Privacy Policy
Last updated: June 2026 (revised)
At CreaGo ("the Company"), we are committed to protecting the privacy and personal information of our customers. This policy explains how we collect, use, and share your data in accordance with the Protection of Personal Information Act (POPIA) and the Electronic Communications and Transactions Act (ECTA) of South Africa.
1. Information We Collect
We collect personal information to provide you with our products and services. This includes:
- Account & Profile Data: When you register via email or Social Logins (Google or Facebook), we collect your name, email address, and profile picture as provided by the authentication provider.
- Contact & Delivery Data: Your physical address, province, postal code, and contact phone number for courier delivery.
- Transaction Data: Details of the products you purchased, order totals, and payment status.
- Technical Data: Your IP address, browser type, and device information used to access our website.
2. How We Collect Data
We collect data in three ways:
- Directly from you: When you fill in forms or place an order.
- From Third Parties: When you use Google or Facebook to log in, they share your basic profile information with our database.
- Automatically: Through cookies and tracking technologies to maintain your shopping session.
3. Purpose of Processing
We process your information on the following lawful bases:
- Performance of a Contract: To process your order, verify payment, and deliver your creatine.
- Consent: When you opt in to marketing or use social login features.
- Legal Obligation: To maintain financial records for SARS and comply with South African business laws.
4. Third-Party Operators (Data Sharing)
To run a modern website, we share specific data with specialised service providers. We only share what is strictly necessary:
- Infrastructure: Supabase (Database and Authentication) hosts our data in secure, encrypted cloud environments.
- Payment Gateways: We use secure third-party payment processors including PayFast, Apple Pay, and Google Pay.
- Logistics: We share your name and address with our courier partners to facilitate delivery.
- Analytics & Advertising: We use Google Ads conversion tracking, including Enhanced Conversions, to measure the effectiveness of our advertising campaigns. When you complete a purchase or create an account, certain data you provide (such as your email address) is hashed (cryptographically scrambled into an unreadable format) before being shared with Google. This hashed data cannot be reversed to reveal your original information. It is used solely to match your interaction with a CreaGo ad to your purchase, improving our campaign measurement. You can opt out of personalised advertising at any time by visiting adssettings.google.com.
Important: We never see or store your credit card numbers, CVV, or bank login credentials. These are entered directly into the secure, PCI-DSS compliant environments of the payment gateways.
5. Payment Security
All payments are processed through secure gateways that utilise 3D Secure technology. Whether you pay via card, Instant EFT, or Digital Wallets (Apple/Google Pay), your financial data is protected by the highest industry standards. Our website only receives a "Success" or "Failure" token from these gateways to update your order status.
6. International Data Transfers
By using our website, you acknowledge that your data may be processed on servers located outside of South Africa (e.g., Supabase or Google data centres). We ensure that these providers adhere to international security standards (such as GDPR or SOC 2) that provide an equivalent level of protection to POPIA.
7. Your Rights (The Data Subject)
Under POPIA, you have the following rights:
- Right to Access: You may request a record of the personal information we hold about you.
- Right to Correction: You can update your profile or address at any time via your account dashboard.
- Right to Deletion: You may request that we delete your account and personal data (subject to legal record-keeping requirements).
- Right to Object: You may withdraw consent for marketing communications at any time.
8. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law. Specifically:
- Account data: Retained for as long as your account is active. You may request deletion at any time.
- Transaction records: Retained for a minimum of 5 years as required by SARS for tax compliance.
- Marketing data: Retained until you withdraw consent or unsubscribe.
9. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Notify the Information Regulator as required by POPIA.
- Notify affected data subjects as soon as reasonably possible.
- Take immediate steps to mitigate any harm and secure our systems.
10. Children's Privacy
Our products and services are not directed at children under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a child has provided us with personal data, we will take steps to delete such information.
11. Cookies & Tracking
We use cookies to:
- Keep you logged into your account.
- Remember items in your shopping cart.
- Secure our checkout process.
- Manage Google/Facebook login sessions.
You can manage cookie preferences through your browser settings. Disabling cookies may affect the functionality of our website.
12. Google Ads & Enhanced Conversions
We participate in Google Ads advertising and have enabled Enhanced Conversions to improve the accuracy of our conversion measurement. This feature works as follows:
- When you complete a purchase or register an account, data you have provided (such as your email address) is hashed using the SHA-256 algorithm before being transmitted to Google.
- Google uses this hashed data to determine whether your visit originated from a CreaGo advertisement, helping us understand which ads are effective.
- The hashed data is not used for any other purpose, cannot be reversed, and is processed in accordance with Google's Privacy Policy.
- This processing is conducted on the lawful basis of our legitimate interest in measuring the effectiveness of our marketing spend.
To opt out of Google's use of your data for advertising purposes, visit adssettings.google.com or install the Google Analytics opt-out browser add-on.
13. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically.
14. Contact Our Information Officer
If you have any questions regarding your data, wish to exercise your rights, or lodge a complaint, please contact our Information Officer:
- Company: CreaGo (Pty) Ltd
- Information Officer: Dorian Marx
- Email: info@getcreago.co.za
- Address: 154 Bluebell Way, Brackenfell North, Cape Town, 7560
You also have the right to lodge a complaint with the Information Regulator of South Africa:
This policy is governed by the laws of the Republic of South Africa.