Last updated: 27 February 2026
1. Introduction
MerchDash ("we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use the MerchDash analytics dashboard ("Service"). This policy complies with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable South African legislation.
2. Information We Collect
We collect the following categories of information:
2.1 Account Information
- Email address (used for authentication and communication)
- Name (if provided during registration)
- Authentication credentials (managed via Supabase Auth)
2.2 API Keys
- Third-party platform API keys (e.g., Takealot Seller API key) that you provide to connect your accounts.
- API keys are stored on our servers and used solely to synchronise your data.
2.3 Business Data
- Sales data (order IDs, quantities, prices, dates, fulfilment status) synchronised from your connected seller accounts.
- Inventory and product data (stock levels, offer details, product titles, pricing) synchronised from your connected seller accounts.
- Computed metrics and analytics derived from the above data.
2.4 Technical Data
- Browser type, device information, and IP address (collected automatically for security and service improvement).
- Essential cookies for authentication and session management (see our Cookie Policy).
3. How We Use Your Information
We use your information for the following purposes:
- Service delivery: To synchronise, process, and display your sales and inventory data.
- Authentication: To verify your identity and secure your account.
- Communication: To send you service-related notifications and updates.
- Service improvement: To monitor performance and improve the Service.
4. Legal Basis for Processing (POPIA)
Under POPIA, we process your personal information based on:
- Consent: You consent to data processing when you create an account and connect your API keys.
- Contract: Processing is necessary to fulfil our service agreement with you.
- Legitimate interest: For security monitoring and service improvement.
5. Data Storage and Security
- Your data is stored on Supabase infrastructure with row-level security ensuring that users can only access their own data.
- All data is transmitted over encrypted connections (HTTPS/TLS).
- API keys are stored server-side and are never exposed to the browser in full.
- We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or destruction.
6. Data Sharing
We do not sell your personal information or business data to any third party.
We may share data only in the following circumstances:
- Service providers: We use Supabase for database hosting and Vercel for application hosting. These providers process data on our behalf under appropriate data processing agreements.
- Legal requirements: If required by law, court order, or governmental authority.
7. Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Object: Object to the processing of your personal information in certain circumstances.
- Withdraw consent: Withdraw your consent to processing at any time by deleting your account.
8. Data Retention
We retain your data for as long as your account is active. Upon account deletion or termination, we will delete your personal information and synchronised business data within 30 days, unless we are required by law to retain it for longer.
9. Cross-Border Data Transfers
Your data may be processed on servers located outside South Africa (e.g., in the United States or European Union via our hosting providers). We ensure that adequate safeguards are in place as required by POPIA Section 72 for any cross-border transfers.
10. Children
The Service is not intended for use by persons under the age of 18. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.
12. Information Officer
For any queries regarding this Privacy Policy or to exercise your rights under POPIA, contact our Information Officer:
- Email: privacy@merchdash.io
You also have the right to lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.