Data Privacy Policy

Grapevine has created this privacy policy in order to demonstrate our commitment to customer privacy. Because we gather important information from our customers and visitors, we have established this policy as a means to communicate our information gathering and dissemination practices.

1. Introduction

The Protection of Personal Information Act 4 of 2013 (“the Act”)serves the purpose of giving effect to the constitutional right to privacy by ensuring information is processed responsibly to prevent security breaches, theft, and discrimination. At Grapevine Interactive (Pty) Ltd (registration number: 2000/015137/07) (‘Grapevine’), we value your trust and endeavour to uphold the provisions of the Act for your protection and peace of mind. The Act sets out requirements for the processing of personal information, whichGrapevine in this policy echoes. This policy will give you insight into howGrapevine processes and protects the personal information you provide us with through your various interactions with us.

Just a few definitions to assist you in navigating the document:

“Responsible Party” is the person or entity that processes information on behalf of a Data Subject

“Data Subject” is any person that provides a Responsible Party with their personal information

“Operator” is any person who processes information of a ResponsibleParty in terms of a contract or mandate. An example of this is where aResponsible Party outsources a function of their business to a third party.Grapevine would act as the Operator in the process of rendering our services and products to our Clients.

2. What is personal information, and what personal information do we collect about you?

According to the Act, ‘ personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.

At Grapevine, we may collect, where applicable (this is not an exhaustive list):

As a Responsible Party:

For clients:

  • Identity data: name and registration number of your company or entity if you are a legal person, first name, surname and identity number if you are a natural person or the representative of a legal person
  • Contact data: address, email address, contact number
  • Financial data: bank account details
  • Transaction data: details about payments and products/services you have purchased from us
  • Details of contracts and/or sales purchases you carry out with us
  • Technical data: includes IP address, your login data,  browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Website. As well as information about your visit, including the full URLs, clickstream to, through and from our Website (including date and time), products you viewed or searched for, page response times, errors, length  of  visits  to  certain  pages,  page  interaction  information  (such  as scrolling, clicks, and mouse-overs) and methods used to browse away from the page
  • Profile data: username and password, purchases or orders made by you, preferences, feedback and survey responses
  • Usage data: information about how you use our Website, products and services.
  • Marketing and communications data: your preferences in receiving marketing from us and your communication preferences.
  • Records of correspondence or enquiries from you or anyone acting on your behalf.

For employees:

  • Identity data: your first name and surname
  • Contact data: address, email address, contact number
  • Financial data: bank account details
  • Technical data: includes IP  address,  your login data,  browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Website. As well as information about your visit, including the complete URLs, clickstream to, through and from our Website (including date and time), products you viewed or searched for, page response times, errors, length  of  visits  to  certain  pages,  page  interaction  information  (such  as scrolling, clicks, and mouse-overs) and methods used to browse away from the page
  • Profile data: username and password for any employee-related service

For third parties, where applicable (such as suppliers or potential customers):

  • Identity data: your first name and surname
  • Contact data: address, email address, contact number
  • Financial data: bank account details
  • Transaction data: details about payments and products/services you have supplied to us
  • Technical data: includes IP  address,  your login data,  browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Website. As well as information about your visit, including the full URLs, clickstream to, through and from our Website (including date and time), products you viewed or searched for, page response times, errors, length  of  visits  to  certain  pages,  page  interaction  information  (such  as scrolling, clicks, and mouse-overs) and methods used to browse away from the page
  • Usage data: information about how you use our Website, products and services.
  • Marketing and communications data: your preferences in receiving marketing from us and your communication preferences.

Where we receive and process the personal information of third parties from our customers, we do so in accordance with agreements concluded with those customers, and act as operators in this regard. This information is processed with the knowledge and authorisation of our customers, who act as the responsible parties.

As an Operator:

Please note as an Operator we process certain information on behalf of our clients to fulfil the contract entered into with our client.  As an Operator we are not liable under the Act as a Responsible Party.  However, we must protect and secure the information in terms of the Act (see paragraph 8 and 10 below).  As Operator we process the following information on behalf of our clients:

  • Identity data: first name and surname
  • Contact data: mobile number and email address
  • Financial data: bank account details supplied to the client by their data subject
  • Transaction data: details about payments and products/services that the data subjects of our clients have purchased
  • Profile data: username and password, purchases or orders made by the Date Subject, their interests, preferences, feedback and survey responses
  • Communications data: Data Subject’s preferences in receiving communications from you, as our client, and their communication data as supplied by you, as our Client, to us.

3. Acceptance of our policy


By using our product/services and website, you understand that we will collect and use your personal information as indicated in this policy.

By submitting personal information to Grapevine, you provide consent to the processing of this personal information as set out in this Policy.

You have the right to decline consent and/or if provided, to withdraw consent at any time. This will not affect the lawfulness of processing prior to the withdrawal of your consent. At any time, you can request that we stop using your personal information for direct marketing purposes.

Where we need to collect personal information under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have with you.

Please refrain from submitting any personal information to Grapevine if you do not agree to any of the provisions in this Policy. If you do not consent to the provisions of this Policy, Grapevine may not be able to provide its services and products to you.

4. How do we collect your personal information?

Direct interactions: by way of filling in forms, email or telephone correspondence, purchasing or subscribing to products/services, and via our Website.

Automated technologies or interactions: we automatically collect technical data about your equipment, browsing actions and patterns as you use our Website. We collect this personal information by using cookies and other similar technologies.

Third parties or publicly available sources: example, business partners, sub-contractors or credit reference agencies.

5. How do we use your or your Data Subject’s personal information?

Grapevine will only use your personal information when the law allows us to. We will most likely use your personal information in the following circumstances:

  • Where we need to perform the contract, we are about to enter into or have entered into with you
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we need to comply with a legal or regulatory obligation

6. How and why do we process your or your Data Subject’s personal information?

  • To register you as a new customer
  • To employ you as an employee of Grapevine and to enable us to fulfil our function as an employer
  • To process and deliver in terms of our Agreement, including processing your Data Subjects information as an Operator, manage payments, fees and charges
  • To provide you with the services, products or offerings you have requested, and notifying you about important changes to these services, products or offerings
  • To collect and recover money owed to us
  • To manage our relationship with you, as a client which will include: notifying you about changes to our terms or privacy policy and asking you to leave a review or take a survey
  • To administer  and  protect our  business  and the Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • To deliver relevant website content to you and measure or understand the effectiveness of the advertising we serve to you
  • To use   data   analytics   to improve our Website, products/services, marketing, customer relationships and experiences
  • To make  suggestions  and recommendations to  you about goods or services that may be of interest to you
  • To assess and deal with complaints
  • To comply with operational, marketing, auditing, legal and record keeping requirements
  • To comply with applicable laws, including lawful requests for information received from law enforcement, government and/or tax collection agencies
  • To monitor, keep record of and have access to all forms of correspondence between any Grapevine employees and contractors

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason. We may process your personal information without your knowledge or consent in compliance with the Act, where this is required by law.

7. Marketing

We will provide you with choices regarding certain personal information uses, particularly around marketing and advertising. You will receive marketing communications from us if you have requested information from us or purchased services from us. You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or where you opt out of receiving these marketing messages, this will not apply to personal information provided to us as a result of a product/service purchase, product/service experience or other transactions.

You may set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Website may become inaccessible or not function properly.

8. Disclosure of personal information

We will not sell personal information and no personal information will be disclosed to anyone except as provided in this policy. We may disclose your personal information if required by a subpoena or court order; or to comply with any law or regulation.

We may share your personal information:

  • with other related companies in terms of our Agreement with you, as our Client
  • with our service providers under contract, as permitted by law
  • with credit bureaus to report account information, as permitted by law
  • with social media platforms  when  you  use  tools  or  functionality  on  our Website provided  by  those  platforms  (such  as  “recommend”  or  “share” buttons); and
  • with marketing partners where you register for events, webinars or other related events
  • with public or government authorities to follow applicable law or to respond to legal  process  (like  a  subpoena).  We  also  may  share  your  personal information  when  there  are  threats  to  the  physical  safety  of  any  person, violations of this policy or other agreements, or to protect the legal rights  of  third  parties,  including  our  employees,  users,  or  the  public  as required by law
  • for business transactions like a merger, or sale of our assets, or as part of the due diligence  for  such  contemplated transactions.  If  a  corporate transaction occurs, we will provide notification of any changes to control of your personal information, as well as choices you may have
  • with your consent. For example,  when we post user testimonials that may identify you or for a third party application that may be of use to you and
  • with your employer or organisation where you create an account or user role with an  email  address  assigned  to  you  as  an  employee,  contractor  or member of an organisation, that organisation may find your account and take specific actions that may affect your account
  • We may  need  to  disclose  personal  information  to  our  employees  that  require  the personal information to do their jobs. These include our responsible management, human resources,  accounting,  audit,  compliance,  information  technology,  or  other personnel. Any of our employees or personnel that handle your personal information will have signed non-disclosure and confidentiality agreements

We may transfer your information to other Grapevine Group entities, agents, sub-contractors or third parties who operates in other countries, including countries which may not have the same data privacy laws as South Africa. We will ensure that, if we are required to do so, we will only do so as permitted under the Act.

9. International transfers

We may transfer personal information outside South Africa to be stored on servers located outside South Africa.

10. How secure is our data?

We have put into place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed, such as password protection, two-factor authentication, device control policies and other stringent security measures.

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who needs access for specific business reasons. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

All employees are bound by employment contracts with strict non-disclosure and confidentiality clauses. Access to the Grapevine network is restricted via an authorisation and permissions matrix, only staff who has valid business reasons to access client information is authorised and able to access specific data. Furthermore, our staff is subject to mandatory POPIA compliance training upon employment at Grapevine, and annually thereafter.

We have put in place procedures to deal with any suspected personal information breach and  will notify you and any applicable regulator of a breach where we are legally required to do so. We execute regular penetration tests using third-party software to test and indicate our technical defences’ strength continually. Furthermore, we conduct comprehensive audits and reviews of our data security measures and data processing activities at regular intervals, at least once per year, or more frequently in response to significant changes in our processing activities or data security threats. Based on the audit findings, we regularly update our security measures and data protection policies to address any identified changes or deficiencies and to incorporate best practices and technological advancements.

Due to the inherent risks associated with Internet data transmission and storage, we cannot absolutely guarantee that information, during its transmission over the Internet or while stored on our systems, is completely secure from intrusion by third parties. While we employ robust measures to safeguard your personal information, no security system is entirely impervious to breaches, and the transmission of personal data is at your own risk. It is best practice and in line with POPIA requirements to take appropriate precautions and implement your own security measures to prevent interception of data transmitted over networks and to restrict access to databases and other storage points utilized.

11. How long will we use your personal information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal  information,  we  consider  the  amount,  nature,  and  sensitivity  of  the personal Information, the potential risk of harm from unauthorised use or disclosure of  your  personal  information,  the  purposes  for  which  we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

12. What are your legal rights?

Under certain circumstances you are entitled to:

  • Request access to your Personal Information
  • Request correction of your Personal Information
  • Request erasure of your Personal Information
  • Object to processing of your Personal Information
  • Request restriction of processing your Personal Information
  • Request transfer of your Personal Information
  • Withdraw consent
  • Not be subjected to automated decision-making

13. Promotion of Access to Information Act 2 of 2000 (“PAIA”)

PAIA gives you the right to access information that is required to exercise or protect your rights. In terms of PAIA, before access to the information requested by persons is granted, specific requirements have to be met. PAIA also requires private bodies such as Grapevine to compile a manual designed to assist persons who want to exercise their right to access information.  You or third parties may also request access to your personal information held by Grapevine.

PAIA regulates and sets out the procedure for such a request and under what circumstances such access may be refused. These documents are available on our website, here, or alternatively please contact us should you require our PAIA manual, the prescribed request form (Form C – also available on our website) and/or information on applicable fees payable for access to this information.

14. Your duty to keep your personal information with us updated

This  policy  was  last  updated  on  26 June 2024. The personal information we hold about you must be accurate and current.  Please keep us updated if your information changes during your relationship with us.

15. Changes to this Policy

When we make essential changes to this Policy, the revised Policy will be available on our website or we may notify you via email. It is your responsibility to check the website often and to ensure you are familiar with the revised Policy, and your continued use of our products and services following the amendments means that you accept Grapevine’s updated Privacy Policy.

16. Cookies

At Grapevine, we use first-party and third-party cookies to enhance the user experience of our website and for research and analysis purposes. The cookies stored on our website do not contain any of your personal information. The data collected by the cookies, which cannot be linked back to you, is used to ensure that your experience of our website is seamless and relevant to you.

You can manage your cookie preferences relating to the use of cookies on our website by visiting www.grapevinegroup.co.za, and can opt-out of a third party website’s use of cookies by visiting the Network Advertising Initiative opt-out page at:

http://www.networkadvertising.org/managing/opt_out.asp.

Note that, if you do not allow cookies while using our website, you may not be able to use our website, or user experience may be diminished.

17. Indemnity

Grapevine takes our Clients’ privacy and the protection of their personal information very seriously, and we will only use personal information in accordance with this Statement and applicable data protection legislation. Furthermore, we have implemented reasonable technical and operational measures to keep our Clients’ personal information secure. It is however important that our Clients also take all necessary steps to protect their personal information.

Any person (natural or juristic) who has submitted personal information to Grapevine hereby indemnify and hold Grapevine harmless from any loss, damages or injury that the person may incur as a result of any unintentional disclosures of your personal information to unauthorised persons or the provision of incorrect or incomplete personal information to Grapevine.

18. Queries or complaints

Should you have any queries or complaints about this policy, or if you would like access, correct, amend or delete any personal information we have about you, you may email our Information Officer  – IO@vine.co.za, or alternatively complete Form 2 available on our website.

You are also entitled to refer any concerns to the South African Information Regulator:

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Email address:  POPIAComplaints@inforegulator.org.za

Forms:

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.