Privacy Policy

Takealot Connect · Last updated 3 June 2026

Takealot Connect (the “App”, “we”, “us”) is a Shopify application operated by Lucci (lucci.co.za) that synchronises a Shopify store with the Takealot Marketplace. This policy explains what data the App accesses, how we use and protect it, and your rights.

1. Who this applies to

This policy covers personal data the App processes on behalf of Shopify merchants who install it (“Merchants”), including data relating to their customers, and the Merchant’s own account data.

2. Data we access and why

• Merchant account data — store domain, contact email, and the Merchant’s Takealot Marketplace API key. The API key is encrypted at rest (AES-256-GCM) and used solely to communicate with Takealot on the Merchant’s behalf.
• Store & product data — products, variants, SKUs, inventory levels, prices and unit costs, used to synchronise stock and pricing with Takealot.
• Order & customer data — when a Takealot order is imported into Shopify, the App creates a Shopify order. Importantly, the Takealot Marketplace API does not expose real buyer names, emails or addresses. The App therefore creates a placeholdercustomer (“Takealot {region} Customer”) with a no-reply email and the public Takealot distribution-centre address as the shipping address. The App does not collect, receive or store real end-buyer personal information. The protected customer fields (name, email, address) we are granted are used only to write this placeholder onto the order.
• Sales & financial data — sales, fees, transactions and returns from Takealot, used for reconciliation and reporting to the Merchant.

3. How we use data

We use data solely to provide the App’s functionality: order import, stock and price synchronisation, financial reconciliation, low-stock alerts, and the Merchant’s own emailed reports. We process the minimum data required for these purposes and limit our use to them.

4. Storage and security

• Data is hosted on Railway and stored in PostgreSQL, encrypted at rest (including backups).
• The Takealot API key is additionally encrypted with AES-256-GCM before storage.
• All data in transit is protected with TLS/HTTPS.
• Access to production data is restricted to the App’s automated processes; we do not browse or export Merchant customer data. Strong authentication is enforced on all administrative accounts, and access is logged.
• Development and testing use a separate database from production.

5. Data sharing

We do not sell personal data. We share data only with the service providers necessary to operate the App, each acting solely to provide their service:

• Takealot Marketplace — the integration the Merchant has authorised.
• Resend — to deliver the Merchant’s own report emails to the Merchant.
• Railway — cloud hosting and database.

6. Retention and deletion

We retain data only as long as needed to provide the App. When a Merchant uninstalls the App we delete their account and data (via Shopify’s shop/redact webhook). We also honour Shopify’s customers/data_request and customers/redact webhooks; because we store no real buyer personal information, these requests are acknowledged accordingly.

7. Your rights

Merchants and their customers may request access to, correction of, or deletion of personal data. Merchants can remove all data by uninstalling the App, or contact us for any request at admin@lucci.co.za.

8. Compliance

We process personal data in accordance with applicable data-protection laws, including the EU GDPR and South Africa’s POPIA.

9. Changes

We may update this policy from time to time; the “Last updated” date reflects the current version.

10. Contact

Lucci · admin@lucci.co.za · lucci.co.za