🍪 Legal Document
Privacy Policy
This Privacy Policy complies with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa and aligns with internationally recognised data protection principles.
We are a small, proudly South African food blog. We take your privacy seriously — not because we have to, but because we believe it is the right way to run a business. This policy tells you exactly what we collect, why we collect it, and what you can do about it.
Please read this policy carefully. By using OvernightOats.co.za, signing up for our free 7-Day Challenge, purchasing products from our shop, or joining our email list, you acknowledge that you have read and understood this Privacy Policy.
Plain English summary: We collect your name and email when you sign up for our challenge or shop. We use it to send you recipes and (occasionally) tell you about our products. We never sell your data. You can opt out any time. That is really it.
—– Section 01
Who We Are
OvernightOats.co.za (“we”, “us”, “our”) is a South African digital food media business operating the website at overnightoats.co.za. We create and publish overnight oats recipes, guides and educational content specifically for South African audiences, and sell digital products (recipe eBooks and meal plans) via our WooCommerce-powered online shop.
Under POPIA, OvernightOats.co.za is the Responsible Party — meaning we determine the purpose and means of processing your personal information and are accountable for ensuring that it is processed in compliance with POPIA.
—– Section 02
Information We Collect
We collect personal information only when you voluntarily provide it to us through specific actions on our website. We do not collect data unless it is necessary for the purpose described. Below is a complete list of every category of information we collect and how it is gathered.
| Category | Data Collected | How Collected | Required? |
|---|---|---|---|
| Identity | First name | Challenge sign-up form, shop checkout | Yes |
| Contact | Email address | Challenge sign-up, newsletter subscription, shop checkout, contact form | Yes |
| Location | Province (SA) — optional | Challenge sign-up form (optional field) | No |
| Transaction | Purchase history, product type | WooCommerce shop checkout (PayFast handles payment details — see Section 11) | Purchase only |
| Technical | IP address, browser type, pages visited, time on site, referring URL | Automatically via Google Analytics / server logs | Automatic |
| Behavioural | Email open rates, link clicks, challenge engagement | MailerLite email platform tracking pixels | Automatic |
| Communications | Content of messages you send us | Contact form submissions, email replies | Voluntary |
We DO NOT collect the following:
Payment card details or banking information (handled exclusively by PayFast) · National ID or passport numbers · Race, ethnicity, religion or political affiliation · Health or medical data · Biometric data · Information from children under 18 without verifiable parental consent
—– Section 03
How We Use Your Information
We use the personal information we collect only for the purposes described below. We will not use your information for any purpose that is incompatible with the purpose for which it was originally collected without first obtaining your consent.
To deliver the 7-Day Challenge: Send your daily recipe emails for 7 consecutive days following your sign-up, including recipes, shopping guides, science content and the Day 7 recipe card pack download.
To send our weekly newsletter: After challenge completion, send our weekly email newsletter containing new SA recipes, blog posts, tips and occasional promotional content. You may unsubscribe at any time.
To process your purchase: Fulfil digital product orders (eBook, meal plan), send your PDF download link, and maintain transaction records for accounting purposes.
To personalise your experience: Use your province (if provided) to tailor recipe recommendations and seasonal shopping guides to your region.
To improve our content: Analyse website traffic and email engagement (open rates, click rates) in aggregate to understand which content resonates with our audience and improve future recipes, guides and emails.
To respond to enquiries: Reply to messages submitted via our contact form or by direct email. We retain contact form submissions for up to 12 months.
To comply with legal obligations: Maintain records required by South African tax and accounting law, and respond to any lawful requests from regulatory or law enforcement authorities.
—– Section 04
Lawful Basis for Processing (POPIA)
Under POPIA, we must have a lawful basis — or “justification condition” — for processing your personal information. The table below sets out the basis on which we process each category of your data.
POPIA Compliance Note
The Protection of Personal Information Act 4 of 2013 (POPIA) commenced in full on 1 July 2021. All processing of personal information by OvernightOats.co.za is conducted in accordance with POPIA's eight conditions for lawful processing: Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, and Data Subject Participation.
—– Section 05
Sharing Your Information
We do not sell your personal information to any third party. We never have and we never will.
We share your personal information only with the following categories of third-party service providers who help us operate our business. All third-party processors are contractually required to process your data only as instructed by us and in accordance with applicable data protection law.
Affiliate Links
Our website contains affiliate links to third-party retailers including Faithful to Nature, Takealot, Dis-Chem and others. If you click an affiliate link and make a purchase, we may receive a commission at no additional cost to you. Clicking these links does not transfer your personal information to us — the third-party retailer's own privacy policy governs the data they collect when you visit their site.
—– Section 06
Email Marketing
We take a consent-first approach to email marketing. You will only receive marketing emails from us if you have explicitly opted in — either through the 7-Day Challenge sign-up form, a newsletter subscription form, or by purchasing a product from our shop.
What we send: New SA overnight oats recipes, health and nutrition content, seasonal cooking guides, product launches, exclusive discounts for subscribers, and occasional promotional content.
How often: The 7-Day Challenge sends one email per day for 7 days. After the challenge, our weekly newsletter typically sends once per week. We may occasionally send additional emails for significant product launches or time-sensitive offers.
Tracking: Our emails contain tracking pixels that allow us to see whether an email was opened and which links were clicked. This helps us understand which content is most useful. This data is analysed in aggregate and is not used to make automated decisions about you individually.
Unsubscribing: Every email we send contains an unsubscribe link at the bottom. Clicking it will immediately remove you from our mailing list. You may also unsubscribe by emailing hello@overnightoats.co.za. We process all unsubscribe requests within 48 hours.
Transactional emails: If you purchase a product, we will send you order confirmation and download link emails regardless of your marketing preferences. These are necessary for fulfilling your purchase and cannot be opted out of while maintaining an active order.
Unsubscribing from the Challenge Mid-Way
If you unsubscribe during the 7-Day Challenge, your remaining daily emails will stop immediately. You may re-subscribe at any time by signing up again at overnightoats.co.za/challenge.
—– Section 07
Cookies
Cookies are small text files stored on your device when you visit our website. We use cookies to make the site work correctly, remember your preferences, and understand how visitors use our content. We do not use cookies for advertising targeting or to sell your data.
| Cookie Type | Purpose | Duration | Can Be Disabled? |
|---|---|---|---|
| Essential / Functional | Required for the website and shop to function — session management, shopping cart, login state | Session / up to 1 year | No — disabling breaks core functionality |
| Analytics (Google Analytics) | Anonymised traffic analysis — pages visited, time on site, traffic sources | Up to 2 years | Yes — via cookie consent banner or Google opt-out |
| Preference | Remember your cookie consent choice and any user preferences you have set | 1 year | Yes — clearing browser cookies |
| Marketing / Tracking | We do not use advertising or retargeting cookies | N/A | N/A |
You can control cookie settings through your browser. Most browsers allow you to block all cookies, block third-party cookies only, or clear existing cookies. Please note that disabling certain cookies may affect your ability to use parts of our website, particularly the shop and checkout process.
For more information on managing cookies, visit aboutcookies.org. To opt out of Google Analytics tracking specifically, install the Google Analytics Opt-out Browser Add-on.
—– Section 08
Data Retention
We retain your personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. The table below sets out our retention periods for each category of data.
| Data Type | Retention Period | Reason |
|---|---|---|
| Email subscriber (active) | Until unsubscription | Required to maintain your subscription and send agreed communications |
| Email subscriber (unsubscribed) | 12 months after unsubscription | Suppression list — to prevent accidental re-addition; deleted thereafter |
| Purchase records | 7 years | South African tax law (Income Tax Act) requires 5-year minimum; we retain 7 years as best practice |
| Contact form submissions | 12 months | Sufficient to resolve any outstanding queries; deleted on rolling basis |
| Website analytics (Google) | 26 months (Google default) | Anonymised aggregate data — individual data not retained |
| Server logs | 90 days | Security monitoring; automatically deleted |
When data has reached the end of its retention period, we delete or anonymise it securely. You may request early deletion of your personal information at any time — see Section 10 (Your Rights) below.
—– Section 09
Security
We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, accidental loss, destruction or alteration. These measures are reviewed and updated regularly.
SSL/TLS encryption: All data transmitted between your browser and our website is encrypted via HTTPS. Look for the padlock icon in your browser address bar.
Password security: All administrative accounts use strong, unique passwords and where available, two-factor authentication (2FA).
Payment security: We do not store payment card information on our servers. All payment processing is handled by PayFast, which is PCI DSS Level 1 certified — the highest level of payment security certification.
Access controls: Access to personal information is restricted to only those individuals who need it to perform their role, and they are bound by confidentiality obligations.
Regular backups: Our website and database are backed up regularly to prevent data loss from technical failures.
Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Regulator of South Africa as required by POPIA, and we will notify you directly if the breach is likely to result in a high risk to your rights and freedoms. We aim to notify affected individuals within 72 hours of becoming aware of a qualifying breach.
—– Section 10
Your Rights Under POPIA
POPIA grants you specific rights in relation to your personal information. We are committed to upholding these rights and will respond to all valid requests within 30 days of receipt.
To exercise any of these rights, please contact us at hello@overnightoats.co.za with “Privacy Request” in the subject line. We may need to verify your identity before processing your request.
Information Regulator of South Africa
If you are not satisfied with how we have handled your privacy complaint, you have the right to lodge a complaint with the Information Regulator of South Africa at: inforeg@justice.gov.za or visit www.inforegulator.org.za. Postal address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.
—– Section 11
Third-Party Services
Our website contains links to third-party websites, including our affiliate partners and social media platforms. This Privacy Policy does not apply to those websites. We encourage you to read the privacy policy of any third-party site you visit.
The following third-party services are integrated into our website. Each has its own privacy policy which governs how they handle data collected through their services:
—– Section 12
Children's Privacy
Our website, services and digital products are not directed at or intended for children under the age of 18. We do not knowingly collect personal information from anyone under the age of 18.
Under POPIA, the processing of personal information of a child (defined as a person under 18) requires the prior consent of a competent person (a parent or guardian), and such processing is prohibited for the purpose of targeted marketing.
If you are a parent or guardian and believe that your child under 18 has provided us with personal information without your consent, please contact us immediately at hello@overnightoats.co.za and we will delete that information promptly.
—– Section 13
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable legal requirements. When we make material changes to this policy, we will:
Update the “Last Updated” date at the top of this page
Send a notification email to our active subscribers describing the material changes
Post a notice on our website for a minimum of 30 days following material changes
Your continued use of our website or services after any changes to this Privacy Policy constitutes your acceptance of those changes. If you do not agree to the updated policy, please stop using our services and unsubscribe from our email list.
We encourage you to periodically review this page to stay informed about how we protect your information. The current version number and effective date are displayed at the top of this page and in the site footer.
—– Section 14
Contact Us
If you have any questions, concerns or requests regarding this Privacy Policy or the handling of your personal information, please contact us using the details below. We take every privacy inquiry seriously and commit to responding within 72 hours.
A Note from Us
We are a small, proudly South African food blog — not a corporation with a legal department. We have written this policy as clearly and plainly as we can because we believe you deserve to know exactly how your information is used. If anything in this policy is unclear, please email us and we will explain it in plain English. We are real people who genuinely care about getting this right.