Privacy policy
1. Who we are
Roots and Rituals (Pty) Ltd t/a Ancient Roots ("we", "us", "our") operates the website ancientroots.co.za and the online store shop.ancientroots.co.za (together, the "Services"). We are the responsible party for your personal information under the Protection of Personal Information Act, 2013 (POPIA).
Responsible party: Roots and Rituals (Pty) Ltd t/a Ancient Roots
Address: Tramway House, Woodstock, Cape Town, WC, 7935, South Africa
Email: orders@ancientroots.co.za
This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, and your rights. It applies to all interactions with the Services, including browsing the website, placing an order, contacting us, and clicking on our advertisements.
2. Personal information we collect
Depending on how you use the Services, we may collect or process the following categories of personal information:
| Category | Examples | When collected |
|---|---|---|
| Identity & contact | Name, email address, phone number, delivery address | When you place an order, contact us, or sign up for updates |
| Order & transaction | Items purchased, order value, payment method (last 4 digits only), shipping selection | When you complete a purchase |
| Payment | Card details processed by our payment provider; we do not store full card numbers | At checkout |
| Communication | Email content, contact form submissions, support enquiries | When you contact us via email or the website contact form |
| Technical | IP address, browser type, device identifiers, operating system, referring URL | Automatically when you visit the Services |
| Usage | Pages viewed, time on site, products viewed, cart activity, click patterns | Automatically via cookies and similar technologies |
| Advertising identifiers | Meta click ID (fbclid), Meta browser ID (_fbp), and similar identifiers from advertising platforms | When you arrive via an advertisement or browse the Services |
We collect personal information directly from you (when you provide it) and automatically (when you use the Services). We do not knowingly collect special personal information (e.g. health, religious belief, biometric data) unless you voluntarily provide it in a communication with us.
3. How we use your personal information
We use your personal information for the following purposes:
- To provide the Services: process and fulfil orders, send order confirmations, manage delivery, handle returns, provide customer support.
- To operate our business: maintain our website, secure the Services against fraud and abuse, comply with legal obligations (tax, accounting, regulatory).
- To communicate with you: respond to enquiries, send transactional emails (order updates, shipping notifications), and — only with your consent — send marketing communications.
- To measure and improve advertising: track which advertisements led to website visits and purchases; build audiences for similar advertising; report on advertising performance.
- To improve the Services: analyse aggregate usage patterns to improve product pages, checkout flow, and content.
We rely on the following lawful bases under POPIA: performance of a contract (orders), our legitimate interests (security, fraud prevention, advertising measurement, business analytics), your consent (marketing communications, optional cookies), and compliance with legal obligations.
4. Cookies and similar technologies
We and our service providers use cookies, pixels, and similar technologies to operate the Services and measure advertising effectiveness. The main categories are:
| Cookie / identifier | Set by | Purpose | Duration |
|---|---|---|---|
_fbp | Meta Pixel (via Google Tag Manager) | Identifies your browser to Meta to attribute visits to our advertisements | 90 days |
_fbc | Meta Pixel (via Google Tag Manager) | Stores the Meta click ID (fbclid) when you arrive from a Meta advertisement, used for attribution | 90 days |
_shopify_* (multiple) | Shopify | Shopping cart, checkout state, store analytics | Session to 1 year |
| Cart and session cookies | Shopify | Maintain your cart and session during checkout | Session |
| Google Tag Manager container | Google LLC | Loads our analytics and advertising tags | Session |
We do not currently display a cookie consent banner because we operate from South Africa, where POPIA does not require granular cookie opt-in for non-sensitive analytics and advertising cookies (unlike the EU's ePrivacy Directive). You can disable cookies through your browser settings; doing so may affect how the Services function (for example, your shopping cart may not persist).
5. Who we share your personal information with
We share personal information only with service providers who help us operate the Services. They are contractually bound to use it only for the purposes we instruct.
| Recipient | Role | Personal information shared | Location |
|---|---|---|---|
| Shopify International Limited | E-commerce platform; order processing, checkout, customer accounts | All order and account information | Ireland / international |
| Yoco Technologies (Pty) Ltd | Payment processing for South African card payments | Cardholder name, card details, transaction amount | South Africa |
| Meta Platforms Ireland Limited | Advertising delivery and measurement (Meta Pixel, Conversions API) | Hashed email, hashed phone, hashed name, hashed address (where available); event details (page views, products viewed, cart actions, purchases); IP address; browser identifiers | Ireland / United States |
| Google LLC | Tag management (Google Tag Manager) | IP address, browser identifiers, page interactions | United States |
| Sanity.io (Sanity AS) | Content management for the marketing website | No customer personal information; product and editorial content only | European Union |
| Vercel Inc. | Hosting of the marketing website | IP address, request logs, browser type | United States / global edge network |
| Zoho Corporation | Email hosting for our @ancientroots.co.za mailboxes (support, order communications) | Contents of emails sent to or from us, including any personal information you include | International (varies by region) |
| Klaviyo, Inc. | Email marketing platform; newsletter signups, opt-in confirmation, and marketing email delivery | Email address, subscription status, consent records, and email engagement data (opens, clicks) | United States |
We will also share personal information when required by law, court order, or to protect our legal rights, or in connection with a sale, merger, or restructuring of our business (in which case we will notify you).
We do not sell personal information.
6. Advertising and Meta Pixel / Conversions API
We advertise on Meta's platforms (Facebook and Instagram). To measure whether our advertisements lead to purchases — and to build audiences of people similar to our existing customers — we use two Meta technologies:
- Meta Pixel: a small piece of code on our website that records page views, product views, add-to-cart actions, and checkout starts in your browser, and sends them to Meta along with browser identifiers (
_fbp,_fbc). - Conversions API (CAPI): when you complete a purchase, our server sends Meta a copy of the purchase event along with hashed versions of your email, phone, name, and address. Hashing means the data is irreversibly transformed before being sent — Meta uses it to match the purchase to a Meta user account if one exists, but cannot read your original details from the hash.
Meta uses this information to attribute purchases to specific advertisements, optimise advertising delivery, and build "lookalike" audiences. Meta is an independent controller of the data once received, and processes it according to its own Data Policy.
You can opt out of Meta-personalised advertising via your Meta account settings or by using browser-level controls and ad blockers.
7. Cross-border data transfers
Although we currently sell only to customers in South Africa, several of our service providers (notably Meta, Google, Vercel, Sanity, Shopify, Zoho, and Klaviyo) process personal information outside South Africa, including in the United States, the European Union, and other jurisdictions.
In accordance with POPIA section 72, we ensure that such transfers are made only to recipients who are subject to laws, binding corporate rules, or binding agreements that uphold protections substantially similar to POPIA, or where the transfer is necessary for the performance of a contract with you, or with your consent.
8. Data retention
We retain personal information only for as long as we need it for the purposes described in this Policy or as required by law:
- Order records: retained for at least 5 years to comply with South African tax and accounting law.
- Marketing data: retained until you unsubscribe or object, or up to 3 years of inactivity, whichever is sooner.
- Website analytics and advertising identifiers: retained for up to 2 years.
- Support communications: retained for 2 years from the date of the last interaction.
When personal information is no longer needed, we delete or anonymise it.
9. Security
We take reasonable technical and organisational measures to protect your personal information against loss, unauthorised access, alteration, and disclosure. These include encryption in transit (HTTPS), access controls, and using reputable service providers who maintain industry-standard security.
No internet transmission or storage system is completely secure. While we work hard to protect your information, we cannot guarantee absolute security.
10. Your rights under POPIA
You have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct information that is inaccurate, irrelevant, excessive, out of date, incomplete, or misleading.
- Deletion: ask us to delete information we no longer have a lawful basis to hold.
- Objection: object to processing of your information for direct marketing or where we rely on legitimate interests.
- Withdrawal of consent: withdraw consent at any time where processing is based on consent (this does not affect prior lawful processing).
- Lodge a complaint: lodge a complaint with the Information Regulator (see Section 12).
To exercise any of these rights, email us at orders@ancientroots.co.za. We will respond within a reasonable time and may need to verify your identity before acting on the request.
11. Children's information
The Services are not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Information Officer and complaints
Information Officer: Delon O'Donnell, Managing Director
Email: orders@ancientroots.co.za
Postal address: Tramway House, Woodstock, Cape Town, WC, 7935, South Africa
If you are unhappy with how we have handled your personal information or a request to exercise your rights, you can lodge a complaint with the South African Information Regulator:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
PO Box 31533, Braamfontein, Johannesburg, 2017
Email (general enquiries): inforeg@justice.gov.za
Email (POPIA complaints): POPIAComplaints@inforegulator.org.za
Website: https://inforegulator.org.za
13. Changes to this Privacy Policy
We may update this Policy from time to time. The revision date at the bottom of this Policy reflects the most recent version. Material changes will be communicated via email or a prominent notice on the Services where required by law. Continued use of the Services after a change indicates acceptance of the updated Policy.
14. Contact
For any questions about this Privacy Policy or our privacy practices, contact us at orders@ancientroots.co.za.
Last updated: 14 May 2026
