The GDPR applies to any organisation that processes personal data of individuals in the European Union, regardless of where the organisation is based. As a South African company with global users, TeboaTech takes GDPR compliance seriously and has built its platform with privacy as a foundation, not an afterthought.
1. What is the GDPR?
The General Data Protection Regulation (EU) 2016/679 is the world's most comprehensive data protection law. It came into effect on 25 May 2018 and sets out strict rules for how organisations collect, use, store, and share personal data belonging to individuals in the European Union.
Key principles under the GDPR include lawfulness and transparency in processing, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. TeboaTech operates according to all of these principles.
Non-compliance with the GDPR can result in fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. We take our obligations seriously.
2. Our Role Under the GDPR
Under the GDPR, the entity that determines the purposes and means of processing personal data is called the Data Controller. The entity that processes data on behalf of a controller is called the Data Processor.
TeboaTech as Data Controller
TeboaTech (Pty) Ltd acts as a Data Controller for the personal information of:
- Teboa platform users and account holders
- Visitors to teboatech.com who submit contact forms
- Individuals who communicate with us directly
TeboaTech as Data Processor
When you connect your Shopify store to Teboa, we process personal data about your customers (names, email addresses, order history) on your behalf. In this relationship, you are the Data Controller and TeboaTech is the Data Processor. You are responsible for ensuring you have the lawful basis to share your customers' data with our platform.
3. Lawful Basis for Processing
The GDPR requires every act of processing personal data to have a valid lawful basis. TeboaTech processes personal data under the following legal grounds:
Contract Performance
Processing necessary to deliver the Teboa platform to subscribed users, including account creation, billing, and service delivery.
Consent
Where you have explicitly agreed to processing, such as signing up for marketing communications or enabling optional analytics features.
Legitimate Interests
Processing for platform security, fraud prevention, abuse detection, and service improvement, where our interests do not override your rights.
Legal Obligation
Processing required to meet our obligations under applicable law, including tax, financial reporting, and regulatory requirements.
4. Your Rights Under the GDPR
If you are located in the European Union, you have the following rights regarding your personal data. We will respond to all requests within 30 days at no charge.
To exercise any of these rights, email us at privacy@teboatech.com. We will acknowledge your request within 3 business days and respond in full within 30 days.
5. Data We Collect and Why
Account and Platform Data
- Name and email address — to create and manage your account
- Business name and Shopify store URL — to connect your store and deliver the service
- Billing information — processed through our payment provider for subscription management
- Usage data and logs — to improve platform performance and resolve technical issues
Shopify Store Data (Processed on Your Behalf)
- Order data, customer names and email addresses, product data, and store metrics
- This data is processed solely to deliver the Teboa service to you
- It is never used for our own marketing, shared with third parties, or used to train AI models
Website Analytics
- Anonymised traffic data collected via Google Analytics
- Session recordings and heatmaps via Microsoft Clarity (anonymised)
- You can opt out of analytics at any time
6. International Data Transfers
TeboaTech is a South African company. When we use services from providers based outside South Africa or the EU, personal data may be transferred internationally. We use the following safeguards to ensure these transfers comply with GDPR Article 46:
- Standard Contractual Clauses (SCCs) approved by the European Commission with each relevant provider
- Data Processing Agreements (DPAs) with Firebase (Google), Vercel, Anthropic, and other processors
- Adequacy decisions where applicable to the destination country
Our Key Processors and Their Locations
- Firebase (Google LLC) — United States. DPA and SCCs in place. Google Privacy Policy
- Anthropic (Claude AI) — United States. DPA in place. Anthropic Privacy Policy
- Vercel Inc. — United States. DPA and SCCs in place. Vercel Privacy Policy
- Shopify Inc. — Canada (adequacy decision). Shopify Privacy Policy
7. Data Retention
We keep personal data only for as long as necessary for the purpose it was collected or as required by applicable law:
- Active account data — retained for the duration of your subscription
- Cancelled account data — retained for 30 days after cancellation to allow recovery, then permanently deleted
- Shopify store data — deleted within 30 days of disconnecting your store
- Contact and support data — retained for up to 12 months
- Financial records — retained for 7 years as required by applicable tax law
When data reaches the end of its retention period, it is securely and permanently deleted from our systems and from all third-party processors who hold it on our behalf.
8. Security Measures
We implement appropriate technical and organisational measures as required by GDPR Article 32 to ensure a level of security appropriate to the risk:
- TLS 1.2 or higher encryption for all data in transit
- AES-256 encryption for all data at rest via Firebase
- Complete workspace isolation at the database layer
- Role-based access controls limiting internal access to production data
- Regular security reviews and incident response procedures
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights.
9. Cookies and Tracking
Our website uses the following technologies that may involve processing personal data:
- Essential cookies — strictly necessary for the platform to function. No consent required.
- Analytics (Google Analytics) — used with your consent. You can opt out at any time using the Google Analytics Opt-out Add-on.
- Session recording (Microsoft Clarity) — anonymised heatmaps and session data. No personally identifiable information is recorded.
We do not use advertising cookies, retargeting pixels, or any tracking technology that profiles you for third-party advertising purposes.
10. Data Protection Officer
While TeboaTech is not legally required to appoint a formal Data Protection Officer under the GDPR at our current scale, we have designated a responsible person to handle all data protection matters and ensure GDPR compliance across the organisation.
Data Protection Contact
11. Supervisory Authority
If you are located in the European Union and believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority.
You can find your national supervisory authority through the European Data Protection Board: edpb.europa.eu
We always encourage you to contact us directly first at privacy@teboatech.com so we have the opportunity to resolve your concern. We respond to all privacy queries within 3 business days.
12. Changes to This Notice
We may update this GDPR Compliance notice from time to time as our platform evolves or as legal requirements change. When we make material changes, we will update the date at the top of this page and notify active users by email at least 14 days before changes take effect.
GDPR Queries and Requests
For any GDPR-related questions, data subject requests, or concerns, contact us directly.
Email: privacy@teboatech.com
Company: TeboaTech (Pty) Ltd, Reg No: 2025/516299/07
We will acknowledge within 3 business days and respond in full within 30 days.