent's authorization
• You may need to confirm the request via email or account login
• You may need to verify your identity separately

Why We Verify:

• To protect your privacy and prevent unauthorized access
• To comply with POPIA's security and accountability requirements
• To prevent fraud and identity theft

Processing Time:

• Authorized agent requests may take longer to process due to verification requirements
• We will respond within 60 days (extended from standard 30 days)
• We will notify the agent of any delays

Denial of Agent Request: We may deny an authorized agent request if:

• The agent cannot provide sufficient proof of authorization
• You do not confirm the agent's authority when we contact you
• We suspect fraudulent activity
• The agent has a conflict of interest

8.11 Verification Process

Identity Verification:

To protect your privacy, we must verify your identity before processing rights requests.

Information We May Request:

• Email address associated with your account
• Account username or customer ID
• Recent order number or transaction details
• Answers to security questions
• Government-issued ID (for high-sensitivity requests only)

Verification Methods:

• Email verification link sent to registered email
• Account login confirmation
• Matching personal details on file
• Two-factor authentication (if enabled)

Why We Verify:

• To prevent unauthorized access to your personal information
• To protect against identity theft and fraud
• To comply with POPIA's security requirements

Cannot Verify? If we cannot verify your identity:

• We will explain what additional information is needed
• We may limit the scope of information provided
• We may deny the request if verification is impossible
• You may appeal our decision (see Section 8.8)

9. Cookies and Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience.

9.2 Types of Cookies We Use

Strictly Necessary Cookies (Cannot be disabled):

• Session Management: Keep you logged in, remember your cart
• Security: Prevent fraud, ensure secure connections
• Load Balancing: Distribute traffic for optimal performance

Functional Cookies (Optional):

• Preferences: Remember your settings (language, region)
• Accessibility: Remember accessibility preferences

Analytics Cookies (Optional):

• Google Analytics: Understand how visitors use our site
• Performance Monitoring: Identify and fix technical issues
• IP Anonymization: Enabled (last octet of IP address removed)

Marketing Cookies (Optional, requires consent):

• Facebook Pixel: Measure ad effectiveness (if you opt-in)
• Email Tracking: Track email opens and clicks (marketing emails only)

9.3 Cookie Consent

On Your First Visit:

• Cookie consent banner appears
• You can accept all, reject optional, or customize preferences
• Strictly necessary cookies are always active

Managing Cookie Preferences:

• Use our Cookie Preference Center (link in footer)
• Update preferences anytime
• Clear cookies via browser settings

9.4 Cookie Retention

• Session cookies: Deleted when you close your browser
• Persistent cookies: Up to 12 months (varies by type)
• Analytics cookies: 14 months maximum

9.5 Third-Party Cookies

Some cookies are set by third-party services:

• Google Analytics: Analytics cookies
• PayFast: Payment session cookies (during checkout)
• Cloudflare: Security and performance cookies

9.6 Global Privacy Control (GPC) Signal

We Recognize Global Privacy Control:

Our website recognizes the Global Privacy Control (GPC) signal, which enables you to opt-out of certain uses or disclosures of your information.

What is GPC?

• GPC is a browser setting that signals your privacy preferences
• It's supported by browsers like Firefox, Brave, and DuckDuckGo
• Learn more: https://globalprivacycontrol.org/

How We Respond to GPC:

If you visit our website with GPC enabled:

• We will treat it as a request to opt-out of:
  • Data sharing with marketing partners
  • Targeted advertising based on your browsing
  • Optional analytics cookies (Google Analytics)
  • Marketing cookies (Facebook Pixel)
• The opt-out applies to the specific browser or device sending the signal
• If we can associate the device with your account, we'll apply the opt-out to your account as well

What GPC Does NOT Affect:

• Strictly necessary cookies (session, security)
• Transactional emails (order confirmations, shipping updates)
• Essential website functionality
• Processing necessary to fulfill your orders

Managing GPC:

• Enable GPC in your browser settings
• The setting applies per browser/device
• You can also manage preferences via our Cookie Preference Center

Other "Do Not Track" Signals:

Apart from GPC, we do not currently recognize other "Do Not Track" (DNT) signals sent by web browsers due to lack of industry standards for implementation.

10. Security Measures

10.1 How We Protect Your Information

We implement technical and organizational measures to protect your personal information:

Technical Security:

• Encryption in Transit: TLS 1.3 for all data transmission
• Encryption at Rest: AES-256 for stored data
• Password Hashing: Bcrypt with salt (passwords never stored in plain text)
• Secure Hosting: Supabase with SOC 2 Type II certification
• DDoS Protection: Cloudflare enterprise security

Access Controls:

• Role-based access control (RBAC)
• Principle of least privilege (staff access only what's needed)
• Two-factor authentication for admin accounts
• Audit logs of all data access

Operational Security:

• Regular security audits and vulnerability scans
• Employee training on data protection
• Incident response plan
• Secure development practices

Payment Security:

• No card storage: We never see or store your card details
• PCI DSS Compliance: PayFast is PCI DSS Level 1 certified
• Tokenization: Payment references only, no sensitive data

Important Security Disclaimer:

⚠️ No Security Measures Are Perfect:

While we implement industry-standard security measures to protect your personal information, please be aware that:

• No security system is completely impenetrable or foolproof
• We cannot guarantee "perfect security" or absolute protection against all threats
• No method of transmission over the Internet is 100% secure
• No method of electronic storage is completely secure

Your Responsibility:

We recommend that you:

• Do not use insecure channels (public Wi-Fi, unencrypted email) to send sensitive or confidential information to us
• Use strong, unique passwords for your account
• Keep your login credentials confidential
• Be vigilant against phishing attempts and suspicious communications
• Report any suspected security issues immediately

Limitation of Liability:

To the extent permitted by law, we are not liable for:

• Security breaches caused by third-party attacks beyond our reasonable control
• Unauthorized access resulting from your failure to protect your account credentials
• Information transmitted through insecure channels at your discretion
• Events arising from circumstances of force majeure

This security disclaimer does not limit your rights under POPIA or other applicable consumer protection laws.

10.2 Your Security Responsibilities

Protect Your Account:

• Choose a strong, unique password
• Don't share your password with anyone
• Log out after using shared devices
• Keep your email account secure (password reset capability)

Be Cautious of Phishing:

• We will never ask for your password via email
• Verify email sender addresses before clicking links
• Report suspicious emails to security@babybeeblossom.com

10.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

We Will:

1. Notify the Information Regulator within 72 hours (POPIA requirement)
2. Notify affected users without undue delay
3. Provide details of the breach and mitigation steps
4. Take immediate action to contain and remediate the breach

Notification Will Include:

• Nature of the breach
• Types of data affected
• Potential consequences
• Steps we're taking to address the breach
• Steps you can take to protect yourself

11. Children's Privacy

11.1 Age Restriction

Our website is intended for adults (18 years and older). We do not knowingly collect personal information from children under 18.

If You're Under 18:

• You must have parental consent to use our services
• Parent/guardian must create the account
• Parent/guardian must make purchases

11.2 Children's Information

While we sell baby products, we do NOT collect personal information about babies or children:

• Baby's age is optional and used only for product recommendations
• We do not create profiles or track children
• No targeted advertising based on children's information

11.3 If We Discover Children's Information

If we discover we have collected information from a child under 18 without proper parental consent:

• We will delete the information immediately
• We will not use or disclose the information
• We will notify the Information Regulator if required

11.4 No Sale or Sharing of Children's Data

Important Declaration:

As of the effective date of this Privacy Policy, we do not have actual knowledge that we "share" or "sell" (as those terms may be defined in applicable privacy laws) personal information of individuals under 16 years of age.

Our Commitment:

We do not:

• Sell personal information of children under 16
• Share personal information of children under 16 for marketing purposes
• Use personal information of children under 16 for targeted advertising
• Create profiles of children under 16

If a Child Account Is Discovered:

If we discover an account was created by someone under 16:

• We will immediately suspend the account
• We will contact the registered email to verify parental consent
• If parental consent cannot be verified, we will delete the account and all associated data
• We will not have shared or sold any data collected from that account

Parental Rights:

Parents or guardians who believe their child's information has been collected can:

• Contact us immediately at privacy@babybeeblossom.com
• Request immediate deletion of all child information
• Request details of what information was collected
• Request confirmation that no information was sold or shared

12. Marketing Communications

12.1 Types of Marketing

Email Marketing (Opt-In Required):

• New product announcements
• Sales and promotions
• Parenting tips and product guides
• Exclusive offers for subscribers

Transactional Emails (Cannot Opt-Out):

• Order confirmations
• Shipping notifications
• Password resets
• Account security alerts

12.2 How We Obtain Consent

We obtain consent for marketing communications:

• During Checkout: Optional checkbox (pre-unchecked)
• Account Registration: Optional checkbox (pre-unchecked)
• Newsletter Signup: Dedicated signup form

Consent Requirements:

• Clear and specific consent request
• Separate from terms and conditions
• Easy to understand language
• No pre-checked boxes

12.3 How to Opt-Out

Unsubscribe Methods:

1. Click "Unsubscribe" link in any marketing email (instant)
2. Update preferences in account settings
3. Email: unsubscribe@babybeeblossom.com
4. Contact customer support

Processing Time:

• Immediate: Unsubscribe links
• Within 7 days: Other methods

After Unsubscribing:

• You'll receive confirmation email
• Marketing emails stop within 7 days
• Transactional emails continue (order updates, etc.)
• Your preference is permanently honored

12.4 ECTA Compliance (Anti-Spam)

We comply with the Electronic Communications and Transactions Act, 2002:

• All marketing emails include unsubscribe mechanism
• We honor opt-out requests promptly
• We don't send to purchased email lists
• We maintain opt-out records indefinitely

13. Automated Decision Making

13.1 Limited Automated Processing

We use limited automated processing for:

Fraud Detection:

• Purpose: Detect potentially fraudulent orders
• How It Works: Algorithms analyze order patterns for suspicious activity
• Your Rights: You can request human review if your order is flagged

Product Recommendations:

• Purpose: Suggest relevant products
• How It Works: Algorithms based on browsing and purchase history
• Impact: No significant legal or financial effect (purely suggestive)

Email Personalization:

• Purpose: Send relevant marketing content
• How It Works: Algorithms based on preferences and past interactions
• Your Rights: You can opt-out of marketing emails anytime

13.2 No Profiling for Significant Decisions

We do NOT use automated decision-making or profiling for decisions that significantly affect you, such as:

• Credit decisions
• Insurance decisions
• Employment decisions
• Pricing decisions (all customers see same prices)

14. Changes to This Privacy Policy

14.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Changes in legal requirements
• Introduction of new services
• User feedback and improvements

14.2 Notification of Changes

Material Changes:

• We will notify you via email (if you have an account)
• Prominent notice on the website
• 30 days' notice before changes take effect
• You may withdraw consent if you disagree with changes

Minor Changes:

• Updated "Last Updated" date
• No prior notification required
• Check policy regularly for updates

14.3 Version History

We maintain a version history of this policy:

• Current version always available at /legal/privacy-policy
• Previous versions archived and available upon request
• Version number and date clearly displayed

15. Contact US

15.1 Privacy Inquiries

Information Officer:

• Name: Miguel (Information Officer)
• Email: privacy@babybeeblossom.com
• Phone: info@babybeeblossom.com
• Address: Unit 315 Ballito Hills, 1 Hills Avenue, Dolphin Coast, Ballito, KwaZulu-Natal, 4399, South Africa, South Africa

Response Times:

• General inquiries: Within 3 business days
• POPIA rights requests: Within 30 days (may extend to 60 days for complex requests)
• Urgent security concerns: Within 24 hours

15.2 Customer Support

For Non-Privacy Inquiries:

• General questions: hello@babybeeblossom.com
• Order support: orders@babybeeblossom.com
• Returns: returns@babybeeblossom.com

15.3 Information Regulator

To File a Complaint:

Information Regulator South Africa

• Website: https://inforegulator.org.za
• Email: complaints.IR@justice.gov.za
• Phone: 012 406 4818
• Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

16. Consent

By using our website, creating an account, or making a purchase, you consent to:

✓ The collection of personal information as described in this policy ✓ The use of your information for stated purposes ✓ The sharing of information with service providers as described ✓ Cross-border transfers to service providers (with safeguards) ✓ The use of cookies (subject to your cookie preferences)

You can withdraw consent at any time by:

• Deleting your account
• Contacting privacy@babybeeblossom.com
• Adjusting your privacy and cookie preferences

Last Updated: March 19, 2026 Version: 1.0