
Privacy Policy

Effective 1 May 2026. Operated by TheShop.mu Ltd.

TheShop.mu — operated by TheShop.mu Ltd

  • This Privacy Policy — how we handle your personal data.
  • [Terms of Service](https://theshop.mu/terms) — the general agreement between you and us.
  • [Checkout & Payment Terms](https://theshop.mu/checkout/terms) — the rules of the payment step, including how Peach Payments handles card data.
  • [Returns, Refunds & Cancellation Policy](https://theshop.mu/refunds) — cancellations, returns and refunds.

1. Who we are (the data controller)

Roma Lane, Riche Terre 11701, Mauritius

Email: contact@theshop.mu

Phone: +230 5250 6006 / +230 253 7611

1.1 Our Data Protection Officer

Email: contact@theshop.mu (subject line: **"DPA Request"**)

Post: DPO, TheShop.mu Ltd, Roma Lane, Riche Terre 11701, Mauritius

1.2 Our registration

2. What personal data we collect

2.1 What you give us directly

  • Identity and contact data: name, surname, email address, mobile phone number, delivery and billing addresses, and (for age-restricted items) date of birth.
  • Account data: username, password (stored only as a salted hash — we never see the plain text), profile preferences, language preference, substitutions preference.
  • Order and transaction data: items ordered, quantities, dates, slot, delivery instructions, invoices, proof of delivery, returns and refund records.
  • Payment confirmation data: the result of your payment (success, failure, refund), the last four digits of your card, the card brand (Visa, Mastercard, etc.), the Peach Payments transaction reference, the 3-D Secure authentication record, and the merchant descriptor. We do not store full card numbers, CVVs or PINs — these are entered directly on Peach Payments' PCI-DSS Level 1 certified checkout page.
  • Identification documents where required for age-restricted purchases or corporate-credit applications: a scanned ID card or passport (collected solely for verification, see Section 7 retention).
  • Corporate-credit application data: company name, BRN, VAT, beneficial owners (for AML purposes under FIAMLA), bank account, trade references, financial statements.
  • Communications: the content of messages you send us (email, WhatsApp, in-app chat, phone calls — calls to our customer-service line may be recorded for quality and training purposes, with notice at the start of the call).
  • User-generated content: product reviews, ratings, recipe submissions, photos you choose to share, referral and loyalty activity.

2.2 What we collect automatically

  • Device and connection data: IP address, browser type and version, operating system, device identifiers, screen size, referrer URL, language, time zone.
  • Usage and behavioural data: pages visited, time on page, products viewed, items added to and removed from your cart, abandoned carts, search queries, click-stream within the Site, scroll depth.
  • Cookie and similar-technology data: see Section 4.
  • Location data: approximate location derived from your IP address; precise location only where you explicitly grant the browser or app permission (used to suggest delivery zones and pickup points).
  • Voice search: if you tap the microphone in the search bar and grant your browser permission, your device’s built-in speech recognition converts what you say into a text search query. The audio is processed by your browser (which, on some browsers such as Chrome, may transmit it to the browser vendor’s speech service); we receive only the resulting text, the same as if you had typed it, and we store no audio.

2.3 What we receive from third parties

  • Peach Payments and our acquiring bank: payment outcome, fraud signals, chargeback and dispute notifications, 3-D Secure authentication record.
  • Delivery partners, where any leg of delivery is fulfilled by a third party: pickup confirmation, route status, proof of delivery.
  • Marketing platforms (with your consent): referral signups from social media, advertising-attribution data where you arrived from a paid ad.
  • Public registers, for corporate-credit checks: BRN data from the Companies Division, sanctions screening against UN, EU and Mauritian sanctions lists.
  • Other third parties where you have authorised them to share with us (e.g. linking a loyalty account from a partner).

2.4 Special categories of personal data

  • Allergen and dietary preferences (e.g. "halal", "vegan", "gluten-free", "diabetic") that you set in your profile are treated by us as preferences, not as health or religion data. If you do not wish us to process such preferences, leave them blank.
  • Pharmacy-related orders (over-the-counter medicines, supplements) are necessarily linked to health. For prescription medicines, where applicable, the prescription remains with the dispensing pharmacist; we process only the order metadata required to dispatch, not the clinical content of the prescription. We rely on the limited exception in Section 29 of the DPA 2017 for the purpose of providing healthcare services, and we limit ourselves to the minimum data necessary for that purpose.

3. Why we process your data, and our lawful bases

| # | Purpose | Categories of data | Lawful basis |
| --- | --- | --- | --- |
| 1 | Creating and securing your account | Identity, contact, account, device | Contract performance |
| 2 | Accepting and fulfilling your orders (picking, packing, delivery, pickup) | Identity, contact, address, order, payment confirmation, delivery records | Contract performance |
| 3 | Processing payments and refunds, including with Peach Payments and the acquiring bank | Order, payment confirmation, device, IP, transaction history | Contract performance; legal obligation under the Banking Act and payment-scheme rules |
| 4 | Fraud prevention, AML screening, chargeback defence | Identity, contact, device, IP, transaction history, sanctions-screening result | Legitimate interest in protecting against fraud; legal obligation under FIAMLA |
| 5 | Providing customer service and handling complaints | Identity, contact, order, communications | Contract performance; legal obligation under the Consumer Protection Act 1991 |
| 6 | Meeting tax, accounting and VAT obligations | Identity, order, invoice, payment confirmation | Legal obligation under the Income Tax Act, the VAT Act and the Companies Act |
| 7 | Sending service-related notices (order confirmations, delivery updates, payment receipts, refund references) | Identity, contact, order | Contract performance |
| 8 | Sending marketing emails, SMS and push notifications | Identity, contact, behavioural | Consent (you can opt out at any time) |
| 9 | Running loyalty (FreshPoints), referral and promotional programmes | Identity, contact, referral, order | Contract performance; legitimate interest in retention |
| 10 | Improving and personalising the Site (recommendations, search ranking, A/B tests, non-essential analytics) | Behavioural, device, account, order | Legitimate interest in product improvement; consent for non-essential analytics cookies |
| 11 | Operating AI and machine-learning features (recommendations, halal classification, product summaries, customer-service routing) | Behavioural, order, communications, AI-generated derivatives | Legitimate interest; consent where the feature uses content from your account directly |
| 12 | Complying with court orders, regulatory requests, and exercising or defending legal claims | As required by the matter | Legal obligation; legitimate interest |
| 13 | Corporate transactions (sale of the TheShop business, restructuring, financing) | All categories, on a need-to-know basis under NDA | Legitimate interest; contract performance for the post-transaction continuation |

4. Cookies and similar tracking technologies

4.1 Categories

  • Strictly necessary — session, authentication, cart, checkout, fraud prevention, load balancing, security headers. These are exempt from consent because the Site cannot function without them.
  • Functional — remember your language, currency, theme, substitutions preference, recent searches. Set with your consent where required.
  • Analytics — measure how the Site is used, page-load performance, error rates, conversion funnels. Set only with your consent.
  • Marketing / personalisation — measure ad performance, attribute referrals, personalise offers, retarget on third-party platforms. Set only with your consent.

4.2 Consent

4.3 Re-prompt

4.4 The current cookie list

4.5 Do Not Track

5. Who we share your data with

5.1 Payment processing

  • Peach Payments (Pty) Ltd — South Africa-based payment processor licensed under the relevant card schemes; processes our card and online-wallet transactions. Their own privacy notice is available at https://www.peachpayments.com/privacy.
  • The acquiring bank — a licensed Mauritian commercial bank that settles card transactions into our merchant account.
  • The card schemes — Visa, Mastercard, American Express and Diners — for authorisation, settlement, dispute and chargeback handling.
  • Wallet operators — MCB Juice, blink by Emtel, MauCAS — for direct-wallet transactions, where you choose to pay with a wallet.

5.2 Fulfilment

  • Our own drivers and warehouse staff — to pick, pack and deliver your order.
  • Third-party delivery partners, where any leg of delivery is fulfilled externally — currently we use our own fleet primarily; any third party we engage will appear in the cookies page and in the customer-facing tracking experience.

5.3 IT and infrastructure

  • Our cloud hosting and ERP provider — for hosting the Site and our order-management system. International transfers are covered in Section 6.
  • Our application-monitoring provider — for error monitoring, using pseudonymised user IDs and stack traces.
  • Email and transactional messaging providers — for order confirmations, delivery updates, password resets.
  • Customer-service tooling — for ticketing, chat history and (where you are told at the start of a call) call recording.

5.4 AI tooling

5.5 Professional advisors

  • Auditors, lawyers, accountants, tax advisors, insurance brokers — under duties of confidentiality, where their work requires access to specific personal data.

5.6 Authorities and law enforcement

  • The Mauritius Revenue Authority (MRA) — for tax compliance, VAT returns, audit responses.
  • The Mauritius Police Force — in response to a lawful request, or where we report a crime.
  • The Financial Intelligence Unit (FIU) — for suspicious-transaction reporting under FIAMLA.
  • The Mauritius Data Protection Office — in connection with a complaint, an audit or a breach notification.
  • The Independent Commission Against Corruption (ICAC) — in response to a lawful request.
  • The courts of Mauritius — in response to a court order.
  • Foreign authorities — only where a Mauritian court has given effect to the foreign authority's request, or where Section 36 of the DPA 2017 otherwise permits.

5.7 Corporate transactions

6. International transfers

6.1 Our DPA 2017 obligations

  • the recipient country provides an adequate level of protection (e.g. the EU under the GDPR, the UK under UK GDPR);
  • we put standard contractual clauses in place equivalent to the DPA 2017's protections;
  • the transfer is necessary for performance of the contract with you, or for a legal claim; or
  • you have given explicit consent to the transfer after being informed of the risks.

6.2 What we have in place

  • Peach Payments (South Africa): South Africa has the Protection of Personal Information Act (POPIA), broadly equivalent to the DPA 2017; we additionally have a data-processing agreement with Peach.
  • Other international processors: standard contractual clauses or the equivalent contractual safeguards required by the DPA 2017, supplemented by the vendor's own certifications (for example under the EU-US Data Privacy Framework) where applicable.

7. How long we keep your data

| Category | Retention period | Source of obligation |
| --- | --- | --- |
| Account data (active accounts) | For the life of the account, plus 12 months after closure to allow recovery and dispute resolution | Legitimate interest |
| Order and transaction records, invoices, receipts | 7 years from the end of the tax year of the transaction | Income Tax Act, VAT Act, Companies Act |
| Payment records and AML records | 7 years from the end of the business relationship | FIAMLA 2002 — Section 17F |
| Identification documents collected for AML or age verification | 7 years from the end of the business relationship | FIAMLA 2002; legitimate interest |
| Customer-service correspondence | Up to 3 years from the last interaction | Legitimate interest, defence of legal claims |
| Call recordings of customer-service calls | 6 months, then deleted | Legitimate interest, customer-service training |
| Marketing consents and preferences | Until you withdraw consent or unsubscribe, plus a record of the withdrawal for accountability | DPA 2017 Section 24 |
| Cookie-consent records | Until you change them, refreshed every 12 months | DPA 2017 Section 24 |
| Analytics data (pseudonymised) | 14 months, then aggregated or deleted | Legitimate interest |
| Application error logs | 90 days | Legitimate interest |
| CCTV at the warehouse and at delivery handovers | 30 days, then overwritten; longer only where retained for an open incident | Legitimate interest, defence of legal claims |
| Driver app GPS traces, delivery photos, signed delivery sheets | 90 days for routine deliveries; 7 years where attached to an order that is part of a dispute or a tax record | Legitimate interest; FIAMLA where applicable |
| Records of data-subject requests under Section 10 | 3 years from the last activity on the request | DPA 2017 Section 22 (duties of controller — accountability) |

8. How we protect your data

  • HTTPS / TLS 1.2+ encryption for all traffic between your device and our servers and between us and our suppliers;
  • password hashing with industry-standard algorithms; we never store plain-text passwords;
  • PCI-DSS Level 1 tokenisation of card payments through Peach Payments — your full card number never touches our systems;
  • 3-D Secure 2 authentication on every card transaction, mandatory under our merchant policy;
  • role-based access controls with the principle of least privilege; quarterly access reviews;
  • audit logs for sensitive actions in the admin, retained for one year minimum;
  • two-factor authentication for staff accounts that touch customer data, payment, or order modification;
  • encrypted backups with regular restore tests;
  • patching and vulnerability monitoring on all production systems;
  • staff training on data protection, phishing, social engineering — annual refresh and onboarding modules;
  • vendor due diligence before engaging a processor with access to personal data; signed data-processing agreements with each processor;
  • CCTV at the warehouse and at controlled doors, with signage at every camera position.

8.1 Breach notification

  • notify the Data Protection Office within 72 hours of becoming aware of the breach (Section 25 DPA 2017);
  • notify you directly without undue delay where the breach is likely to result in a high risk to your rights — typically by email, SMS or in-product notification, with a description of what happened, what data was affected, what steps to take, and the contact point at our DPO;
  • keep a written record of every breach (whether or not notifiable) for audit and accountability purposes;
  • cooperate fully with any investigation by the Data Protection Office or by law enforcement.

9. Your rights under the DPA 2017

| Right | What it means | Reference |
| --- | --- | --- |
| Right of access | To obtain confirmation that we process your personal data, and to receive a copy of that data, free of charge, within one month of a written request. | DPA 2017 Section 37 |
| Right to rectification | To obtain rectification of inaccurate or incomplete personal data concerning you, without undue delay. | DPA 2017 Section 39 |
| Right to erasure ("right to be forgotten") | To request that personal data concerning you is erased without undue delay where the continued processing is not justified. We comply except where we have a legal obligation to retain (e.g. tax records — see Section 7) or a need for the defence of legal claims. | DPA 2017 Section 39 |
| Right to restrict processing | To request that processing of your personal data is restricted where the accuracy of the data is contested, or where you require it for a legal claim, among other grounds. | DPA 2017 Section 39 |
| Right to object | To object, in writing and at any time and free of charge, to processing of your personal data, including processing for direct marketing. We will stop unless we can show compelling legitimate grounds for the processing which override your interests, rights and freedoms. | DPA 2017 Section 40 |
| Right to withdraw consent | At any time, where we process on the basis of consent. Withdrawal does not affect lawful processing carried out before withdrawal. | DPA 2017 Section 24 |
| Right not to be subject to a measure based solely on automated processing | Where a measure affecting you is based on profiling by automated processing (e.g. an automated fraud-decline at checkout), you have the right not to be subject to it on that basis alone and to ask for human review. | DPA 2017 Section 38 |
| Right to be informed about a personal data breach affecting you | Where a breach is likely to result in a high risk to your rights and freedoms, you must be told without undue delay. | DPA 2017 Section 26 |
| Right to lodge a complaint | With the Data Protection Office (Section 13 below) or in the Mauritian courts. | DPA 2017 Section 6 (investigation of complaints) |

10. How to exercise your rights

  • Email contact@theshop.mu with the subject line "DPA Request".
  • Tell us which right you want to exercise, and (if applicable) which data or which processing it applies to.
  • For your protection, we may ask you to verify your identity — usually by confirming details against the account, occasionally by ID document where the request is sensitive (erasure of an active account, copy of a full data set).
  • We will respond within 30 days. Where the request is complex, we may extend by a further 60 days under Section 35(2) of the DPA 2017, telling you of the extension and the reason.
  • The first response is free. For repeat requests or excessive requests, we may charge a reasonable fee under Section 35(3).
  • If you are unhappy with our response, you may complain to our DPO (Section 1.1), or to the Mauritius Data Protection Office (Section 13).

11. Children

12. Automated decisions and AI

  • Product recommendations and search ranking — these are personalised but the difference between a personalised result and a generic result is not, in our view, a "decision affecting you legally or similarly significantly" within the meaning of Section 38 of the DPA 2017. You may opt out of personalisation in your account preferences, in which case we serve a generic ranking.
  • Halal-classification labels — these are AI-assisted but reviewed by humans before being published; you may report an incorrect classification through the product page.
  • Customer-service routing and auto-suggested replies — these classify and route inbound messages, but every reply is sent by a human agent. You may ask for human handling from the start of any conversation.
  • Automated fraud-decline at checkout — where our risk system or Peach Payments' risk system declines a transaction, you may ask for human review under Section 38 of the DPA 2017 by emailing customerservice@theshop.mu. Human review will be carried out within 5 business days.

13. Contact us and the Data Protection Office

13.1 Us

| Topic | Contact |
| --- | --- |
| DPA requests (access, erasure, rectification, etc.) | contact@theshop.mu — subject "DPA Request" |
| General privacy questions | contact@theshop.mu |
| Suspected data breach affecting you | contact@theshop.mu — subject "Breach" |
| Cookie / consent matters | https://theshop.mu/cookies or the footer link |
| Post | DPO, TheShop.mu Ltd, Roma Lane, Riche Terre 11701, Mauritius |
| Phone | +230 5250 6006 / +230 253 7611 |

13.2 The Mauritius Data Protection Office

5th Floor, SICOM Tower

Wall Street, Ebène 72201

Mauritius

Email: dpo@govmu.org

Phone: +230 460 0251

Web: https://dataprotection.govmu.org

14. Changes to this Policy

  • Cosmetic and clarifying changes (typos, layout, vendor name updates, contact details) take effect on publication.
  • Material changes that affect your rights — for example, a new processing purpose, a new category of data, a new processor, a new international transfer, or a change to the retention table — take effect 14 days after publication, and we will notify registered customers by email at least 14 days in advance. Where the change is material, you will be re-prompted for consent at your next visit for any processing that depends on consent (marketing, non-essential cookies, AI features).
  • Where a material change is required by law, by a regulator's order, or by a security incident, and must take effect sooner than 14 days, the change will take effect on the date required, and we will notify customers as soon as practicable.

15. Governing law

End of Policy — version 1.1, 27 May 2026.

This Policy was drafted in English. A French translation will be published alongside for the convenience of French-speaking customers, in line with our bilingual customer-service practice. In the event of any inconsistency between the two language versions, the English version prevails for legal purposes.