Data Protection and Use Policy
Effective date: 1 February 2026
Platform and Company: Retail RockIT (Pty) Ltd
Contact: policy@retailrockit.co.za
This policy explains what data we collect, why we collect it, how we protect it, and the limits we place on how it may be used. This policy applies to Takealot marketplace sellers who connect their Takealot seller account to our platform using an API key.
1. Core commitments
- Data ownership. Clients retain all rights in/to account data, sales data, pricing data, and related business information.
- We use your data only to provide you with the tools and services we offer. We do not use client data to trade, compete with, or favour any client.
- Equal opportunity. We do not use client data to give any client an advantage over another. Our repricing functionality (Price Primer) uses client settings and public marketplace pricing signals only.
- Confidentiality by design. Client data is treated as confidential information. Access is restricted to authorised personnel who need it to operate and support the services we offer.
- Security is not a slogan. We use layered security controls, a Tier 1 data centre, and annual penetration testing.
2. Scope
This policy applies to all data processed by our platform in connection with:
- Seller account connection to Takealot via API key.
- Retrieval of seller account information such as catalogue, stock, orders, sales, returns, fees, and other metrics.
- Pricing automation and repricer functionality, including collection of public marketplace pricing and offer signals.
- Billing, support, and platform operations.
3. Data we collect and process
We collect and process the following categories of data in the offering of our tools and services. Some of it may be personal information as defined in applicable law.
3.1 Seller provided data
- Account registration details such as name, email address, mobile number, business name, VAT, or registration number where applicable.
- Takealot API key and related credentials or tokens needed to connect.
- Bank account details used for platform billing, payments for stock, or verification where applicable.
- Support communications and preferences such as notification settings.
3.2 Data retrieved from Takealot via the API (as authorised by clients)
Depending on the permissions available through the Takealot API and client configuration, this can include:
- Product catalogue data such as SKU, listing attributes, images and categories;
- Stock levels, availability, inbound and outbound movements;
- Sales and order data such as quantities, dates, order references, fulfilment status, returns and fees;
- Pricing and offer data; and
- Reports and performance metrics available through the API.
Note on end customer data: If any Takealot API responses include personal information relating to your customers, such as names, addresses and/or contact details, we process that information strictly to provide our services to clients and to support their operations. We do not use it for marketing, profiling, or any purpose unrelated to our service to you.
3.3 Public marketplace data used for repricing
To support repricing, we collect information that is publicly visible on the Takealot marketplace, such as:
- Publicly displayed prices for the same product;
- Public offer signals such as seller count and availability indicators where visible; and
- Public listing identifiers and metadata needed to match competing offers.
4. How we use data collected
We use data only for the following purposes:
- Provide the platform service including dashboards, analytics, alerts, reporting, and operational tools;
- Operate the repricer using client instructions, rules, and public marketplace pricing signals;
- Maintain connection integrity including API key validation, token refresh, error handling, and audit logging;
- Customer support including troubleshooting, responding to queries, and resolving incidents;
- Security and fraud prevention including access monitoring, anomaly detection, and abuse prevention;
- Billing and account administration including invoicing, payment reconciliation, and account verification where relevant; and
- Service improvement using aggregated and anonymised insights that cannot reasonably identify clients or expose confidential business information.
We do not sell client data. We do not rent client data. We do not provide client level sales or pricing data to other clients.
5. What we do not do
To avoid any doubt, the following are prohibited within our organisation:
- Employees, contractors, or associates using client data to gain any commercial advantage.
- Using one client’s data to optimise another client’s outcomes.
- Building competitor targeting models from confidential client data.
- Sharing client data with outside parties for their independent use, except as described in section 9.
6. Data storage and hosting
- Our platform is hosted in a Tier 1 data centre environment with enterprise grade physical and environmental controls.
- Client data is stored in logically segregated systems designed to prevent cross client access.
- Backups are performed and protected using access controls and encryption. Backup retention is defined in section 11.
7. Security controls
We apply security controls appropriate to the sensitivity of the data we process, including bank account details and API credentials.
7.1 Technical safeguards
- Encryption in transit using modern TLS.
- Encryption at rest for sensitive fields such as API keys and bank account details.
- Strong access control with least privilege and multi factor authentication for administrative access.
- Network protections including firewalls, segmentation, and monitored ingress and egress.
- Secure software development practices including code review and vulnerability management.
- Audit logging of administrative access and critical data operations.
- Regular patching and dependency management.
7.2 Operational safeguards
- Annual independent penetration testing and remediation tracking.
- Access is granted only to authorised staff with a legitimate operational need.
- Confidentiality obligations for employees and contractors.
- Change control processes for production systems.
- Incident response procedures including containment, investigation, and notification.
No system can be guaranteed as perfectly secure, but we are deliberate about reducing risk and responding quickly if something does go wrong.
8. API keys and credential handling
- Client Takealot API keys are treated as high sensitivity secrets.
- We store API keys in encrypted form and restrict access to the minimum systems required to operate the service.
- We never display the full API key back to users after initial entry, except where you explicitly request secure re-display mechanisms that do not expose the full secret.
- We support key rotation. If you rotate your key, you can update it in the platform.
9. Sharing and disclosure
We only share data in the following limited cases, and then only to the necessary extent:
- Service providers who help us run the platform such as hosting, monitoring, email delivery, and support tooling under written agreements that restrict use and require confidentiality and security controls.
- Legal requirements where disclosure is required by law, court order, or a lawful request by a competent authority.
- With client instruction or consent where clients ask us to share data with a specific third party, such as an accountant or integration partner.
We do not permit service providers to use your data for their own marketing or independent analytics.
10. Cross border transfers
If we ever need to process or store data outside South Africa, we will ensure appropriate safeguards are in place and we will only do so in line with applicable data protection law. Where possible, we prefer to keep primary processing within South Africa.
11. Retention and deletion
- While a client account is active, we retain data needed to provide our services and meet legal obligations.
- Upon closure of accounts, we delete or anonymise client data within a reasonable period, unless retention is required by law, required to resolve disputes, or required for legitimate audit and security purposes.
- Some data may remain in encrypted backups for a limited period until backup rotation completes, after which it is overwritten or securely destroyed.
You may request an export of your data before closure.
12. Client rights and choices
Subject to applicable law and contractual commitments, clients can:
- Access and correct account information.
- Request exports of data.
- Request deletion of account and associated data, subject to section 11.
- Withdraw Takealot API connections at any time by removing API keys or disconnecting within the platform.
13. Repricer rules and control
- The repricer only changes client prices based on rules clients configure, including floors, ceilings, step sizes, excluded products, and schedule controls where available.
- Clients can pause or disable repricing at any time.
- We maintain logs of repricing actions to support transparency, troubleshooting and billing.
- Public marketplace pricing data is used as an input signal. We do not use confidential client sales data to compete against other clients.
14. Data incidents and notification
If we detect unauthorised access, disclosure, or loss of data we will:
- act to contain and remediate the incident.
- investigate scope and impact.
- where required by law, notify affected clients and relevant authorities as soon as reasonably possible, with practical guidance on steps to take.
15. Compliance
We aim to comply with applicable South African data protection requirements, including the Protection of Personal Information Act, as well as any other applicable laws and good practice guidelines.
16. Changes to this policy
If we update this policy, we will publish the new version and update the effective date. If a change materially reduces protections, we will provide additional notice through reasonable channels.
17. Contact
For questions, requests, or concerns about this policy or your data, contact:
Email: policy@retailrockit.co.za

