Privacy Policy

Higgler — How we handle personal data under the Data Protection Act 2020

1. Who we are

1.1 Higgler is the data controller for personal data processed through higgler.org and related apps, under the Data Protection Act 2020 (“DPA 2020”).

1.2 Privacy contact: [email protected] (subject: Privacy Request).

2. Scope

2.1 This Policy covers:

  • customer and vendor accounts, checkout, and wallet use;
  • KYC and identity verification;
  • card payments via Stripe and CBC ledger transactions;
  • order, delivery, and receipt data;
  • uploads (e.g. product photos) and support or dispute communications;
  • optional linking to companion products where you choose to connect them.

2.2 Stripe, Uber Direct, Kajay, vendors, carriers, and analytics providers may process data under their own policies when you use their services.

3. What we collect

| Category | Examples | Typical context |
|---|---|---|
| Account & identity | Name, email, phone, OTP codes, account IDs | Sign-in, account recovery |
| KYC | Government ID, selfie, business registration, tax IDs | Wallet limits, vendor payouts, compliance |
| Transaction | Orders, subtotal, GCT, tips, delivery, totals, CBC/card method | Checkout, receipts, reconciliation |
| Payment metadata | Stripe tokens/IDs, wallet addresses, fee deductions | Card and CBC settlement |
| Location & delivery | Delivery address, map-picked coordinates | Fulfilment, Uber Direct |
| Vendor catalogue | Listings, images, prices, categories | Marketplace |
| Usage & device | IP, browser, device, logs | Security, fraud prevention |
| Communications | Support, disputes, chargebacks | Customer and vendor service |

We collect only what each feature reasonably needs.

4. Lawful bases (DPA 2020)

We process personal data on one or more of:

  • Contract — accounts, checkout, delivery, and wallet features you request (section 23, performance of contract);
  • Legitimate interests — fraud prevention, platform security, marketplace operation, and service improvement, balanced against your rights;
  • Consent — non-essential cookies, optional marketing, or processing where consent is required;
  • Legal obligation — tax, AML/KYC, court orders, and regulatory duties.

We maintain a processing record for accountability (section 16(2) where registration applies). High-risk processing may be supported by a data protection impact assessment (section 45).

5. How we use personal data

  • provide marketplace, wallet, and checkout;
  • calculate and record GCT and order breakdowns;
  • process card and CBC payments and 2% platform fees;
  • verify identity and manage KYC;
  • arrange delivery and platform-store freight;
  • handle refunds, chargebacks, and vendor payouts;
  • detect abuse and comply with law;
  • enforce our Terms.

We do not sell personal data.

6. Sharing and processors

We may share data with:

  • Stripe, hosting, SMS/OTP, mapping, delivery, and freight partners under contract;
  • vendors to fulfil your orders (name, contact, delivery details as needed);
  • professional advisers and authorities when law requires;
  • successors in a merger or reorganisation, subject to this Policy.

Processors must implement appropriate technical and organisational measures and process only on our instructions.

7. International transfers

Data may be processed outside Jamaica (e.g. cloud hosting, Stripe, US sourcing). Where Part VII of the DPA 2020 applies, we use appropriate safeguards (adequacy, standard contractual clauses, or other permitted mechanisms under Schedule 4).

8. Retention

We keep data only as long as needed for the purposes above, including tax, payment, fraud, and dispute records. Account data is deleted or anonymised within a reasonable period after closure, unless law requires longer retention. Blockchain transaction records may persist on the ledger in pseudonymous or hashed form as part of settlement integrity.

9. Security and breaches

9.1 We use administrative, technical, and organisational measures appropriate to the risk. No system is completely secure. Public-read file endpoints for catalogue images increase exposure if sensitive data is uploaded by mistake.

9.2 If a personal data breach is likely to affect your rights, we will notify the Office of the Information Commissioner and affected individuals as required by section 27 of the DPA 2020, including where applicable within 72 hours of becoming aware of a notifiable breach.

10. Your rights (DPA 2020)

Subject to exceptions in the Act, you may request:

| Right | Section |
|---|---|
| Access | s.6 |
| Rectification | s.7 |
| Erasure | s.8 |
| Restriction | s.9 |
| Data portability | s.10 |
| Objection | s.11 |

Email [email protected] with “Privacy Request” and enough detail to verify your identity. We respond within 30 days, extendable to 60 days where complex.

You may complain to the Office of the Information Commissioner if unsatisfied.

11. Cookies

11.1 Essential cookies support login, checkout, security, and core functions.

11.2 Non-essential analytics or preference cookies, where used, rely on consent via the site banner or settings.

11.3 You may control cookies through browser settings; blocking some cookies may limit checkout or wallet features.

12. Children

The Platform is not directed at persons under 18. We do not knowingly collect children’s personal data. Contact [email protected] to request deletion if you believe we have done so.

13. Changes

We may update this Policy. Material changes will be notified as in the Terms (registered email and/or on-site notice, 30 days where practicable). The effective date appears at the top.

14. Contact

Higgler — [email protected] (Privacy Request, Data Subject Access, Erasure, Complaint, Payment or KYC enquiry).