Privacy Policy

Last updated: 1 September 2025

1) Who we are

Controller: [Gelli (Pty) Ltd] 
This policy explains how we process personal information under South Africa’s POPIA.

2) What we collect

  • Account & order data: name, email, phone, billing & delivery addresses, order history, returns, invoices.

  • Salon portal data (members-only): business name, registration/VAT (optional), social links/website, proof of trade, approval status.

  • Payment data: processed securely by PayFast (we don’t store card details). PayFast is a PCI-DSS Level 1 service provider.

  • Device/cookie data: IP, device type, pages viewed, and events via Google Site Kit (Analytics/Search Console).

  • Support & marketing: emails, chat messages, preferences, opt-ins, competition entries.

3) Why we use your data (lawful bases)

  • To fulfil orders & provide services (contracts).

  • To verify and manage salon memberships (legitimate interests & contracts).

  • To send service and marketing messages (consent/legitimate interests; you can opt out anytime).

  • Fraud prevention & security including Wordfence (legitimate interests).

  • Legal & tax obligations (legal obligation).

4) Cookies & analytics

We use essential cookies (site & checkout), analytics cookies (Google Analytics via Site Kit), and marketing cookies (only if you consent). You can manage cookies in your browser and via our cookie banner. See Google’s policies for details on Analytics processing.

5) Sharing your data

We share only what’s necessary with trusted processors:

  • Payments: PayFast (card/Instant EFT). We do not receive or store full card PANs.

  • Couriers/fulfilment: [Courier Name(s)] for delivery & tracking.

  • Email/SMS & CRM: [Provider, e.g., Mailchimp/Sendinblue] for comms (only if opted in or service-related).

  • Hosting & security: [Host], Wordfence.

We don’t sell personal information.

6) Cross-border transfers

Some providers (e.g., analytics/email) may process data outside SA. We only transfer data where appropriate protections are in place as required by POPIA (e.g., contractual safeguards).

7) Retention

  • Orders/invoices: 5 years minimum (tax & accounting).

  • Salon documents: for the membership duration + up to 2 years after last activity, unless law requires longer.

  • Marketing data: until you unsubscribe or request deletion. We keep minimal suppression data to honour opt-outs.

8) Security

We use HTTPS, least-privilege access, regular updates, backups, and security monitoring (e.g., Wordfence). Card processing happens on PayFast’s PCI-DSS Level 1 systems. 

9) Your POPIA rights

You can access, correct, delete, or object to processing; withdraw consent; and complain to the regulator. We’ll respond within a reasonable time and may require verification of identity. 

10) Children

Our site is for general retail; the Salon portal is for verified professional businesses only. We don’t knowingly collect children’s data.

11) Direct marketing

We send marketing only with consent or as allowed by law. You can unsubscribe in any email or by contacting us.

12) Contact us

Information Officer: Melanie [melanie@gelli.co.za] 

13) Complaints

You may lodge a complaint with the Information Regulator (South Africa):
Email: POPIAComplaints@inforegulator.org.za (POPIA) • PAIAComplaints@inforegulator.org.za (PAIA)
Website: inforegulator.org.za