Privacy Policy

Last updated: 20 April 2026

This policy explains what personal information DS Styling Car Wash collects about you, why we collect it, how we use and protect it, and the rights you have over your information under the Protection of Personal Information Act, 4 of 2013 (“POPIA”). We’ve tried to write this in plain English - if anything is unclear, email us and we’ll walk you through it.

1. Who we are

DS Styling Car Wash (“DS Styling”, “we”, “us”, “our”) operates a hand car wash and detailing service in Johannesburg. In this policy, “you” means a customer or website visitor.

We are the responsible party for the personal information we collect about you, as that term is defined in POPIA.

  • Legal entity: [TO BE CONFIRMED BY CLIENT - e.g. DS Styling Car Wash (Pty) Ltd, registration number YYYY/NNNNNN/07, or sole proprietorship trading as DS Styling Car Wash]
  • Physical address: Witkoppen Road, Johannesburg, Gauteng [to be completed with full address + suburb + postal code]
  • Email: privacy@dsstyling.co.za
  • Phone: +27 [to be completed]

2. Information Officer

POPIA requires us to designate an Information Officer who is accountable for our compliance. Ours is:

Our Information Officer is registered with the Information Regulator of South Africa, as required by POPIA.

3. What personal information we collect

We only collect information we actually need to run the car wash and manage your relationship with us. The categories below are a complete list - if we ever need something new, we’ll ask you first.

  • Identity & contact: your first and last name, phone number, email address.
  • Account details: your hashed password, sign-in timestamps, two-factor authentication state (for staff), and session identifiers.
  • Vehicle details: number plate, make, model, and vehicle size (used for pricing).
  • Wash history: date and time of each wash, service chosen, add-ons applied, price paid, payment method, and the staff member who logged it.
  • Loyalty data: your cycle number, current stamp count, lifetime wash count, and redemption history.
  • Consents: whether you gave POPIA consent and whether you opted in to marketing messages, and when you did so.
  • Notes: free-text notes our staff may add about your vehicle or preferences (e.g. “prefers no-fragrance interior spray”).
  • Device & usage data: IP address, browser user-agent, and basic diagnostic events when you use the website.

We do not collect special personal information (race, health, religion, political opinion, biometrics, etc.), and we do not ask for your ID number, banking details, or credit-card numbers. Payments for washes happen in person or through third-party processors - the card details never touch our systems.

4. How we collect it

  • Directly from you when you sign up online, fill in a walk-in QR form on-site, book a service, or speak to our staff in person.
  • Automatically via our website (cookies and basic device telemetry - see section 12).
  • From our staff when they log a wash you’ve just had, or update your loyalty balance.

5. Why we use your information

We use your information for the following specific purposes:

  • To provide the service you asked for (wash, detail, loyalty stamp, reward redemption).
  • To manage your account (sign-in, password changes, two-factor authentication for staff).
  • To keep an accurate record of the washes you’ve had, so you can check them and so we can administer your loyalty rewards.
  • To contact you about a wash, a reward, a service change, or anything you’ve explicitly asked us about.
  • To send you marketing messages (specials, new services, loyalty boosts) - only if you’ve opted in via the consent toggle on your profile. You can turn this off at any time.
  • To improve our service (e.g. knowing which services are popular) using aggregated, de-identified data.
  • To comply with our legal obligations (tax records, audit requirements, law-enforcement requests if validly made).
  • To detect and prevent fraud, abuse of our loyalty program, or unauthorised access.

We will not use your personal information for any other purpose without telling you and, where required, asking for your consent.

6. Our lawful basis under POPIA

POPIA requires us to have a lawful basis for every use of your information. Ours are:

  • Consent - for marketing messages and for optional features you choose to enable.
  • Performance of a contract - you agreed to our Terms of Service when you signed up or booked a wash; we need your information to actually deliver the service.
  • Legitimate interest - for running the business (security logging, fraud prevention, audit), always balanced against your privacy interests.
  • Legal obligation - where a law requires us to keep records (e.g. SARS / tax).

7. Who we share your information with

We do not sell your personal information. We share it only with service providers (called “operators” under POPIA) who help us run the business. Each of them has contractual obligations to protect your data and to use it only on our instructions.

  • Supabase (Supabase, Inc.) - our database provider. Hosts the customer, vehicle, wash, and loyalty records.
  • Vercel (Vercel Inc.) - hosts our website and handles web requests.
  • Resend (Resend Inc.) - sends our transactional emails (account verification, password reset, loyalty notifications).
  • Better Auth - open-source authentication library that runs on our servers; it does not transmit data off our infrastructure.
  • Professional advisers - auditors, legal counsel, and insurers, strictly on a confidential basis.
  • Authorities - if a valid court order, subpoena, or lawful request is issued, we will comply. We will not disclose data beyond what the request specifically requires.

We will update this list if we add or change a service provider.

8. Cross-border transfers

Some of our service providers (Supabase, Vercel, Resend) store or process data outside South Africa - typically in the European Union or the United States. POPIA allows this if the destination country has comparable privacy laws, the operator binds itself contractually to adequate safeguards, or you’ve consented.

We rely on contractual safeguards (the standard data-processing agreements offered by each provider) which require them to apply POPIA-equivalent protections to your data wherever they process it. You can ask us for a copy of these agreements.

9. How long we keep your information

We keep your personal information only as long as we need it for the purpose we collected it for, unless a longer retention is required by law. In practice:

  • Customer profile - while your account is active, and for 3 years after you ask us to close it, so we can defend against any late claim or dispute. After that we anonymise or delete.
  • Wash + loyalty history - 5 years from the date of the last wash, to meet SARS / accounting record-keeping obligations. Loyalty data is anonymised thereafter.
  • Audit logs - 2 years, for security and accountability.
  • Authentication sessions - automatically expired after 7 days of inactivity; password-reset tokens expire within 1 hour.

If you ask us to delete your account (see section 11), we honour that request and only retain the minimum we’re legally required to keep, clearly flagged as “closed”.

10. How we protect your information

We take the security of your data seriously. Our safeguards include:

  • HTTPS encryption in transit and encryption at rest by our database provider.
  • Passwords hashed with industry-standard algorithms (scrypt); never stored in plain text.
  • Compulsory two-factor authentication (TOTP) for administrative staff accounts.
  • Role-based access control - staff only see the data they need for their role.
  • An append-only audit log of every change to a customer, wash, or loyalty record - with actor, timestamp, and before/after state - so we can detect and investigate any misuse.
  • Regular patches and dependency updates on our server infrastructure.
  • A documented breach-response plan. If a breach occurs that is likely to result in harm to you, we will notify you and the Information Regulator as soon as reasonably possible, as required by POPIA s22.

No system is perfectly secure. If you believe your account has been compromised, email privacy@dsstyling.co.za immediately and we’ll help you secure it.

11. Your rights under POPIA

You have the following rights over your personal information. We will respond to any request within 30 days (POPIA’s reasonable-time standard) and there is no charge for exercising most of these rights.

  • Right to be notified of what we collect and why - this policy is our primary notification.
  • Right of access - you can ask us for a copy of the personal information we hold about you.
  • Right to correction - if your information is wrong, tell us and we’ll fix it. Most fields you can fix yourself from your profile page.
  • Right to deletion - you can ask us to delete your information. We will honour this unless we’re legally required to keep specific records.
  • Right to object - you can object to any processing of your information. Marketing objections are actioned immediately.
  • Right to withdraw consent - where we rely on consent, you can withdraw it at any time. For marketing, flip the switch on your profile page.
  • Right to restriction - you can ask us to stop processing (but keep) your information while a dispute is pending.
  • Right to data portability - we’ll provide your data in a commonly-used, machine-readable format on request.
  • Right to lodge a complaint with the Information Regulator (see section 15).

To exercise any of these rights, email privacy@dsstyling.co.za. We may need to verify your identity before we action the request to make sure we’re disclosing the information to the right person.

12. Cookies and local storage

Our website uses a small number of cookies and similar storage, all strictly necessary to run the service:

  • Session cookies to keep you signed in securely (HTTP-only, SameSite=Lax).
  • Theme preference stored in local storage so the app remembers whether you chose light or dark mode.

We do not use advertising cookies, third-party analytics cookies, or cross-site trackers. If we ever add analytics, we’ll update this policy and, where required, ask for your consent first.

13. Children

Our service is not intended for children under 18 (the age of majority in South Africa). We do not knowingly collect personal information from children. If you believe we have collected information from a child, email privacy@dsstyling.co.za and we will delete it.

14. Changes to this policy

We may update this policy as our business, our technology, or the law changes. When we make a material change, we’ll update the “Last updated” date at the top of this page and - for meaningful changes - notify you by email to the address on your account.

15. Complaints to the Information Regulator

If we haven’t resolved a privacy concern to your satisfaction, you have the right to complain to the Information Regulator of South Africa:

We hope you’ll talk to us first so we can resolve things quickly - but this right is always yours.

16. Contact us

Privacy questions, access requests, corrections, or complaints - privacy@dsstyling.co.za, or post to our physical address at the top of this policy.