Data Protection & Security Policy
1. Purpose and Scope
Student Toolbox Central is committed to the highest standards of data sovereignty and security. This Data Policy supplements our Privacy Policy and Terms of Service, specifically detailing how we secure high-value data, manage retention in compliance with South African law, and handle operational risks. We operate in strict compliance with the Protection of Personal Information Act (POPIA) and the Consumer Protection Act (CPA).
2. Financial Data Security (Payouts)
We understand that providing banking information requires trust. We want to be absolutely clear about what we collect and, more importantly, what we do not collect.
2.1 EFT Coordinates (Receiving Only)
We collect EFT Payout Coordinates (Account Number, Branch Code, Account Holder Name) strictly for the purpose of sending money to sellers. These are the same details a business would put on a standard invoice to receive payment.
What we do NOT collect:
We never ask for, collect, or store Credit/Debit Card numbers (16 digits), CVV numbers, Expiry Dates, or Online Banking Passwords/PINs. We possess no data that could be used to shop online or access your bank account directly.
2.2 Purpose Limitation
Your EFT coordinates are processed solely for the execution of credit payment instructions ("push payments" — sending money to you). We do not have the legal mandate or the technical facility to run debit orders ("pull payments" — taking money from you).
2.3 Security Safeguards
Even though EFT coordinates are generally considered lower risk than credit card details, we still protect them with high-level security:
- Encryption: Financial data is encrypted at rest using industry-standard cryptographic protocols.
- Access Control: Access to these details is restricted strictly to authorized personnel involved in the payout process.
3. Contact Information & Communications
3.1 Transactional vs. Direct Marketing
We collect telephone numbers from sellers to facilitate marketplace transactions. We distinguish strictly between two types of communication:
- Operational Notifications (e.g., "Your book has been sold", "Delivery confirmed"): These are necessary for the performance of the contract and do not require separate consent.
- Direct Marketing (e.g., "List more books for a discount"): In accordance with CPA Section 11 and POPIA Section 69, we do not send unsolicited electronic marketing unless you have explicitly opted in, or you are an existing customer given a clear opportunity to opt out.
4. Protection of Minors
Given the nature of the secondary textbook market, we acknowledge that some users may be under the age of 18.
4.1 Competent Person Consent
In accordance with POPIA Sections 34 and 35, personal information of minors is only processed with the consent of a "competent person" (parent or legal guardian). By using the service as a minor, you warrant that you have obtained such consent. We reserve the right to verify age and consent at any time and may suspend accounts for which proof of "competent person" authorization cannot be provided.
5. Data Retention Policy
We do not hoard data. Our retention periods are aligned with statutory requirements:
- Transaction Records: Retained for 5 years as required by the Tax Administration Act. This includes records of payouts and sales history.
- Account Data: Retained only as long as your account is active. Upon account closure, personal identifiers are deleted or de-identified, except where retention is required by law.
- Refund Data: Retained for the duration of the statutory prescription period to resolve any disputes under the CPA.
6. Data Breach Protocols
In the unlikely event of a security compromise, we have a Cyber Incident Response Plan in place. We comply with Section 22 of POPIA and will notify:
- The Information Regulator of South Africa.
- Affected Data Subjects (you), via email, as soon as reasonably possible.
7. Contact
For any inquiries regarding data security, retention, or to exercise your rights under POPIA, please contact: