Loading…
Loading…
We use cookies to improve your experience and analyse site traffic. By clicking Accept, you consent to analytics cookies. You can also . See our Privacy Policy for details.
Last updated: 2026-05-05
Parts Corp (Pty) Ltd ("Parts Corp", "we", "us", "our") operates the Parts Corp online storefront for the supply of genuine OEM replacement parts for commercial foodservice and beverage equipment. Parts Corp is registered and operates in the Republic of South Africa.
This Privacy Policy describes how we collect, use, disclose, and retain your personal information when you access or use our website and services. It applies to all visitors, registered customers, and franchise account holders. It is written to comply with the Protection of Personal Information Act 4 of 2013 ("POPIA") and, where applicable to data subjects in the European Economic Area, the General Data Protection Regulation 2016/679 ("GDPR").
By using our website you acknowledge that you have read and understood this policy.
Parts Corp has designated an Information Officer as required by POPIA s.55 and consistent with the GDPR Art. 37 contact point obligation. You may contact the Information Officer for any privacy-related enquiry, access request, or complaint:
We collect the following categories of personal information:
Name, email address, phone number, and a password hash (we never store your plaintext password). Collected when you register or update your account.
Billing and shipping addresses, line items, order totals, and franchise tier metadata (where applicable). Collected when you place an order.
Payment is processed by Paystack. Parts Corp does not store card numbers, expiry dates, or CVV/CVC codes. We receive only a transaction reference and payment status from Paystack.
IP address, user-agent string, country (resolved from the x-vercel-ip-country header), session and authentication cookies, and the cache-isolation cookie (_medusa_cache_id) used to isolate tier pricing between sessions. This data is collected automatically as a necessary part of operating the website.
If you consent to analytics cookies, we collect first-party usage data via Vercel Analytics and Vercel Speed Insights. This includes aggregated page views, web vitals, and IP-class (not full IP) data. No cross-site tracking or advertising identifiers are used.
We process personal information only where we have a lawful basis under POPIA s.11 and (where GDPR applies) Art. 6:
| Activity | Lawful basis (POPIA s.11 / GDPR Art. 6) |
|---|---|
| Account creation, order processing | Performance of contract |
| Email + transactional notifications | Performance of contract |
| Cookie-isolated tier pricing | Legitimate interest |
| Analytics cookies (Vercel Analytics / Speed Insights) | Consent |
| Marketing emails | Consent |
| Fraud + abuse prevention (rate limiting, Turnstile) | Legitimate interest |
| Legal + tax retention of orders (Companies Act, VAT Act) | Legal obligation |
We engage the following third-party processors to operate our service. Each processor is bound by data processing agreements and is only permitted to use your data as instructed by Parts Corp:
| Processor | Purpose | Data location |
|---|---|---|
| Medusa (self-hosted on AWS) | Backend / orders / customer data | AWS af-south-1 |
| Vercel | Storefront hosting / analytics | Global edge |
| Paystack | Payment processing | NG / ZA |
| Cloudinary | Product image CDN | Global edge |
| Cloudflare R2 + AWS S3 | Asset storage | EU + AWS regions |
| Cloudflare Turnstile | Bot protection | Global edge |
Some processors operate on global edge networks (Vercel, Cloudinary, Cloudflare) meaning your request data may be processed in data centres outside South Africa, including in the European Union, the United States, and the Asia-Pacific region. Paystack processes payment data in Nigeria and South Africa. Our primary Medusa backend and order data reside on AWS af-south-1 (Cape Town), and our AWS S3 buckets are configured to their designated regions.
Where personal information is transferred outside of South Africa, Parts Corp takes reasonable steps to ensure that the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection, as required by POPIA s.72. For transfers to countries that are parties to adequacy decisions (e.g. EU under GDPR), we rely on those adequacy determinations. For other transfers, we rely on contractual safeguards and the legitimate operational necessity of using these globally distributed infrastructure providers to deliver the service.
We retain personal information only for as long as is necessary for the purpose for which it was collected, or as required by applicable law:
| Category | Retention |
|---|---|
| Order records | 5 years (Companies Act + VAT Act) |
| Customer account (post-deletion) | 30-day soft-delete window |
| Marketing consent | Until withdrawn |
| Operational logs | 90 days |
| Analytics data (if consented) | 25 months |
Under POPIA s.23/24 and (where applicable) GDPR Art. 15–22, you have the following rights in relation to your personal information:
To exercise any of these rights, contact the Information Officer at privacy@partscorp.co.za. We will respond within 30 days.
We use the following cookies. Strictly-necessary and functional cookies cannot be disabled as they are essential to the operation of the website. Analytics cookies are opt-in only and set only with your consent.
| Name | Purpose | Lifetime |
|---|---|---|
| _medusa_jwt | Stores your authentication token to keep you signed in. | Session / 7 days |
| _medusa_cart_id | Identifies your shopping cart across page navigations. | 30 days |
| _medusa_cache_id | Namespaces the server-side data cache so franchise tier pricing cannot leak between sessions on shared connections. | 30 days |
| _medusa_country_code | Stores your resolved country / region code to route you to the correct storefront locale. | Session |
| Name | Purpose | Lifetime |
|---|---|---|
| _pc_login_flash | One-shot cookie set on login to trigger the tier-badge animation on the next render; cleared immediately after display. | Single request |
| _pc_consent | Stores your cookie consent preferences (accepted / declined categories). | 12 months |
| _pc_order_confirm | Prevents duplicate display of the order confirmation screen if you refresh the confirmation page. | Session |
| Name / service | Purpose | Lifetime |
|---|---|---|
| Vercel Analytics | First-party page view analytics — aggregated, no cross-site tracking. | 25 months |
| Vercel Speed Insights | First-party Core Web Vitals measurement — aggregated, no cross-site tracking. | 25 months |
You can manage your cookie preferences at any time via the Cookie settings link in the footer.
The Parts Corp website and services are not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If you believe that we have inadvertently collected personal information from a person under 18, please contact the Information Officer at privacy@partscorp.co.za so that we can delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. Where changes are material, we will notify you by email (to the address associated with your account) or by displaying a prominent banner on the website. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.
For any questions, access requests, or complaints relating to this Privacy Policy or the processing of your personal information, please contact us:
Parts Corp (Pty) Ltd
[Postal address — TODO(legal): confirm and insert registered address]
Information Officer: [Name — TODO(legal): confirm and insert]
Email: privacy@partscorp.co.za
Complaints about our handling of personal information may also be lodged with the Information Regulator of South Africa at inforegulator.org.za.
For a full copy of our Terms & Conditions, please visit the linked page.