Last updated: 24 May 2026
CrankMart is operated by HLM Holdings (Pty) Ltd, which is the responsible party (data controller) for personal information processed via the Platform. This Privacy Policy explains what we collect, why, how we share it, and your rights — including under the Protection of Personal Information Act, 2013 (POPIA) for users in South Africa.
Account information: name, email address, password (hashed), province, and (for sellers) mobile number. Listing information: photos, descriptions, prices, condition, location of items you list. Transaction information: marketplace transaction records (buyer, seller, listing, amount, state, timestamps). Card details are NOT collected by CrankMart — they are entered directly into TradeSafe's or Stitch's hosted payment pages. Verification information (sellers only, when you complete seller onboarding): full name, South African ID or passport number, mobile number, bank account details (bank, account number, account type), and optionally business registration details. This data is collected via our verification form and immediately forwarded to TradeSafe; we keep only an opaque token reference (not the underlying ID number or bank account number). Technical information: IP address, browser type, device type, pages viewed (used for analytics and security).
• Operate the CrankMart marketplace and directory • Process marketplace transactions through TradeSafe and boost payments through Stitch • Facilitate communication between buyers and sellers (via our messaging system; your email is never shared with other users) • Send transactional emails (account verification, order confirmations, payout notifications, dispute updates) • Comply with legal obligations including FICA (Financial Intelligence Centre Act) record-keeping for payment transactions • Detect and prevent fraud, abuse, and platform misuse • Improve the Platform
We use the following third parties to operate CrankMart. Each is bound by data-protection contracts and processes data only for the purposes set out below: • TradeSafe Escrow (Pty) Ltd — marketplace escrow + seller KYC. Receives buyer and seller PII (names, contact, ID, banking) necessary to operate escrow and pay sellers. Regulated under SA financial-services law. • Stitch Money (Pty) Ltd — boost payment processing. Receives transaction amount and buyer reference for payment routing. No long-term storage of card details (PCI-compliant). • Resend / xneelo — transactional email delivery. • Vercel Inc. — application hosting (EU region for SA users). • Neon Inc. — managed Postgres database (EU region). • Sentry — application error monitoring (PII filtered from error reports). • Upstash — rate-limiting cache. We do not sell your personal information to advertisers or data brokers.
Your display name and general location (city/province) are visible on listings you post and on your public seller profile. Your email address is never shared with other users — all communication goes through our messaging system. Your ID number, banking details, and other verification data are NEVER shared with other users. Phone number visibility (opt-in): if you choose to enable "Show my phone number on my listings" in your profile, signed-in viewers can tap a button on your listing detail page to reveal your number. Reveal requests are rate-limited (20 per viewer per 24 hours) and logged with the viewer's identity for abuse detection. You can switch this off at any time from your profile, after which past viewers retain whatever number they already saw but no new reveals are issued.
• Account data: kept while your account is active; deleted within 30 days of account closure unless retention is required by law. • Transaction records (marketplace + boost): retained for at least 5 years from the transaction date in compliance with FICA record-keeping requirements. • Messaging history: retained for 2 years from the last message. • Webhook + payment event logs (encrypted): retained for 5 years per FICA. • Analytics + access logs: retained for 12 months. When you close your account, we anonymise or delete personal data unless a legal hold applies.
Data is stored on servers with encryption at rest (AES-256) and in transit (TLS 1.2+). Passwords are hashed with bcrypt and never stored in plain text. ID numbers and full bank account numbers are NEVER stored in our database — only opaque tokens issued by TradeSafe. Webhook bodies that contain PII are encrypted before storage. Access to production data is restricted to a small number of authorised engineers and audited.
CrankMart uses cookies for authentication, session management, country routing, and basic analytics. We do not use third-party advertising or cross-site tracking cookies.
You have the right to: • Access the personal information we hold about you • Correct inaccurate information (most fields are editable in your account) • Request deletion of your account and associated data (subject to legal retention requirements) • Withdraw consent to marketing communications at any time (unsubscribe link in every marketing email) • Lodge a complaint with the Information Regulator if you believe we have mishandled your data To exercise any of these rights, contact privacy@crankmart.com.
CrankMart is primarily aimed at users in South Africa. Some processing may occur in the European Union (Vercel + Neon hosting infrastructure). By using the Platform, you consent to your data being processed in these jurisdictions, which provide protections substantially equivalent to POPIA.
CrankMart is not intended for use by anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has registered an account, contact us at privacy@crankmart.com and we will remove it.
We may update this Privacy Policy as the platform evolves or to reflect changes in law. Material changes will be notified by email and/or via an in-product banner.
For privacy-related queries: privacy@crankmart.com. For data-protection complaints (SA Information Regulator): https://inforegulator.org.za