This Privacy Policy explains how MshenguEats (Pty) Ltd (registration number 2026/135444/07) collects, uses, stores, shares, and protects your personal information when you use the CopperEats mobile application or visit mshengueats.com (together, the "Service"). We comply with the Protection of Personal Information Act, 4 of 2013 (POPIA), the Electronic Communications and Transactions Act, 25 of 2002 (ECTA), and the Consumer Protection Act, 68 of 2008 (CPA).
By using the Service, you confirm that you have read this policy and understand how your personal information is processed.
Section 01Who we are
MshenguEats (Pty) Ltd is the responsible party (data controller) for personal information collected through the Service. We operate the consumer-facing CopperEats brand serving Copperleaf Estate in Centurion, Gauteng, South Africa.
Email: legal@mshengueats.com
Registered office: Copperleaf Estate, Centurion, Gauteng, South Africa
Company registration: 2026/135444/07
Our Information Officer is registered with the Information Regulator of South Africa as required under POPIA section 55.
Section 02What we collect
We collect only the personal information necessary to provide the Service. Specifically:
| Category | Examples | Source |
|---|---|---|
| Identity & contact | First name, last name, mobile number | You (during registration) |
| Address | Estate name, unit number, delivery instructions | You (when adding addresses) |
| Order & transaction | Order history, items, prices, delivery times, restaurant ratings | Generated when you order |
| Payment | Payment method type, last 4 digits of card, PayFast tokenised reference | PayFast (we never see full card numbers) |
| Location | Approximate location for delivery tracking (only with your permission, only while ordering) | Your device (with consent) |
| Device & technical | Device type, OS version, app version, IP address, anonymised crash reports | Your device automatically |
| Communications | Support emails, in-app chat, customer service call recordings (with notice) | You (when contacting support) |
What we do not collect
- We do not collect ID numbers, passport numbers, or other government identifiers.
- We do not collect biometric data (fingerprints, facial recognition).
- We do not collect information about your race, religion, political beliefs, health, or sexual orientation.
- We do not collect children's personal information knowingly (see Section 10).
Section 03Why we collect it
POPIA requires us to identify a lawful basis for processing your personal information. We process your information on the following bases:
- Performance of a contract (POPIA s.11(1)(b)) — to provide the Service you requested, including order delivery, payment, and customer support.
- Compliance with legal obligations (POPIA s.11(1)(c)) — to comply with tax, financial, and consumer protection laws.
- Your consent (POPIA s.11(1)(a)) — for optional features such as location tracking and marketing communications.
- Our legitimate interests (POPIA s.11(1)(f)) — to prevent fraud, secure the Service, and improve our product.
Section 04How we use it
We use your personal information to:
- Create and maintain your account
- Verify your mobile number during sign-in (one-time password via SMS)
- Process and deliver your orders
- Process payments and issue refunds
- Communicate order status (push notifications, SMS, email)
- Provide customer support and resolve complaints
- Detect and prevent fraud, abuse, or security incidents
- Improve the Service through anonymised analytics
- Comply with legal and regulatory obligations
- Send marketing communications (only with your explicit opt-in, and you can opt out at any time)
Section 05Who we share it with
We share your personal information only with the third parties listed below, and only to the extent necessary to operate the Service. Each party is contractually bound to protect your information.
| Third Party | Purpose | Country |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, application hosting | United States |
| Twilio Inc. | SMS delivery for one-time passwords | United States |
| PayFast (Pty) Ltd | Card payment processing | South Africa |
| Apple Inc. / Google LLC | Push notifications via APNs / FCM | United States |
| Google LLC (Maps Platform) | Address geocoding and delivery routing | United States |
| Retell AI Inc. | Voice agent for placing orders with restaurants (your name and order details only) | United States |
| Restaurant partners | Your name, order items, and delivery time (no contact details unless required) | South Africa |
| Delivery riders | Your first name, unit number, and order details | South Africa |
| Investec Bank Ltd | Rider payment processing via Programmable Banking | South Africa |
We may also share information when required by law (subpoena, court order, regulatory request) or to protect the rights, property, or safety of MshenguEats, our customers, or the public.
We do not sell your personal information to anyone, ever.
Section 06International transfers
Some of our service providers (notably Supabase, Twilio, Retell AI, Apple, and Google) are based outside South Africa, primarily in the United States. POPIA section 72 permits cross-border transfers of personal information where:
- The recipient is bound by a law, binding corporate rules, or binding agreement that provides adequate protection of the information; or
- You have consented to the transfer; or
- The transfer is necessary for the performance of a contract with you.
We rely primarily on the contractual basis: each of our international service providers is bound by data processing agreements that require POPIA-equivalent protection.
Section 07How long we keep it
We retain your personal information for as long as necessary to provide the Service and comply with our legal obligations.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account profile (name, mobile, address) | Active account + 30 days after deletion request | Service operation |
| Order & transaction records | 5 years | Tax Administration Act, Companies Act |
| Payment records | 5 years | Financial Intelligence Centre Act |
| Support communications | 2 years | Customer service quality and dispute resolution |
| Anonymised analytics | Indefinitely | Cannot be linked back to you |
| Marketing preferences | Until you opt out | Your consent |
Section 08How we protect it
We implement reasonable technical and organisational measures to protect your personal information against unauthorised access, loss, alteration, or disclosure, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Tokenisation of payment information (we never store card numbers)
- Multi-factor authentication for all administrative access
- Row-level security policies on our database
- Regular security reviews and dependency updates
- Limited employee access on a need-to-know basis
- Encrypted backups stored in compliance with POPIA
In the event of a security breach affecting your personal information, we will notify you and the Information Regulator as soon as reasonably possible, in line with POPIA section 22.
Section 09Your rights
POPIA gives you the following rights in relation to your personal information:
- Right of access — request a copy of the personal information we hold about you
- Right to correction — request that we correct inaccurate or incomplete information
- Right to deletion — request that we delete your personal information (subject to legal retention obligations)
- Right to object — object to processing on the basis of our legitimate interests
- Right to withdraw consent — withdraw consent at any time for processing that relies on your consent
- Right to lodge a complaint — complain to the Information Regulator (see Section 13)
- Right to data portability — receive your information in a structured, machine-readable format
To exercise any of these rights, contact our Information Officer at legal@mshengueats.com. We will respond within 30 days. There is no fee for these requests, except where requests are manifestly unfounded or excessive.
Account deletion
You can request account deletion at any time:
- In the app, go to Profile → Settings → Delete Account; or
- Email legal@mshengueats.com from the email address linked to your account.
Deletion is permanent. Order history required for tax and accounting purposes will be retained for 5 years in line with the Tax Administration Act, but it will be disassociated from your identifiable personal details where possible.
Section 10Children's privacy
The Service is intended for users aged 18 and over. We do not knowingly collect personal information from children under 18. POPIA section 34 prohibits the processing of personal information of children except in narrow circumstances with parental consent.
If you believe a child has provided personal information to us, please contact legal@mshengueats.com immediately. We will delete the information as soon as we verify the report.
Section 11Cookies & tracking
The mobile app does not use traditional web cookies. We do use:
- Local device storage — to keep you signed in and remember your preferences
- Crash reporting — anonymised crash logs to fix bugs (no personal information included)
- Push notification tokens — to send order updates (you can disable in your device settings)
The mshengueats.com website uses minimal functional cookies only. We do not use advertising cookies or third-party trackers.
Section 12Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify you via email and/or in-app notification at least 14 days before the changes take effect
- For changes that require new consent, we will obtain your fresh consent before processing
Continued use of the Service after the effective date of changes constitutes acceptance, where consent is not separately required.
Section 13Contact & complaints
If you have questions or concerns about how we handle your personal information, please contact our Information Officer:
Email: legal@mshengueats.com
Postal address: MshenguEats (Pty) Ltd, Copperleaf Estate, Centurion, Gauteng
Response time: within 30 days
If you're not satisfied with our response
You have the right to lodge a complaint directly with the Information Regulator of South Africa:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: complaints.IR@justice.gov.za
Website: inforegulator.org.za
About this document. This Privacy Policy is provided by MshenguEats (Pty) Ltd in good faith and is intended to comply with the Protection of Personal Information Act, 2013 (POPIA) and related South African legislation. This document is currently subject to attorney review. If any provision is found to conflict with applicable law, the law prevails and the rest of the document remains in effect.
For our Terms of Service, see mshengueats.com/terms.