WELL I AM ORGANICS IN TERMS OF THE PROVISIONS OF THE PROTECTION OF PERSONAL INFORMATION ACT, NO 4 OF 2013

1 PREAMBLE
1.1 Well I Am Organics (“the Business”) is committed to respecting client privacy and committed to protecting all personal data as required in terms of the Protection of Personal Information Act 4 of 2013 (“the Act”).
1.2 This policy, together with any terms and conditions as published on the Business’ website, set out the privacy practices for the Business.
1.3 This policy sets out how personal data collected about clients via their interactions with the Business’ online content, such as contact forms and tools, and/or provided directly by a client, is processed.
1.4 Clients will be made aware of the importance of this policy with the purpose to understand why data is being collected and what the Business does with that data because by accessing, browsing or otherwise using the Business’ website, a client is confirming that he/she has read, understood and agrees to the terms of this Privacy Policy, and therefore, agrees to the collection and use of his/her data in accordance with this statement, until further notice or update of his/her preferences.
1.5 The Business’ website and services may contain links to other independent websites which sites may ask a client to provide information to them. Such requests and information provided is not under the Business’ control, and the Business is by no means responsible for the privacy practices of those other sites. Clients will be encouraged to be aware when leaving the Business’ website to read the privacy statement of each and every website that he/she may enter thereafter.
1.6 This policy may be amended from time to time by updating the website or other documents2.

TYPE OF INFORMATION COLLECTED

2 THE FOLLOWING TYPES OF INFORMATION IS COLLECTED FROM CLIENTS:

2.1 When accessing the Business’ website and/or buying any of the products that the Business sells or any other third parties who host, maintain or support such delivery of goods, may collect personal and technical information about such clients.
2.2 The personal information collected from a client may typically include the following:
2.2.1 Full name and contact details (including date of birth, contact number, email and postal address);
2.2.2 Any phone number or email used to get in touch with the Business;
2.2.3 Information relating to a client’s identity, residential address, marital status, information about his/her family and their close associates, and such other information as may be required by prescriptive legislation;
2.2.4 A client’s financial information including but not limited to bank account information and/or credit card details where required such as where the client is paying for the products ordered on the Business’ website;
2.2.5 Details about the client’s areas of interest to enable the Business to send the client notices and marketing information about similar products.
2.3 Technical information that may be collected anonymously and will include the usage information about visits to the Business’ website (via ‘cookies’ which enables the Business’ website to gather information about clients and their preferences). The technical information collected may include:
2.3.1 Internet Protocol (IP) address used to connect the client’s device to the Internet;
2.3.2 URL click stream to and from the Business’ site (including date and time);
2.3.3 Device operating system and platform;
2.3.4 Device location data (if function is not disabled on the client’s device);
2.3.5 Browser and plugin types and versions;
2.3.6 Login usernames;
2.3.7 Time zone settings;
2.3.8 Pages and/or people/information viewed and/or searched for;
2.3.9 Time spent on certain pages and page interaction information (such as scrolling, clicks and mouse-overs);
2.3.10 Methods used to land and exit from the website and/or page;
2.3.11 Page response times;
2.3.12 Download errors;
2.4 Communication history between a client and the Business, including a record of the email, telephone and postal correspondence created when a client contacts the Business.

3 BASIS OF PROCESSING INFORMATION
3.1 The Business will only process a client’s information in pursuance of a legitimate interest.
3.2 The legal grounds under data protection legislation for processing a client’s personal data are contained in Act and are as follows:
3.2.1 It is necessary for the performance of a contract to which the client is a party, or to take steps prior to entering into a contract with the client, for the Business to deliver goods to a client;
3.2.2 The client has given his/her consent to the Business for the processing of his/her personal data for one or more specific purposes, namely:
3.2.2.1 where the client has given his/her consent to receive electronic communication by the Business; and/or
3.2.2.2 to process a client’s Special Personal Information.
3.2.3 It is necessary for the purposes of the Business’ legitimate interests, except where its interests are overridden by the interests, rights or freedoms of affected individuals (such as the client). To determine this, the Business shall consider a number of factors, such as what the client was told at the time he/she provided his/her data, what the client’s expectations are about the processing of the data, the nature of the data and the impact of the processing on the client. The Business’ legitimate interests include processing necessary information to improve and to promote its products and to better understand its clients’ interests;
3.2.4 Where needed to comply with a legal obligation;
3.2.5 Where needed to protect a client’s interests; and/or
3.2.6 Where it is needed in the public interest or for official purposes.

4 USE OF INFORMATION
4.1 The Business will hold and use personal information about clients in the following ways:
4.1.1 To fulfil its contractual and constitutional obligations to clients;
4.1.2 To share a client’s information with others where necessary to deliver the Business’ goods for the client or where acting as agent for a third party on behalf of a client;
4.1.3 To comply with its statutory and regulatory obligations, including verifying a client’s identity;
4.1.4 To communicate with a client during the course of selling and delivering its products including enquiries and requests;
4.1.5 To, for statistical purposes, enable the Business to analyse figures to help it manage its business and plan strategically for the future;
4.1.6 To track the client’s use of the Business’ products, including the client’s navigation of the Business’ website in order to improve the website performance and user experience;
4.1.7 To notify clients about the activities of the Business.

5 RETENTION AND RESTRICTION OF DATA
5.1 Clients’ personal data will be retained for as long as they remain a client of the Business unless the Business is under regulatory or statutory duties to hold a client’s data for a longer period;
5.2 Client’s personal data may be retained after they cease to be a client to the business for statistical and research purposes, subject to the condition that the Business has established appropriate safeguards against the data being used for any other purposes;
5.3 A client may ask the Business to suspend the way in which his/her information is being used, or object to the Business processing his/her data where the Business is relying on a legitimate interest ground (or those of a third party) and the client is of the opinion that it impacts on his/her fundamental right to privacy. If a client objects, the Business may demonstrate that there are compelling legitimate grounds to process the client’s information which override the client’s rights and freedoms;
5.4 Should a client wish to restrict or stop the Business from processing his/her data, this may impact on the ability of the Business to deliver its goods sold to its clients. Depending on the extent of the client’s request, the Business may be unable to continue selling the client its products;
5.5 Queries or concerns about the way in which personal data is being used by the Business, must be referred to the Business’s Information Officer.

6 SHARING OF INFORMATION
6.1 The Business may pass a client’s details to the following entities:
6.1.1 persons who carry out certain activities on behalf of the Business as part of the Business selling its products to clients;
6.1.2 payment of service providers;
6.1.3 credit reference agencies;
6.1.4 cloud computing host providers;
6.1.5 technical support service providers;
6.1.6 financial service providers;
6.1.7 business partners; and
6.1.8 sub-contractors.
6.2 The Business will also pass a client’s details where necessary to professional third party service providers.
6.3 The Business will also disclose certain personal information to third parties if the Business is under a duty to disclose or share a client’s personal data in order to comply with any legal or regulatory obligation, or to protect the rights, property, or safety of the Business and all or any of its clients.
6.4 The Business will not share a client’s information with third parties for marketing purposes without obtaining the client’s prior written consent.

7 SECURITY OF DATA
7.1 The Business is committed to ensuring that all client information is secure. Client data is held on secure servers with necessary technological and operation measures put in place to safeguard it from unauthorised access, as far as can reasonably be required for purposes of transacting with the Business. Where possible any identifiable information will be encrypted or minimised.
7.2 All information collected via the Business’ website is stored and encrypted on secure servers. The Business is continuously auditing its website’s performance and security, to prevent any risk to the website’s security and data collection. If a client has any reason to believe that the Business’ website is not performing at its best in securing client data, it is expected of the client to immediately report this to the Information Officer of the Business.

8 USERNAMES AND PASSWORDS
If a client has been given a username and password which enables him/her to access certain parts of the client’s data on the Business’ website, such client is responsible for keeping it confidential and not share such with anyone.

9 UNAUTHORISED ACCESS TO PERSONAL DATA
9.1 The data collected by the Business from clients may be stored and processed by staff who work for the Business or for one of its suppliers. Such staff may be engaged in the fulfilment of the contract and/or delivery of goods to the client. The Business has taken all the necessary steps to ensure that all client data is treated by them securely and in accordance with this policy.
9.2 The Business undertakes business and website audits which enable it to further develop its strict procedures and security features to prevent unauthorised access.
9.3 Where the personal data of a client has been accessed or acquired by any unauthorised person, the Company will notify the Regulator and the client, unless the identity of the client cannot be established.
9.4 The notification referred to in 9.3 will be made as soon as reasonably possible after the discovery of the compromise and the notification will be sent to the client in writing in accordance with the Act.

10 ACCESS TO, DELETION AND UPDATE OF INFORMATION
10.1 Clients have a right to request a copy of the personal information held by the Business about them.
10.2 Clients also have the right to request that information the Business holds about them, which may be incorrect, or which has been changed since first supplied to the Business, be updated or removed. These requests are free of charge and can be sent to the Information Officer of the Business.
10.3 A client may at any time ask the Business to delete or remove personal data where there is no good reason for the Business to keep or continuing to process it. The client also has the right to ask the Business to delete or remove his/her personal data where the client has successfully exercised his/her right to object to processing, where the client has withdrawn consent for the Business to process it, where the Business may have processed the client’s information unlawfully or where the Business is required to erase the client’s personal data to comply with a provision in law.
10.4 The Business may not always be able to comply with a client’s request to delete personal data if specific legal responsibilities or requirements prohibits the Business from doing so. This will however be communicated to the client at the time of his/her request, if applicable.

11 WITHDRAWAL OF CONSENT
11.1 A client has the right at any time to withdraw any consent given to the Business to process his/her personal information.
11.2 Withdrawal by a client of his/her consent will not affect the lawfulness of any processing of his/her personal data carried out by the Business before the withdrawal of his/her consent.
11.3 Any client who wishes to withdraw his/her consent or changes his/her consent preferences at any time may do so by contacting the Business’ Information Officer.

12 TRANSFERRING OF INFORMATION TO ANOTHER ORGANISATION
In the event that the Business processes the client’s data by automated means where the client has either provided the Business with consent to use his/her information or where the Business used the information to perform a duty in compliance with the provisions of its constitution, the client has the right to request that the Business send to him/her or to another organisation, a copy of the personal data held by the Business about him/her, for example when the client is dealing with a different service provider. Any request to move, copy, or transfer the client’s information must be in writing and addressed to the Information Officer.

13 COMPLAINTS REGARDING THE USE OF PERSONAL DATA
13.1 Should a client wish to raise a complaint on how the Business has handled or dealt with his/her personal data, such client can contact the Business’ Information Officer on: tel +27 (0) ____________ ; or on _________________
13.2 If the client is not satisfied with the Business’ response or believe that his/her personal data is not processed in accordance with the law, he/she can address a complaint to the Information Regulator on: tel +27 (0) 10 023 5207; or on inforeg@justice.gov.za.