POPIA section 21
Sub-processors
Effective 18 May 2026
Draft — pending legal review
This document is a working template based on standard South African consumer-retail and Section 21 cannabis-supply practice. It will be reviewed and signed off by a POPIA- and consumer-law-qualified attorney before public launch.
Under POPIA, Cannabuben (the "Responsible Party") remains accountable for any personal information that is processed on its behalf by an operator (a "Sub-processor"). This page lists every Sub-processor that may handle your personal information when you use Cannabuben, what they do, what we share with them, and where they operate.
We update this page whenever a Sub-processor is added, removed, or materially changes its data handling. The Information Officer maintains the authoritative copy of all operator agreements; see Information Officer for contact details.
1. Active Sub-processors
Sub-processor: PayFast (Pty) Ltd
- Purpose: Card and instant-EFT payment processing. Cannabuben never sees full card numbers.
- Data categories: Name, email, billing address, order total, transaction reference.
- Jurisdiction: South Africa (Western Cape)
- Agreement status: Operator terms accepted via merchant onboarding. POPIA-compliant SA operator.
Sub-processor: Sentry, Inc.
- Purpose: Application error tracking and incident response. Used to find and fix bugs and security issues.
- Data categories: IP address (last octet masked), user-agent, route accessed, redacted error context. PII fields are scrubbed before transmission via Sentry beforeSend hooks.
- Jurisdiction: United States (Delaware) — EU/SA Standard Contractual Clauses apply.
- Agreement status: Data Processing Addendum accepted with Sentry SaaS terms.
Sub-processor: OpenAI, L.L.C.
- Purpose: Editorial hero-image generation for /guides articles (offline batch). No customer data is sent to OpenAI; prompts contain only public-style descriptors.
- Data categories: None. Image-generation prompts contain no personal information.
- Jurisdiction: United States (California).
- Agreement status: API used in offline content-generation scripts only. No customer-facing inference.
Sub-processor: Supabase, Inc.
- Purpose: Authenticated session storage and (legacy) magic-link auth provider. Currently transitioning to in-house auth.
- Data categories: Email address, hashed session token. No payment, ID, or order data.
- Jurisdiction: United States (Delaware) — EU/SA Standard Contractual Clauses apply.
- Agreement status: Data Processing Addendum accepted via Supabase platform terms.
Sub-processor: Resend (Posthog OY)
- Purpose: Transactional email delivery — order receipts, magic-link emails, account notices.
- Data categories: Recipient email address, message subject + body content, send timestamp.
- Jurisdiction: United States (Delaware) / EU.
- Agreement status: Operator terms accepted with Resend platform terms; SCCs apply for cross-border transfer.
Sub-processor: Courier partners (The Courier Guy, Aramex, Fastway)
- Purpose: Order delivery to customer-supplied SA addresses.
- Data categories: Recipient name, delivery address, contact phone number, parcel description (generic — "wellness products").
- Jurisdiction: South Africa.
- Agreement status: Per-shipment instruction under courier standard terms. POPIA-compliant SA operators.
Sub-processor: Docto24 Telemedicine SA
- Purpose: HPCSA-registered practitioner review of Section-21 medical cannabis applications and prescribing.
- Data categories: Clinical questionnaire, identity verification documents, prescribing notes, SAHPRA Section-21 application data.
- Jurisdiction: South Africa.
- Agreement status: Group-controlled operator. Shared POPIA Information Officer and operator agreement.
2. Cross-border data transfers
Where a Sub-processor is located outside South Africa, Cannabuben relies on the cross-border transfer protections in POPIA section 72 — adequate-level laws or contractual safeguards (Standard Contractual Clauses) — together with the operator's own certifications (SOC 2, ISO 27001, GDPR adequacy decisions where applicable). The Information Officer holds the documentation.
3. Changes to this list
When we add a new Sub-processor, this page is updated before the Sub-processor handles any production data. If you have a standing request for a copy of an operator agreement, please email io@cannabuben.co.za.
4. Objecting to a specific Sub-processor
Under POPIA section 11(3), you may object to the processing of your personal information on reasonable grounds. If you object to the use of a specific Sub-processor, contact the Information Officer. We will explain whether that Sub-processor is essential to the service (and therefore the alternative is to discontinue the service) or whether the processing can be limited.
