Privacy Policy

Last updated: 30 May 2026

Who we are

This Privacy Policy describes how CORETRUST TECHNOLOGIES (PTY) LTD (registration number 2025/935641/07), a private company incorporated in the Republic of South Africa on 4 December 2025 ("CoreTrust", "we"), processes personal information when you use the VendorTrust website, mobile applications, and related services (the "Service").

VendorTrust is a verified vendor marketplace operated by CoreTrust. The Service is initially intended for users in South Africa and Zimbabwe.

What we collect

Depending on how you use the Service, we may collect:

Account and profile information — name, username, email address, password (stored in hashed form), business details, profession, location, bio, and profile photo.
Identity and business verification documents — government ID, passport, driver's licence, company registration documents, proof of authority to act for a business, and selfie verification images you upload.
Marketplace and transaction data — listings, bids, cart contents, orders, escrow agreement details, transaction records, reviews, ratings, and trust scores.
Communications — messages and other content you send through in-app messaging.
Device and technical data — device type, operating system, app version, IP address, log data, and push notification tokens when you enable notifications.
Photos and files — images you capture or select from your device for listings, profile photos, or verification (with your permission).
Sign-in with third parties — if you use Google or Facebook sign-in on the web, we receive basic profile information from that provider as permitted by your settings with them.
Cookies and similar technologies — on the website, we use cookies and local storage for authentication, preferences, and security where applicable.

We do not collect payment card or bank account numbers in the current release; integrated payment processing may be limited or unavailable. See our Terms of Service for details.

Mandatory and voluntary information (POPIA)

Mandatory for registration and verification: email, username, password, user type, and identity or business documents we require to verify you. Without these, we cannot create or maintain a verified account.

Voluntary: profile photo, bio, phone number, optional push notifications, and marketing preferences. You may decline optional fields, but some features may not work.

If you do not provide information we reasonably need for verification, fraud prevention, or legal compliance, we may limit features, suspend your account, or decline registration.

Why we use it and lawful basis

We process personal information to:

provide, secure, and improve the Service;
authenticate users and prevent fraud;
facilitate transactions, messaging, and support;
comply with law and respond to lawful requests;
send service-related notices and, where permitted, marketing you can opt out of.

Where the Protection of Personal Information Act, 2013 (POPIA) applies, we rely on lawful grounds including performance of a contract with you, compliance with legal obligations, our legitimate interests (for example security and fraud prevention), and your consent where required (for example optional marketing or certain permissions).

Device permissions

The mobile app may request access to your camera and photo library so you can upload verification documents, profile photos, and listing images. You can decline permission, but some features may not work. Push notifications are optional; if enabled, we store a device push token to deliver alerts about messages, bids, and account activity.

Sharing

We may share information with:

Other users — where the Service requires (for example your public profile, listings, or messages to a counterparty).
Service providers — hosting, email delivery, push notification delivery (for example Expo), fraud prevention, analytics, and customer support tools under contract.
Payment partners — when integrated payment processing is enabled in a future release.
Authorities — when required by law or to protect rights, safety, and security.

Cross-border transfers (POPIA)

We use service providers that may process personal information outside South Africa, including in the United States and European Union, for example:

application hosting (Vercel);
database hosting (MongoDB Atlas);
push notification delivery (Expo);
email delivery (your configured SMTP or transactional email provider);
OAuth sign-in providers (Google, Facebook) when you use them on the web.

Where POPIA applies, we implement appropriate safeguards, including contractual protections with processors and, where relevant, your consent when you create an account and use the Service. Contact us if you need more detail about a specific transfer.

Information Officer and privacy contact

CoreTrust is the responsible party under POPIA. Our designated Information Officer can be reached at info@coretrust.tech (interim contact pending formal registration with the Information Regulator at eservices.inforegulator.org.za).

Retention and security

We retain information for as long as needed to provide the Service, meet legal obligations, resolve disputes, and enforce our agreements. We implement reasonable technical and organisational measures designed to protect personal information.

Your rights

Depending on where you live, you may have rights to access, correct, delete, or restrict certain processing, and to receive information about how we use your data.

If you are in South Africa, POPIA may grant you additional rights, including to:

request access to or correction of personal information we hold about you;
object on reasonable grounds to processing based on our legitimate interests (we will assess your request under POPIA);
opt out of direct marketing by emailing info@coretrust.tech or using unsubscribe options where provided;
lodge a complaint with the Information Regulator at inforegulator.org.za.

To exercise rights, email info@coretrust.tech from the address registered on your account. We may need to verify your identity before responding.

The Service is not directed at children under 18. We do not knowingly collect personal information from children.

Account deletion

If you created a VendorTrust account, you can permanently delete it and associated personal data at any time:

In the mobile app: Settings → Security → Delete account
On the web: Delete account page or Dashboard → Settings → Security
By email: info@coretrust.tech from the address registered on your account

Deletion removes your profile, verification documents, listings, messages, and transaction records from our active systems. We may retain limited information where required by law (for example fraud prevention, dispute resolution, or tax obligations).

Contact

For privacy questions or to exercise your rights, email info@coretrust.tech from the address registered on your account or use the in-app support options.

Privacy Policy

Last updated: 30 May 2026

Who we are

VendorTrust is a verified vendor marketplace operated by CoreTrust. The Service is initially intended for users in South Africa and Zimbabwe.

What we collect

Depending on how you use the Service, we may collect:

Account and profile information — name, username, email address, password (stored in hashed form), business details, profession, location, bio, and profile photo.
Identity and business verification documents — government ID, passport, driver's licence, company registration documents, proof of authority to act for a business, and selfie verification images you upload.
Marketplace and transaction data — listings, bids, cart contents, orders, escrow agreement details, transaction records, reviews, ratings, and trust scores.
Communications — messages and other content you send through in-app messaging.
Device and technical data — device type, operating system, app version, IP address, log data, and push notification tokens when you enable notifications.
Photos and files — images you capture or select from your device for listings, profile photos, or verification (with your permission).
Sign-in with third parties — if you use Google or Facebook sign-in on the web, we receive basic profile information from that provider as permitted by your settings with them.
Cookies and similar technologies — on the website, we use cookies and local storage for authentication, preferences, and security where applicable.

We do not collect payment card or bank account numbers in the current release; integrated payment processing may be limited or unavailable. See our Terms of Service for details.

Mandatory and voluntary information (POPIA)

Voluntary: profile photo, bio, phone number, optional push notifications, and marketing preferences. You may decline optional fields, but some features may not work.

If you do not provide information we reasonably need for verification, fraud prevention, or legal compliance, we may limit features, suspend your account, or decline registration.

Why we use it and lawful basis

We process personal information to:

provide, secure, and improve the Service;
authenticate users and prevent fraud;
facilitate transactions, messaging, and support;
comply with law and respond to lawful requests;
send service-related notices and, where permitted, marketing you can opt out of.

Device permissions

Sharing

We may share information with:

Other users — where the Service requires (for example your public profile, listings, or messages to a counterparty).
Service providers — hosting, email delivery, push notification delivery (for example Expo), fraud prevention, analytics, and customer support tools under contract.
Payment partners — when integrated payment processing is enabled in a future release.
Authorities — when required by law or to protect rights, safety, and security.

Cross-border transfers (POPIA)

We use service providers that may process personal information outside South Africa, including in the United States and European Union, for example:

application hosting (Vercel);
database hosting (MongoDB Atlas);
push notification delivery (Expo);
email delivery (your configured SMTP or transactional email provider);
OAuth sign-in providers (Google, Facebook) when you use them on the web.

Information Officer and privacy contact

Retention and security

Your rights

Depending on where you live, you may have rights to access, correct, delete, or restrict certain processing, and to receive information about how we use your data.

If you are in South Africa, POPIA may grant you additional rights, including to:

request access to or correction of personal information we hold about you;
object on reasonable grounds to processing based on our legitimate interests (we will assess your request under POPIA);
opt out of direct marketing by emailing info@coretrust.tech or using unsubscribe options where provided;
lodge a complaint with the Information Regulator at inforegulator.org.za.

To exercise rights, email info@coretrust.tech from the address registered on your account. We may need to verify your identity before responding.

The Service is not directed at children under 18. We do not knowingly collect personal information from children.

Account deletion

If you created a VendorTrust account, you can permanently delete it and associated personal data at any time:

In the mobile app: Settings → Security → Delete account
On the web: Delete account page or Dashboard → Settings → Security
By email: info@coretrust.tech from the address registered on your account

Contact

For privacy questions or to exercise your rights, email info@coretrust.tech from the address registered on your account or use the in-app support options.

Privacy Policy

Who we are

What we collect

Mandatory and voluntary information (POPIA)

Why we use it and lawful basis

Device permissions

Sharing

Cross-border transfers (POPIA)

Information Officer and privacy contact

Retention and security

Your rights

Account deletion

Contact

Related documents

Privacy Policy

Who we are

What we collect

Mandatory and voluntary information (POPIA)

Why we use it and lawful basis

Device permissions

Sharing

Cross-border transfers (POPIA)

Information Officer and privacy contact

Retention and security

Your rights

Account deletion

Contact

Related documents