Privacy policy

Last updated: 30 April 2026

This Privacy Policy explains how Stone and Gray ("we", "us", or "our") collects, uses, shares and protects your personal information when you visit stoneandgray.co.za, place an order, or get in touch with us.

We follow the South African Protection of Personal Information Act 4 of 2013 (POPIA). We aim to use plain language throughout — if anything is unclear, please email us at [email protected] and we'll explain.

1. Who we are

Stone and Gray is a South African online art store, run by Nikki Sandeman from her studio in Hout Bay, Cape Town.

  • Trading name: Stone and Gray
  • Address: 26 Lategan Road, Hout Bay, Cape Town, 7806, South Africa
  • Phone / WhatsApp: +27 76 789 6884
  • Email: [email protected]

2. Information Officer

Our designated Information Officer (the person responsible for privacy matters under POPIA) is Nikki Sandeman. You can reach her at [email protected] with the subject line "Privacy Query" for any questions, requests or complaints about how we handle your information.

3. What we collect

We only collect what we genuinely need to run the business and fulfil your order:

  • Your name, email address, phone number and delivery address — when you place an order or contact us.
  • What you ordered — items, sizes, frame and finish choices, order value.
  • Payment confirmation — we receive a yes/no from our payment provider. We never see or store your full card number; it goes directly to the payment provider.
  • Anything you send us — emails, WhatsApp messages, contact-form messages, and any photos you send for wall-visualisation requests.
  • Basic website data — your IP address, browser, and which pages you viewed. This helps us see how the site is being used and spot problems.
  • Newsletter subscription status — only if you signed up.

4. Why we collect it

Each piece of information has a clear purpose:

  • Your order details and delivery address — so we can make your piece, take payment, and courier it to you.
  • Your email and phone number — so we can send order confirmations, delivery updates, and answer your questions.
  • Newsletter and marketing — only if you've opted in (or you're an existing customer and we're letting you know about similar pieces, with an opt-out in every message).
  • Website analytics — to improve the site and prevent fraud.
  • Tax and accounting records — because South African law requires us to keep them.

If you don't give us your name, address, email and payment details at checkout, we simply can't process your order — that's the only data that's mandatory. Marketing consent is always optional and you can withdraw it any time.

5. Who sees your information

Inside Stone and Gray

Within our team, only the people who actually need it to fulfil your order get to see your details — and they only see what is strictly necessary:

  • Our admin and production team see your name, email address, contact number and delivery address so they can print, frame and finish your order, and prepare a courier waybill.
  • Our courier (The Courier Guy or similar) receives your name, contact number and delivery address on the waybill, so they can deliver your parcel and call you if they can't find the address.

That's it. Our team does not share your phone number with anyone outside the courier and order-fulfilment chain, and we never share your information with third parties for their own marketing.

Service providers we rely on

To run an online store we use a small number of trusted service providers. They only process your data on our instructions and are required to keep it secure:

  • Shopify Inc. — the platform that powers our website and checkout.
  • Our payment provider (e.g. Yoco, PayFast or Shopify Payments) — to process your card or EFT payment securely.
  • Email and order-confirmation services — to send you order confirmations and (if you've opted in) newsletters.
  • Google Analytics and Meta Pixel — to understand how the site is used and (if you've consented) for advertising. These set cookies in your browser; you can refuse them via the cookie banner.
  • Our accountant and (if needed) lawyers — under confidentiality.

We never sell your personal information to anyone.

Legal disclosure

If we are legally required to (for example, by a court order or by SARS), we will share information with the relevant authority. We'll let you know unless we are legally prevented from doing so.

6. Information stored outside South Africa

Some of our service providers (notably Shopify, Google and Meta) store data on servers outside South Africa. POPIA allows this where the recipient country has comparable privacy protection, where it's needed to perform our contract with you, or where you've consented. We've satisfied ourselves that our providers meet these standards.

7. How long we keep your information

  • Order and tax records: 5 years after the last transaction (required by South African tax law).
  • Customer accounts: for as long as your account is active, plus 12 months after.
  • Newsletter subscribers: until you unsubscribe.
  • Customer-service emails: 24 months from your last contact with us.
  • Website analytics: automatically anonymised after 26 months.

After these periods we securely delete or anonymise the data, unless the law requires us to keep it longer.

8. Cookies

Our site uses cookies — small files stored in your browser:

  • Strictly necessary cookies are always on (cart, checkout, security). The site won't work without them.
  • Analytics cookies (e.g. Google Analytics) only run if you accept them on the cookie banner.
  • Marketing cookies (e.g. Meta Pixel) only run if you accept them.

You can change your cookie preferences any time by reopening the cookie banner, or by clearing cookies in your browser settings. Refusing non-essential cookies won't stop you from using the site.

9. Marketing

We will only send you marketing emails or messages if:

  • You have signed up (for example, by ticking a newsletter box), or
  • You're an existing customer and the message relates to pieces similar to those you've bought from us before.

Every marketing message has a clear unsubscribe option. You can also email [email protected] at any time and we'll remove you immediately.

10. Keeping your information safe

We use sensible technical and organisational measures to protect your information:

  • HTTPS encryption across the whole site and at checkout.
  • Payment details go directly to the payment provider — we never see your full card number.
  • Strong passwords and two-factor authentication on all admin accounts.
  • Regular software updates and security checks.
  • Written agreements with our service providers requiring comparable safeguards.

If something does go wrong and your personal information is compromised, we will notify you and the Information Regulator as soon as reasonably possible, as POPIA requires.

11. Children

The site is not directed at children. We do not knowingly collect personal information from anyone under the age of 18 without parental consent. If you think we have inadvertently collected a child's information, please contact us and we'll delete it.

12. Your rights

POPIA gives you a number of rights over your personal information. You can:

  • Ask us what we hold about you, and receive a copy.
  • Ask us to correct or delete information that is wrong, out of date or no longer needed.
  • Object to us processing your information for direct marketing — we'll stop immediately.
  • Withdraw any consent you've given us, at any time.
  • Lodge a complaint with the Information Regulator (see below).

To use any of these rights, email [email protected] with the subject line "Privacy Request". We'll reply within 30 days. We may need to verify who you are before we act on the request, so we don't accidentally share your information with someone else.

13. Automated decisions

We don't make automated decisions about you that have legal or similarly significant effects. A real person handles your order from start to finish.

14. Complaints

If something has gone wrong, please contact us first — we'd much rather sort it out together. If you'd prefer to take it further, you can contact the South African Information Regulator:

15. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will always reflect the most recent change. If the change is significant, we'll let you know by email or a notice on the site.

16. Get in touch

If you have any questions about this policy or how we handle your information, please contact:

  • Nikki Sandeman — Information Officer
  • Stone and Gray, 26 Lategan Road, Hout Bay, Cape Town, 7806, South Africa
  • Email: [email protected]
  • WhatsApp / phone: +27 76 789 6884