Privacy & POPIA
What we hold, and why.
Bling Katrien is committed to processing your personal information lawfully and respectfully, in line with the Protection of Personal Information Act (POPIA). This policy explains exactly what we hold, why, and what you can do about it.
1 · Who we are
"Bling Katrien" refers to the South African fashion atelier that operates this website (blingkatrien.com), hand-crafts the pieces sold through it, and is the responsible party for processing your personal information under POPIA.
Our atelier is in Mpumalanga, South Africa. Until we publish a physical postal address, correspondence about privacy matters can be sent to support@blingkatrien.com.
2 · What we collect
When you interact with Bling Katrien, we collect the following categories of personal information:
- Account information — name, email address, password (stored as a one-way hash; we never see the actual password)
- Order information — name, email, phone, billing and shipping addresses, the pieces you bought, the price you paid
- Payment information — the transaction ID and payment-method type (card, EFT, etc.) from PayFast, Paystack, or Ozow. We never store your card number, CVV, or banking PIN — those go directly to the payment processor and never touch our servers.
- Communication preferences — whether you've opted in to our newsletter, plus any unsubscribes
- Technical information — your IP address, browser type, the pages you visit on our site, the referring URL (which is used by our affiliate program to attribute commission)
- Optional information you choose to give us — e.g. message text in a stockist enquiry, an affiliate signup, a "Want more of this" vote on a category page
3 · Why we collect it
Each category of information is collected for a specific purpose:
- Fulfilling your order — name + address to ship the piece; email + phone for delivery notifications
- Customer service — so we can look up your order history when you write in
- Fraud prevention — IP address + transaction details so we can spot patterns that suggest a fraudulent payment
- Marketing — newsletters about new editions, restocks, and behind-the-scenes notes from the atelier (only if you've opted in; we never enrol you silently)
- Affiliate attribution — when someone clicks an affiliate's link, a cookie tags their browser for 30 days so we can credit the right person if a sale follows
- Legal compliance — tax authorities (SARS) require us to retain order records for 7 years; we keep them that long
4 · Lawful basis (POPIA section 11)
Each piece of processing has a lawful basis under POPIA:
- Contract performance — processing needed to send you the piece you bought
- Legitimate interest — fraud prevention, improving the site, basic analytics
- Consent — marketing emails, the affiliate attribution cookie, and any optional fields
- Legal obligation — tax record retention, responding to lawful requests from authorities
5 · Who we share it with
We share parts of your information with the operators we rely on to run the storefront. Each is bound by their own privacy policy and only receives the minimum they need:
- Convex — our database provider (EU region). Stores your account, orders, and addresses.
- Vercel — our hosting provider. Serves the website and processes incoming traffic.
- Resend — sends your transactional emails (order confirmations, magic sign-in links) and the newsletter if you've opted in.
- Payment processors — PayFast, Paystack, and Ozow handle the actual payment for your order. They receive your name, email, billing address, and the amount to charge.
- Couriers — receive your name, shipping address, and phone number to deliver your parcel
We do not sell your personal information to anyone, ever. We do not share your information with advertisers or other third parties for their own marketing.
6 · Cross-border data transfer
Convex operates from data centres in the European Union and Resend operates from the United States. POPIA section 72 allows these transfers because both providers have appropriate safeguards in place (GDPR-equivalent protections, contractual obligations to handle your data lawfully). All other processing happens within South Africa.
7 · How long we keep it
- Active customer account — until you delete it
- Order records (for SARS) — 7 years from the date of the order, even if you delete your account
- Newsletter subscription — until you unsubscribe (one click in the footer of any newsletter)
- Affiliate records — 7 years from the last payout (commission audit trail)
- Failed or cancelled checkouts — 90 days, then automatically purged
- Server logs (IP addresses, page views) — 30 days
8 · Your rights under POPIA
POPIA sections 23 to 25 give you the following rights over your personal information. You can exercise any of them, free of charge, by emailing support@blingkatrien.com. We'll respond within one calendar month (usually much sooner).
- Right of access — you can ask us for a copy of all the personal information we hold about you. From your account you can also click "Download my data" to get a JSON file with everything.
- Right of correction — if any of it is wrong, tell us and we'll fix it (or correct it yourself in your account)
- Right of deletion — you can ask us to delete your account and personal information. Order records that SARS requires us to keep (7 years) will remain in a restricted form, but everything else will be wiped.
- Right to object to direct marketing — you can unsubscribe from the newsletter at any time, by clicking the unsubscribe link in any newsletter or by writing to us
- Right to complain — if you're not happy with how we've handled your data, you can lodge a complaint with the Information Regulator of South Africa
9 · Cookies
Cookies are small files our website stores in your browser to keep things working. We use three kinds:
- Essential cookies — your shopping bag, sign-in session, CSRF tokens. Without these the site can't function. No consent needed.
- Functional cookies — your preferences (e.g. announcement bar dismissals). Optional.
- Attribution cookie — when you click an affiliate's link, we drop a 30-day cookie so commission attribution works if you buy. You can clear it from your browser settings at any time.
We do not currently use third-party analytics, advertising, or tracking cookies. If we add any in future, this policy will be updated and (where consent is required) we'll ask you first.
10 · Children
Bling Katrien is not designed for or marketed to children under 18. We do not knowingly collect personal information from minors. If you believe a child has provided us with information, please contact support@blingkatrien.com and we will delete it.
11 · Security
We take reasonable steps to protect your information:
- All traffic to and from our website is encrypted via HTTPS
- Passwords are stored as one-way hashes (PBKDF2-SHA256 with per-user salts and 200,000 iterations) — we don't keep the actual password anywhere
- Payment card data never touches our servers — it's collected directly by the payment processor on their own infrastructure
- Admin access is restricted, audited, and protected with hashed credentials
12 · Information Officer
Our designated Information Officer is TBC — Information Officer name. POPIA correspondence: support@blingkatrien.com.
13 · Complaints
If you'd like to lodge a complaint about how Bling Katrien has handled your personal information, you can contact the Information Regulator of South Africa:
- Email: enquiries@inforegulator.org.za
- POPIA complaints: POPIAComplaints@inforegulator.org.za
- Website: inforegulator.org.za
14 · Changes to this policy
We may update this policy from time to time — for example, if we add a new third-party service or change retention periods. When we do, we'll update the "Last updated" date at the bottom and, for material changes, email anyone with a newsletter subscription or an active account. Continued use of the storefront after a change means acceptance of the new terms.
Last updated: