Pakstoor (Pty) Ltd is the Responsible Party for personal information processed on this platform. Our practices are aligned with POPIA (Act 4 of 2013), the primary data protection law applicable to Pakstoor as a South African business. We also follow GDPR-style fair-processing standards for any cross-border users from jurisdictions where those apply.
What we collect, in plain view
Seven categories of data, each for a specific purpose. Full detail in the sections below.
Email, password hash, optional profile fields.
Listing, deal, payment status, and amounts, handled through the escrow / payment partner.
Uploaded by sellers as part of a listing or by parties as part of a dispute.
Platform messages and support exchanges, retained for safety and audit.
Verification status, trust-level inputs, and dispute history.
Login attempts and IPs for fraud checks and platform integrity.
Photos, notes, and timelines tied to a specific dispute.
Our Information Officer is registered with the Information Regulator of South Africa under registration number 2026-013758. Pakstoor is registered with the Information Regulator and has submitted its PAIA Annual Report.
Article 01 Collection
The buckets, not every field. Minimal where possible.
Name, email, mobile number (if you provide one), hashed password, profile details, communication preferences (transactional SMS toggle, marketing consent), and a record of consents and opt-outs. South African ID details where verification is required.
Listings you publish, offers made and received, completed deals, ratings, public listing Q&A, and private buyer-seller chat exchanged inside the platform. Courier waybill numbers, declared values, delivery addresses, courier-event records, payment references, and payout records held with our regulated escrow partner.
The images you upload to listings or to your profile. We process images for safety and quality: an automated optical-character-recognition (OCR) pass scans every photo for contact details (phone numbers, email addresses, links) that would push a transaction off-platform; a first-photo AI vision pass (currently using a small multi-modal model from our cloud AI partner) may help pre-fill category, title, brand, model, and condition fields where they are empty; and basic image-quality checks discourage blurry or unsuitable photos. Images may be downsized and re-encoded before storage. We do not use images for third-party advertising.
Listing Q&A and private chat may be moderated (automatically and, where necessary, by a human admin) to prevent fraud, off-platform contact-exchange, prohibited-goods activity, harassment, and abuse. Moderation does not turn message content into marketing data.
Where required for payouts or higher-risk activity, we may collect, or receive from our regulated escrow partner, the outcome of FICA-aligned identity and bank-account verification, plus risk-screening signals. We do not run our own liveness check today; identity verification reaches us as a verified/not-verified result from the escrow partner.
IP address, browser/device fingerprint, session metadata, login events, two-factor state, and fraud-risk signals. Append-only audit logs of high-risk actions (payouts, listing boosts, dispute outcomes, admin overrides).
Where a transaction enters Formal Protected Review, Courier & Insurance Review, Direct Party Resolution, or Fraud Escalation, Pakstoor may process parcel photos, waybill images, serial or IMEI images, item condition photos, chat records, timestamps, courier tracking events, IP addresses, device data, account-risk indicators, and related evidence submitted by buyers, sellers, admins, couriers, or payment partners.
Evidence should be uploaded inside Pakstoor. Do not send ID documents or Formal Protected Review evidence by email unless Pakstoor specifically instructs you to do so through an approved process.
Article 02 Purpose
We process personal information to:
We do not sell your personal information. We do not use it for third-party advertising.
Article 03 Sharing
We share personal information only as needed to run the service.
Current operators and processors include:
gpt-4o-mini) used only on the first photo a seller uploads, to pre-fill category, title, brand, model, and condition where empty; AND AI-assisted case advice generation during Protected Review investigations, where Pakstoor limits and privacy-scrubs the information sent for AI-assisted review support. AI output does not make the final decision; Pakstoor admin review remains responsible for the outcome. OpenAI processes the request as an API processor under its no-training-by-default API terms; Pakstoor does not opt in to model training on customer data. Image OCR (which scans listing and avatar images for off-platform contact details) runs on Pakstoor's own servers and is not an external sub-processor.Article 3A Communications
Security codes, courier deadlines, payout events. These messages are part of running your account.
We send transactional notifications (security codes, offer alerts, courier-collection windows, delivery confirmations, dispute notices, and payout events) by email and, where you provided a mobile number, by SMS. Sending these messages is necessary for the performance of your contract with Pakstoor. Without them you may miss security alerts, courier deadlines, and payout events.
Marketing messages, where offered, are sent only with separate opt-in consent.
Article 04 Retention
Kept while needed, no longer than the law requires.
We retain personal information for as long as it is needed for the purpose collected, and as long as required by law. Indicative periods:
You may request earlier deletion where legally permitted. Where deletion is not permitted (for example, statutory retention), we restrict further processing to the original purpose.
Article 05 Your rights
Access, correct, delete, object, or complain.
You may: access a copy of the personal information we hold about you (s. 23); correct information that is inaccurate or out of date, or request its deletion where the responsible party is no longer authorised to retain it (s. 24), subject to FICA, tax, dispute, and fraud-prevention retention; and object to specific processing on reasonable grounds relating to your situation (s. 11(3)). You may also lodge a complaint with the Information Regulator under POPIA s. 74. See our POPIA compliance page for how to exercise these rights, the eight conditions for lawful processing, and the relationship between POPIA and PAIA.
Article 06 Security
Technical & organisational measures, on the record.
Passwords are hashed with Argon2id. Session cookies are httpOnly, Secure, and SameSite=Lax. We limit access to sensitive records on least-privilege principles, keep immutable audit logs of administrative actions, encrypt data in transit (TLS 1.2+), enforce TOTP-based two-factor authentication on admin accounts, and review security controls on an ongoing basis. Data Processing Addendums (DPAs) are maintained or being put in place with selected operators who process data on Pakstoor's behalf, including Zoho.
Article 07 Cookies
A short list of strictly-necessary cookies, no advertising.
We use strictly-necessary cookies for authentication and a minimal analytics cookie for service improvement. No third-party advertising cookies are set. See our Cookie Policy for details.
Article 08 Section 22
72-hour notice to you and the Information Regulator.
Article 09 Information Officer
A single inbox for access, correction, deletion, objection, and complaints.
Email: privacy@pakstoor.co.za (preferred contact)
Regulator registration number: 2026-013758
PAIA Annual Report: Submitted for financial year 2025–26 PAIA Annual Report submitted
For complaints: Information Regulator of South Africa
Privacy Standard
We do not sell personal information and do not use it for third-party advertising. Data processed cross-border is protected consistent with section 72 of POPIA.
See also: Terms of Service · POPIA Compliance · Cookie Policy