Privacy Policy


  1. Introduction
  2. CandyBird (“CandyBird”) acknowledges and supports consumer rights and the right to privacy. Accordingly, our customers’ privacy and trust are extremely important to us! We will ensure that personal information (“information”) is collected and handled in a transparent and lawful manner in alignment with the Protection of Personal Information Act, 2013 (“POPIA”).

    It is important that you read this Statement carefully before submitting any information to CandyBird:

    • By submitting any information to CandyBird, you provide consent to the processing of your personal information as set out in this Statement.
    • The provisions of this Statement are subject to mandatory, unalterable provisions of applicable laws;
    • Please do not submit any information to CandyBird if you do not agree to any of the provisions of this Statement. If you do not consent to the provisions of this Statement, or parts of the Statement, CandyBird may not be able to provide its products and services to you.

    We respect privacy, we promise:

    • To implement reasonable computer (logical), physical and procedural (process) safeguards to protect the security and confidentiality of the information we collect
    • To limit the information collected to the minimum required to provide better services and/or products or meet our other goals
    • To permit only properly trained, authorised employees to access information
    • Not to disclose your information to external parties unless we are required or permitted by law to do so, and authorised by our Information Officer.
    1. Purpose
    2. CandyBird offer a wide range of products and services, including but not limited to in-store services, digital offerings, a loyalty programme, and value-added services. This Statement explains how we use the information we collect from you when you use our products and/or services. By using our products and/or services and/or by providing information to us, you agree to the information being processed as set out in this Statement. This Statement also:

      • sets out the types of information that we collect;
      • explains how and why we collect and use your information;
      • explains whom we share your information with; and
      • explains the rights and choices you have when it comes to your information
      • explains how to contact us or the relevant authorities

      Some parts of our business may need to collect and use personal information to provide you with their products and services. In most cases they will refer to this Statement, but you must also read their specific terms and conditions. CandyBird websites or mobile apps may contain links to websites operated by other organisations that have their own privacy policies. Please make sure you read their terms and conditions and privacy policies carefully before providing any personal information on other websites as we do not accept any responsibility or liability for other organisations. We provide these links merely for your convenience. We have no control over, do not review, and are not responsible for third party sites, their content, or any goods or services available through these sites.

    3. Scope
    4. In this Statement, “CandyBird”, “us”, “our” or “we” refers to one or more of the companies in the CandyBird Group that operate in South Africa. Whilst our franchisees generally use our systems and we have written agreements in place with them to comply with law, this Statement does not necessarily reflect the individual practices of our franchisees as they are their own legal entities.

    5. Legislation and Regulations
    6. This Statement is subject to the laws of the Republic of South Africa, in particular POPIA and the Consumer Protection Act, 2008 (“CPA”), as well as other relevant data protection legislation. Any dispute arising will, to the extent permitted by law, first be attempted to be settled internally and, if this is not possible, be referred to arbitration at a venue to be determined by us applying the Uniform Rules of the High Court of South Africa.

    7. Information Collection

    To register or make use of CandyBird programs and services such as our Website, Services, Modules, etc., you are required to provide us with your personal information including but not limited to your South African ID number or passport number (for non-South African citizens), name, surname, contact information and other personal details.

    You may provide personal information to us either directly or indirectly (through a person acting on your behalf), by completing an application form for our products and services or requesting further information about our products and services, whether in writing, through our website, over the telephone or any other means.

    We only collect information that is reasonably necessary for our business functions and activities and related purposes. The type of information we collect and hold, will depend on the purpose for which it is collected and used. Where possible, we will inform you what information you are required to provide to us and what information is optional. The information we process is typically to provide you with the goods and services you want to buy and help you with any services and refunds you may ask for, to manage and improve our day-to-day operations, to manage and improve our loyalty program, websites and mobile platforms with the aim of improving your customer experience.

    We may also collect your personal information from a person acting on your behalf, any regulator, or other third party that may hold such information.

    You agree to give accurate and current information about yourself to CandyBird and to maintain and update such information when necessary. To improve the accuracy of our data and get to know our customers better, we may enrich it from other third parties, including credit bureaus.

  3. Services in Collaboration with business partners
  4. CandyBird have various partnerships and we also provide various goods and services. To deliver these goods and services, varying levels of information are required to be processed, including information obtained from or shared with relevant external business partners (local and/or abroad) to verify against, or facilitate the goods or services offered by the business partner. When you agree to the CandyBird and/or business partner’s terms and conditions, it allows us to share the relevant information to facilitate the product or service being rendered to you.

    Note that some of our products may require you to provide additional information directly to a business partner of ours. In such instances, CandyBird process this information on the business partner’s behalf and as such the relevant business partner remains responsible for protecting this information, not CandyBird. When signing up with one of our business partners, it is important for you to recognise that you are establishing a direct, binding relationship with such a partner under their terms & conditions and related privacy policies and that they would be the responsible party under POPIA.

    1. Persons under 18 years
    2. CandyBird will not knowingly collect any information of persons (minors) under the age of 18 years. Our website and mobile apps, products and services are all directed to people who are at least 18 years old or older.

      If you are under the age of 18 years, you must not provide any information to CandyBird without the consent of your parent or guardian. If you become aware that a “child” has provided their personal information without parental consent, please contact us immediately. If we become aware that a child has provided us with personal information without parental consent, we will take steps to remove the data and cancel the child's account.

    3. Your Account
    4. When signing up for certain CandyBird services, you are required to create a user account. You agree that you will provide accurate information to us and keep it updated, and that you will not create a false identity or an account for anyone other than yourself. It is your responsibility to safeguard your profile’s username and password. This includes that you make use of a strong password and that you do not intentionally or unintentionally divulge it to anybody else. In the event of someone else using your username and password to make changes to your profile or transact on your behalf, you will be held responsible for the changes and the outcome thereof.

      If you suspect its misuse or compromise, you must report this to our Inbox or via web form as soon as possible.

    5. Cookies
    6. A cookie is a piece of information that is deposited on your computer’s hard drive by your web browser when you use our computer server. Most web browsers accept cookies automatically, but you can alter your settings to prevent automatic acceptance. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalised web experience. If you choose not to accept cookies, this may disable some features of our website. Our website also uses push notifications. For further information, please see our Cookies Policy.

    7. Embedded Scripts
    8. An embedded script is a programming code that is designed to collect information about your interactions with the CandyBird website. The code is temporarily downloaded onto your device from our web server or a third-party service provider, is active only while you are connected to our website and is deactivated or deleted thereafter.

    9. Mobile Device Identifiers
    10. Certain mobile service providers uniquely identify mobile devices. CandyBird or our third-party service providers may receive such device information if you access our website or mobile applications through your mobile device when allowing cookies or push notifications. For further information, please see our Mobile Application Policy and Cookies Policy.

    11. Closed-Circuit Television (CCTV)
    12. Closed-Circuit Television (CCTV) images are processed, monitored and recorded for the purposes of crime prevention and detection as well as public safety in our stores and regional support offices. For further information, please see our CCTV Policy.

    13. Transborder Flows

    CandyBird may need to transfer a data subject's information to service providers in countries outside South Africa. These countries may not have data-protection laws which are similar to those of South Africa. Where this is done, CandyBird do so in accordance with applicable laws.

  5. Purpose and Use of Information
  6. CandyBird use your information for the purposes for which it was collected or agreed with you to facilitate the provision of our products and services to you, and for purposes which are within reasonable expectations and where permitted by law.

    Examples of information collected from you or other sources and processed by CandyBird are detailed below (which is not an exhaustive list) and linked to the purpose thereof.

    • ID number / passport number (which you consent we may collect from credit bureaus and/or other aggregators) - to identify you as a unique person on our database and for us to validate who you are when you want to change your profile details or resolve queries related to your subscription, transactions or database. We also use this to inform segmentation analytics to provide benefits including targeted birthday, pensioner or other life stage-relevant offers. We are also required to process this information where required by law or to facilitate the registration of an external service or product you have signed up for.
    • Biometric information – to facilitate the self-RICA process
    • Unique Identifiers – we may collect other unique identifiers such as account or other numbers, for the purpose of sharing them with other entities in our group and business partners to do data matching if we are legally permitted to do so. We may also collect unique identifiers such as user IDs and passwords.
    • Contact information - to facilitate essential support, communications as well as better customise our offering to you, including:
      • In support of facilitating required activities for services and programs you have chosen to participate in i.e.: OTPs, invoices, statements, deliveries, etc;
      • Send information regarding services and programs via direct marketing i.e. new benefits, clubs or partners as well as inform you of promotions or deals;
      • Process the delivery or return of products from or to our offices
      • Send or serve you targeted advertising across social media, other digital media platforms and physical post;
      • Contact you where you may have won a competition / draw that you have entered;
      • Request your feedback and opinion in the form of surveys, opinion polls or focus groups, should you wish to participate;
      • Contact you in relation to Customer Careline feedback, customer complaints or other feedback you wish to give us where you agree to us contacting you.
      • Employment applications and related correspondence.
    • Any additional information relating to you that you provide to us directly through the website, mobile apps or indirectly through use thereof, offline or online, through our representatives or otherwise.
    • About your computer – collect statistical data such as IP address, operating system and browser type including browser actions and patterns to present content in the most effective manner.
    • Inform segmentation or analysis based on your transaction history for use by our internal commercial team as well as vendors / suppliers and business partners to serve relevant content or offers. We may do this for use and disclosure of the de-identified or pseudonymised information to determine preferences and shopping patterns.
    • We may also disclose detailed information with our business partners to assist them in marketing products and services as governed by this Statement and the related service’s specific terms and conditions as well as the business partner’s Privacy Policy, Notice or Statements.
    • Share information with 3rd (third) parties as an outsourced function, with the purpose of communicating to you and/or facilitating (operating) the subscribed service(s).

    We may also use your information for the following reasons:

    • complying with statutory and regulatory requirements in respect of the storage and maintenance of documents and information;
    • providing customer service and assessing customer complaints;
    • detecting and preventing fraud and money laundering and/or in the interest of security and crime prevention;
    • assisting in law enforcement, fraud investigations, anti-money laundering and counter-terrorist financing initiatives;
    • providing you with the services, products or offerings you have requested, and notifying you about important changes to these services, products or offerings;
    • managing your account or relationship and complying with your instructions or requests;
    • operational, marketing, auditing, legal and record keeping requirements;
    • recording and/or monitoring your telephone calls and electronic communications to/with CandyBird in order to accurately carry out your instructions and requests, to use as evidence and in the interests of crime prevention;
    • conducting market research and providing you with information about CandyBird’s products or services from time to time via email, telephone or other means (for example, events);
    • where you have unsubscribed from certain direct marketing communications, ensuring that we do not send such direct marketing to you again;
    • disclosing your personal information to third parties like manufacturers, promotion sponsors and Brand owners (in which case we will have agreements in place to secure the confidentiality of Your Personal Information) for reasons set out in this Statement or where it is not unlawful to do so;
    • monitoring, keeping record of and having access to all forms of correspondence or communications received by or sent from CandyBird or any of its employees, agents or contractors, including monitoring, recording and using as evidence all telephone communications between you and CandyBird;
    • improving or evaluating the effectiveness of CandyBird's business or products, services or offerings;
    • conducting internal investigations; and
    • prevention and control of any disease.
  7. Direct Marketing and Opting Out
  8. If you are an existing customer, we may communicate with you based on the preferences as selected by you in relation to products or services you have signed up for. This may include making contact via telephone, email, sms, social media and other channels about products and/or services which may be of interest to you. If you are not considered to be a customer, we will obtain your consent to opt-in to direct marketing.

    You may opt-out (free of charge) from receiving future promotional information or direct marketing from CandyBird by either unsubscribing to the specific communications you receive by replying to the email or via sms, accessing the online preferences portal or contacting support at

  9. Retention and Destruction of Information
  10. Information that CandyBird collects is kept in a form which permits your identification for no longer than is necessary to honour your choices, to fulfil the purposes for which it was collected and processed in each specific case, and in any case not longer than as specified by the relevant applicable laws unless we have your consent to process it indefinitely.

    CandyBird will retain your information after you have closed your account where reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, enforce our agreement, or fulfil your request to “unsubscribe” from further messages from us.

    We may retain de-identified, anonymised or pseudonymised information after your account has been closed using techniques that do not permit your re-identification. If none of the afore-mentioned scenarios apply, CandyBird will permanently delete (electronic) and shred (paper) the information after the purpose of collecting it has expired.

  11. Information Preservation and Protection
  12. CandyBird will take reasonable steps to protect the information we collect, hold and process from misuse, loss and from unauthorised access, modification or disclosure. We hold information both at our own premises and with the assistance of our service providers.

    This is based on the information security principles of Confidentiality, Integrity, Availability and Privacy (CIAP) as governed by our Information Security Policy. This sets out CandyBird’s objectives and general approach to information security, which aims to protect CandyBird’s business information and safeguard any personally identifiable information within our custody. We seek to achieve the following 5 key objectives as it relates to Information Security:


    Improve the security culture through continuous education and awareness


    A focused, risk-based approach to protect assets and information


    Comply to the legal and regulatory requirements (local and international)


    Balance the need for protection with effective detection and response


    Integrate security into business decisions through ownership and leadership

    Because no data transmission over the internet is completely secure, and no IT system of physical or electronic security is impenetrable, we cannot guarantee the security of the information you send to us or the security of our servers or databases. Having noted that, we do take every reasonable step within our control to protect your information and preserve the accuracy thereof. Quality of information means that the information we use must be appropriate, complete and reliable. The higher the data quality we maintain, the better the service we can render.

  13. Information Disclosure
  14. Notwithstanding anything to the contrary in this Statement, CandyBird reserve the right to disclose any information about you if we are required to do so by law, and if we believe that such action is necessary to: (a) fulfil a government request; (b) conform with the requirements of the law or legal process; (c) protect or defend our legal rights or property, our website, or other users; or (d) in an emergency to protect the health and safety of our website’s users or the general public.

    Authorised CandyBird employees or agents will have access to some or all your information. We may also disclose your information within our group of companies. Such data sharing is governed by our CIAP information security principles and associated practices.

    We do use service providers to provide our services and maintain our systems, including but not limited to maintenance, security, analysis, audit, payments, customer service, marketing and system development. These parties will have access to your information as reasonably necessary to perform these tasks on our behalf (namely role-based access). Where we contract with service providers, and wherever possible, we impose contractual obligations on them to ensure that your information is handled and secured in accordance with law and industry good practice.

    Some of our service providers may be located in other countries that may not have the same levels of protection of information as South Africa. Wherever possible, we try to only use service providers that are located in countries with similar or more stringent levels of protection of information as South Africa. Alternatively, we require that service providers in less stringently regulated countries undertake to protect the information of our customers to the same level that we do.

    Unless you have explicitly consented to this, we will never sell your personal information.

  15. Your Right to Access Information
  16. Depending on which product or service you (as the Data Subject) have signed up for, you can update some of your information via our digital channels. Alternatively, your information can be updated via our Customer Care Line.

    You have the right:

    • free of charge, to confirm with us whether we hold any information about you;
    • at a prescribed fee, which we will give you a written estimate of:
      • to request the record of information held by us;
      • to request a description of the information held by us, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information;
    • to update and correct any out-of-date or incorrect information we hold about you;
    • to destroy or delete a record of information about you which we are no longer authorised to retain; and
    • to update your communication preferences and / or unsubscribe from communications we may send you.

    Before we provide you with access to your information, we may require proof of identity. We may require up to 21 (twenty-one) days to respond to any requests for information. We may refuse to disclose some information in accordance with PAIA.

    If you require CandyBird to delete all your information that we have about you, please also contact our Customer Care Line. Note that you will probably have to terminate all agreements you have with us, as we cannot maintain our relationship with you without at least having some of your information. We may also refuse to delete some of your information if we are required by law to retain it or if we need it to protect our rights.

  17. Information Breach Notification
  18. A security compromise or information breach can be described as a threat to the Confidentiality, Integrity, Availability or Privacy of IT systems and/or information. Such incidents are governed by the CandyBird Security Incident Response process which allows us to deal with the compromise/breach and/or loss in an efficient and effective manner. One of the key pillars of this process is keeping all impacted stakeholders informed and updated.

    When there are reasonable grounds to believe that your information has been accessed, altered, deleted or acquired by any unauthorised person, we will notify the Information Regulator and yourself in cases where your identity can be established. This notification will be done in accordance with the provisions of POPIA and as soon as reasonably possible after the discovery of the compromise, considering the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of our systems.

  19. Amendment of this Statement
  20. We may amend this Statement from time to time for any of the following reasons:

    • to provide for the introduction of new systems, methods of operation, services, products, property offerings or facilities;
    • to comply with changes to any legal or regulatory requirement;
    • to ensure that this Statement is clearer and more favourable to you;
    • to rectify any mistake that may be discovered from time to time; and/or
    • for any other reason which CandyBird, in its sole discretion, may deem reasonable or necessary.

    Any such amendment will come into effect and become part of any agreement you have with CandyBird when notice is given to you of the change by publication on our website. It is your responsibility to check the website often.

  21. Contact Us
    1. CandyBird Information Officer
    2. If you have questions about this Privacy Statement or wish to exercise your rights in terms of access to, correction, or deletion of your information, please contact us via email at who will attempt to resolve your query.

      If unable to, and depending on your situation, our Customer Care Line will explain the process to follow and potentially refer your query to internal subject matter experts.

      Our Information Officer contact details are:


    3. Information Regulator (South Africa)

    Should you believe that CandyBird has utilised information contrary to applicable law, you undertake to first attempt to resolve any concerns with CandyBird. If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator of South Africa.

    The Information Regulator’s contact details are:

    JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

    P.O Box 31533, Braamfontein, Johannesburg, 2017