Privacy Policy

Good Shepherd Toys (Pty) Ltd
Last Updated: 9 February 2026

NOTICE

This Privacy Policy forms part of the Agreement between you (the website visitor, customer, and user) and Good Shepherd Toys (Pty) Ltd (registration number 2023/791798/07) (“Good Shepherd Toys”, “we”, “us”, or “our”). This Policy applies to our website at https://www.goodshepherdtoys.com and all related services, sales, and marketing activities.

We reserve the right to make changes or modifications (“amendments”) to this Policy at any time and for any reason. We will alert you about any changes by updating the “Last Updated” date of this Policy. It is your responsibility to periodically review this Policy to stay informed of updates. Your continued use of the website and/or placing orders after any amendments constitutes your acceptance of the revised Policy.

By using our website, submitting your Personal Information, and/or making purchases, you acknowledge that you have reviewed this Policy and consent to our collection, use, transfer, and processing of your Personal Information in accordance with its terms.

APPLICABILITY OF LAWS

Good Shepherd Toys is a South African company. Our primary obligations are under the Protection of Personal Information Act, 4 of 2013 (“POPIA”). However, as we serve customers internationally, including in the European Union, we also comply with relevant provisions of the General Data Protection Regulation (“GDPR”) where applicable to processing of EU residents’ personal data.

This Policy addresses the requirements of both POPIA and GDPR to ensure comprehensive protection of your personal information regardless of your location.

DEFINITIONS

“Cookies” mean small pieces of information in the form of text files placed on your device’s hard drive. Cookies are generated by a web page server and help your browser navigate a website, enabling the website to deliver a more user-friendly service.

“Data Controller” (GDPR term) / “Responsible Party” (POPIA term) means Good Shepherd Toys (Pty) Ltd, which determines the purposes and means of processing personal information.

“Data Subject” means you, the individual to whom Personal Information relates.

“Personal Information” / “Personal Data” means information relating to an identifiable, living natural person, and where applicable, an identifiable existing juristic person. This includes but is not limited to:

  • Information relating to race, gender, sex, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth
  • Information relating to education, medical, financial, criminal, or employment history
  • Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or IP address
  • Biometric information
  • Personal opinions, views, or preferences
  • Correspondence sent that is private or confidential
  • The person’s name, if it appears with other personal information or if disclosure of the name itself would reveal information about the person

“Processing” means any operation or activity concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination by transmission, distribution or making available, merging, linking, restriction, degradation, erasure, or destruction of information.

“User” means the website visitor, customer, and/or any person who uses a computer or other device to access our website.

INFORMATION WE COLLECT

Information You Provide Directly

We collect information directly from you when you:

  • Create an account or register on our website
  • Complete and place an order
  • Subscribe to our newsletter
  • Sign up for back-in-stock notifications

This personal information may include:

  • Name and surname
  • Email address
  • Billing address
  • Delivery address
  • Contact number
  • Account passwords (stored in encrypted form)
  • Order data and purchase history
  • Payment information (processed securely by third-party payment processors)
  • Content you submit through contact forms or customer support

Important: Please ensure this information is true and correct, as it is required for billing, delivery, and payment purposes. You must notify us of any changes to personal information you have provided.

Information Collected Automatically

When you visit our website, we automatically collect certain technical information:

  • IP address and general location (country/city level)
  • Browser type and version
  • Device information (device type, operating system)
  • Pages visited and time spent on pages
  • Referral source (how you arrived at our website)
  • Clickstream data and navigation patterns
  • Shopping cart and checkout behaviour (including abandoned carts)

HOW WE USE YOUR INFORMATION

Legal Basis for Processing (GDPR)

For EU residents, we process your personal data under the following legal bases:

  • Contract Performance: Processing necessary to fulfil our contract with you (processing orders, delivery, customer support)
  • Consent: For marketing communications, newsletters, and optional cookies (you may withdraw consent at any time)
  • Legal Obligation: Compliance with tax, accounting, and other legal requirements
  • Legitimate Interests: Fraud prevention, website security, business analytics, and improving our services (balanced against your rights)

Purposes of Processing

We collect and process your personal information for the following legitimate business purposes:

  • To process transactions, fulfil orders, and manage purchases
  • To communicate order status and delivery updates
  • To deliver purchased products to you
  • To create and maintain your account
  • To respond to enquiries and provide customer support
  • To send newsletters and promotional communications (with your consent; you may unsubscribe at any time)
  • To notify you when out-of-stock products become available (if you have subscribed to back-in-stock notifications)
  • To send abandoned cart recovery emails (to help you complete your purchase)
  • To improve website performance and user experience
  • To conduct business analytics and identify usage trends
  • To comply with legal and regulatory obligations
  • For internal record-keeping and accounting
  • To prevent fraud and enhance security
  • To enforce our terms and conditions

Important: We will only use your personal information for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose.

COOKIES AND TRACKING TECHNOLOGIES

What Are Cookies?

Cookies are small text files stored on your device that help us recognise your browser, remember certain information, and provide a better website experience. A cookie does not give us access to your computer or device.

You may choose to disable cookies via your browser settings. However, if you turn cookies off, some features of our website may not function properly, and you may not be able to complete purchases.

Types of Cookies We Use

1. Essential Cookies (Strictly Necessary)

These cookies are required for the website to function and cannot be disabled. They include:

  • Session cookies for maintaining your shopping cart
  • Authentication cookies for account login
  • Security cookies for fraud prevention
  • Cookie consent preferences

2. Analytics Cookies

We use analytics services to understand how visitors use our website. These help us improve site performance and user experience:

  • Matomo Analytics (Self-Hosted): We host our own analytics platform at ana.goodshepherdtoys.com. Data is stored on our servers and is not shared with third parties. Matomo tracks page views, visitor behaviour, checkout funnels, and site performance.
  • Google Analytics 4: Provides additional analytics insights. Data is processed by Google LLC in accordance with Google’s Privacy Policy (https://policies.google.com/privacy). We are transitioning away from Google Analytics.
  • Cloudflare Analytics: Cloudflare provides basic analytics on traffic and security threats. Data is processed in accordance with Cloudflare’s Privacy Policy (https://www.cloudflare.com/privacypolicy/).

3. Marketing and Advertising Cookies

We use Google Tag Manager to manage marketing tags and pixels. These may include:

  • Conversion tracking pixels
  • Retargeting pixels for advertising campaigns
  • Social media pixels (Facebook, Instagram)

4. Functional Cookies

  • Currency and country selection preferences
  • Language preferences
  • Recently viewed products

Managing Your Cookie Preferences

You can control and manage cookies in several ways:

  • Cookie Consent Banner: When you first visit our website, you’ll see a cookie consent banner allowing you to accept or reject non-essential cookies.
  • Browser Settings: Most browsers allow you to refuse or delete cookies. Please note that disabling cookies may affect website functionality.
  • Opt-Out Tools: For Google Analytics, you can install the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).

THIRD-PARTY SERVICE PROVIDERS AND DATA PROCESSORS

We work with trusted third-party service providers to operate our business, process payments, deliver products, and improve our services. These third parties may have access to your personal information only to perform specific tasks on our behalf and are obligated to protect your information.

Hosting and Infrastructure

  • Hetzner Online GmbH (Germany): Our website is hosted on servers in Germany operated by Hetzner. This includes our database and backup storage. Privacy Policy: https://www.hetzner.com/legal/privacy-policy
  • RunCloud: Server management platform for maintaining our hosting infrastructure.
  • Cloudflare, Inc. (USA): Provides DNS, SSL/TLS certificates, DDoS protection, and CDN services. Privacy Policy: https://www.cloudflare.com/privacypolicy/

Payment Processors

Important: We do not directly process or store your payment card details. All payment information is processed securely by PCI-DSS compliant third-party payment processors:

  • SnapScan (Standard Bank, South Africa): Mobile payment solution. Privacy Policy: https://www.snapscan.co.za/privacy
  • Paystack (Stripe, Nigeria/USA): Online payment gateway. Privacy Policy: https://paystack.com/privacy

Each payment processor handles payment data in accordance with their own privacy policies and PCI-DSS requirements. We receive only transaction confirmation details necessary to fulfil your order.

Email Services

  • Amazon Web Services SES (USA/Europe): Transactional emails (order confirmations, shipping notifications, password resets) are sent via Amazon Simple Email Service. Privacy Policy: https://aws.amazon.com/privacy/
  • FluentSMTP: WordPress plugin managing email delivery through AWS SES.

Shipping and Delivery

We share your delivery address, name, and contact number with courier services to fulfil orders:

  • Local South African couriers (Courier Guy, PostNet, etc.)
  • International shipping providers (UPS, FedEx, etc., depending on destination)

Analytics and Marketing

  • Matomo (Self-Hosted): Privacy-focused analytics platform. Data stored on our servers at ana.goodshepherdtoys.com.
  • Google Analytics 4: Website analytics. Privacy Policy: https://policies.google.com/privacy
  • Google Tag Manager: Tag management system for analytics and marketing pixels.

Other WordPress Plugins and Services

Our website uses various WordPress plugins that may process personal information:

  • WooCommerce: E-commerce platform
  • UpdraftPlus: Backup service (backups stored on Hetzner and Google Drive)
  • Wordfence Security: Website security and firewall
  • FiboSearch: Site search functionality
  • Back In Stock Notifier: Email notifications for product availability
  • Cart Abandonment Recovery: Abandoned cart email reminders
  • ShopMagic: Marketing automation for transactional emails

Note: Most of these plugins process data locally on our servers. Where plugins connect to external services, they do so in accordance with their respective privacy policies.

INTERNATIONAL DATA TRANSFERS

Good Shepherd Toys is based in South Africa. Some of our service providers are located outside South Africa and the European Union, which means your personal information may be transferred to, stored in, and processed in other countries, including:

  • Germany (Hetzner hosting servers)
  • United States (Cloudflare, AWS SES, Google Analytics)
  • Other countries where our payment processors and service providers operate

For EU Residents (GDPR): Where we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Transfers to countries with adequacy decisions from the European Commission (e.g., for certain service providers)
  • Use of Standard Contractual Clauses (SCCs) approved by the European Commission
  • Service providers certified under recognised privacy frameworks

For South African Residents (POPIA): We comply with POPIA Section 72 requirements for transborder information flows. We only transfer personal information to third countries where adequate levels of protection are in place or where you have consented to the transfer.

DATA RETENTION

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Retention Periods

  • Account Information: Retained for as long as your account is active. If you request account deletion, we will delete your account data within 30 days, except where we must retain it for legal or accounting purposes.
  • Order and Transaction Data: Retained for 7 years from the date of purchase to comply with tax and accounting regulations (SARS requirements in South Africa).
  • Email Marketing Lists: Retained until you unsubscribe. We remove unsubscribed email addresses from marketing lists immediately but retain a suppression list to ensure you are not re-added.
  • Abandoned Cart Data: Automatically deleted after 30 days of inactivity (cart considered “stale”).
  • Website Analytics: Matomo analytics data is retained for 24 months. Google Analytics data is retained according to Google’s retention settings (currently 14 months).
  • Server Logs: Technical logs (including IP addresses) are retained for 90 days for security and troubleshooting purposes.
  • Backup Data: Database backups containing personal information are retained for 365 days on Hetzner servers and Google Drive. Backups are automatically overwritten after this period.

When personal information is no longer needed, we will either delete it securely or anonymise it so that it can no longer identify you.

HOW WE PROTECT YOUR INFORMATION

We implement appropriate technical and organisational security measures to protect your personal information from unauthorised access, use, disclosure, alteration, or destruction:

  • Encryption: All data transmitted between your browser and our website is encrypted using SSL/TLS protocols (HTTPS). This includes checkout and payment pages.
  • Secure Hosting: Our website and database are hosted on secure servers in Hetzner’s German data centres with physical and network security controls.
  • Firewall and Security Monitoring: We use Wordfence Security and Cloudflare’s firewall to protect against malicious attacks, including DDoS attacks, SQL injection, and cross-site scripting (XSS).
  • Access Controls: Access to personal information is restricted to authorised personnel only, on a need-to-know basis.
  • Password Protection: User passwords are stored using industry-standard hashing algorithms and are never stored in plain text.
  • Regular Backups: Automated daily backups ensure data can be restored in case of system failure.
  • Payment Security: We do not store credit card information on our servers. Payment processing is handled by PCI-DSS compliant third-party processors.

Important Limitation: While we take all reasonable measures to secure your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You acknowledge that your use of our website and provision of personal information is at your own risk.

YOUR RIGHTS

Rights Under POPIA (South African Residents)

Under POPIA, you have the following rights:

  • Right to Access (Section 23): You have the right to request confirmation of whether we hold personal information about you and to access that information.
  • Right to Correction (Section 24): You may request correction, destruction, or deletion of your personal information if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Right to Object (Section 11): You may object to the processing of your personal information on reasonable grounds relating to your particular situation, unless legislation provides for such processing.

Rights Under GDPR (EU Residents)

If you are located in the European Union, you have additional rights under GDPR:

  • Right to Access (Article 15): You can request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): You can request correction of inaccurate or incomplete personal data.
  • Right to Erasure / “Right to be Forgotten” (Article 17): You can request deletion of your personal data in certain circumstances (e.g., when it is no longer necessary for the purposes for which it was collected).
  • Right to Restriction of Processing (Article 18): You can request that we limit the processing of your personal data in certain situations.
  • Right to Data Portability (Article 20): You can request a copy of your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object (Article 21): You can object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent (Article 7): Where processing is based on your consent, you can withdraw that consent at any time.
  • Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with a supervisory authority (e.g., your national data protection authority).

How to Exercise Your Rights

To exercise any of these rights, please contact our Information Officer:

Information Officer: Dominique Lodewijks
Email: info@goodshepherdtoys.com
Telephone: +27 (0) 72 800 8672
Postal Address: PO Box 10641, Linton Grange, Port Elizabeth, 6015, South Africa

For formal requests under POPIA, please use:

  • POPIA Form 1: Objection to the Processing of Personal Information (available at https://www.goodshepherdtoys.com/paia-manual-for-good-shepherd-toys/)
  • POPIA Form 2: Request for Correction or Deletion of Personal Information (available at https://www.goodshepherdtoys.com/paia-manual-for-good-shepherd-toys/)

We will respond to your request within 30 days (POPIA) or 1 month (GDPR), unless an extension is required due to the complexity of the request.

Please note: We may require proof of identity before processing your request to ensure the security of your personal information. Prescribed fees may apply for certain requests under POPIA (see our PAIA Manual for details).

CHILDREN’S PRIVACY

The processing of personal information of children is prohibited under Section 35 of POPIA. Similarly, GDPR Article 8 imposes restrictions on processing children’s data.

We do not knowingly collect or process personal information from children under the age of 18 without parental or guardian consent.

By using our website, placing an order, and/or creating an account, you confirm that:

  • You are at least 18 years old, OR
  • If you are under 18, a competent person (parent or legal guardian) has consented to your use of the website and provision of your personal information

If we become aware that a child has provided personal information without proper parental consent, we will delete such information and deactivate any associated account immediately. If you believe a child has provided us with personal information without consent, please contact us at info@goodshepherdtoys.com.

MARKETING COMMUNICATIONS AND CONSENT

We may send you marketing communications if you have:

  • Opted in to receive newsletters or promotional emails
  • Subscribed to back-in-stock notifications
  • Made a purchase (we may send you related product recommendations or special offers based on legitimate interest, unless you opt out)

You can opt out of marketing communications at any time by:

  • Clicking the “unsubscribe” link in any marketing email
  • Logging into your account and updating your email preferences
  • Contacting us at info@goodshepherdtoys.com

Important: Even if you opt out of marketing communications, we will still send you transactional emails necessary to fulfil your orders (e.g., order confirmations, shipping notifications, password resets).

THIRD-PARTY LINKS

Our website may occasionally include links to third-party websites, products, or services (e.g., payment processors, social media platforms).

Please note: Once you leave our website by clicking on these links, we have no control over third-party websites. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content, activities, or privacy practices of these linked sites.

We recommend reviewing the privacy policies of any third-party websites you visit. We welcome feedback about third-party sites to help us protect the integrity of our platform.

AUTOMATED DECISION-MAKING AND PROFILING

We do not use fully automated decision-making or profiling that produces legal effects or similarly significantly affects you.

However, we may use analytics tools (Matomo, Google Analytics) to analyse browsing behaviour and shopping patterns to improve our website experience and show relevant product recommendations. This does not result in automated decisions that affect your rights or access to services.

DATA BREACH NOTIFICATION

In the unlikely event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant authorities: The Information Regulator (South Africa) within 72 hours (as required by POPIA), and any applicable EU supervisory authority (as required by GDPR)
  • Notify affected individuals: We will inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, providing details of the breach and steps we are taking to address it

CONTACT INFORMATION AND COMPLAINTS

Our Contact Details

Company Name: Good Shepherd Toys (Pty) Ltd
Registration Number: 2023/791798/07
Information Officer: Dominique Lodewijks
Email: info@goodshepherdtoys.com
Telephone: +27 (0) 72 800 8672
Postal Address: PO Box 10641, Linton Grange, Port Elizabeth, 6015, South Africa
Website: https://www.goodshepherdtoys.com

Lodge a Complaint with Regulators

If you have concerns about how we handle your personal information, you have the right to lodge a complaint with the relevant data protection authority:

For South African Residents (POPIA):

The Information Regulator (South Africa)
Physical Address: 33 Hoofd Street, Forum III, 3rd Floor, Braampark, Johannesburg
Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
Telephone: +27 (0) 10 023 5200
Email: complaints.IR@justice.gov.za
Website: https://www.justice.gov.za/inforeg/

For EU Residents (GDPR):

You may lodge a complaint with your national supervisory authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

ADDITIONAL INFORMATION

PAIA Manual: For detailed information about accessing records held by Good Shepherd Toys, please refer to our PAIA Manual (as amended by POPIA) available at: https://www.goodshepherdtoys.com/paia-manual-for-good-shepherd-toys/

Terms and Conditions: Please also review our Terms and Conditions, which govern the use of our website: https://www.goodshepherdtoys.com/terms-and-conditions/

Feedback: If you are dissatisfied with our services or have concerns about our handling of your personal information, please contact us at info@goodshepherdtoys.com. We welcome feedback and take all privacy concerns seriously.

CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the “Last Updated” date at the top of this Policy.

We encourage you to review this Policy periodically. Your continued use of our website after changes are posted constitutes your acceptance of the updated Policy.

For significant changes that materially affect your rights, we will provide additional notice (e.g., via email or a prominent notice on our website).