Privacy Policy & POPIA Compliance
Last updated: May 3, 2026 | Compliant with South African POPIA, EU GDPR, and global privacy standards
1. Introduction
Synthetic DJ ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our website and purchase our music. We comply with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa, as well as the EU General Data Protection Regulation (GDPR) and other applicable international privacy laws.
Responsible Party: Synthetic DJ / Zenith Frequency Audio
Contact: syntheticdj@qrmagic.co.za
2. What Information We Collect
We only collect information necessary to provide our services:
- Account Information: Name, username, email address, password (encrypted)
- Transaction Data: Purchase history, payment confirmation, download tokens
- Contact Information: Messages sent via our contact form
- Technical Data: IP address, browser type, device information (for security and analytics)
- Session Data: Login sessions stored securely on our server (not shared)
We do not collect or store your credit card details or banking information. All payments are processed securely by PayFast, our PCI-DSS compliant payment partner.
3. How We Use Your Information
We use your personal information strictly for the following lawful purposes:
- To create and manage your user account
- To process and fulfill your purchases
- To send you download links and purchase confirmations
- To respond to your inquiries and support requests
- To maintain platform security and prevent fraud
- To comply with legal obligations (tax, accounting, law enforcement requests)
We never sell your personal information to third parties. We never use your data for targeted advertising.
4. Legal Basis for Processing (POPIA & GDPR)
Under POPIA and GDPR, we process your data based on:
- Contractual necessity — to fulfill your purchase and provide access to your downloads
- Consent — when you create an account and agree to these terms
- Legitimate interest — for platform security, fraud prevention, and analytics
- Legal obligation — for tax records and regulatory compliance
5. Data Sharing & Third Parties
We share limited data only with:
- PayFast — for secure payment processing. PayFast receives your name, email, and transaction amount. View their privacy policy at payfast.co.za/privacy-policy.
- Web Hosting Provider — for server infrastructure and security. They do not access your data.
- Law Enforcement — only when legally required by a valid court order or subpoena.
6. Data Security
We take data security seriously:
- Passwords are hashed using bcrypt with cost factor 12
- All database queries use parameterized statements to prevent SQL injection
- CSRF tokens protect all forms against cross-site request forgery
- Database files and logs are blocked from public access via .htaccess rules
- Download tokens expire after 7 days to prevent unauthorized sharing
- Sessions are stored server-side in a secured directory
- HTTPS encryption protects data in transit
7. Data Retention
We retain your personal information only as long as necessary:
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Transaction records: Retained for 5 years to comply with South African tax law (Tax Administration Act).
- Contact form submissions: Retained for 1 year for customer service purposes.
- Server logs: Retained for 90 days for security monitoring.
8. Your Rights (POPIA & GDPR)
As a data subject, you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you.
- Right to Correction: Request that we correct inaccurate or incomplete data.
- Right to Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Right to Object: Object to the processing of your data for specific purposes.
- Right to Withdraw Consent: Withdraw your consent at any time.
- Right to Lodge a Complaint: File a complaint with the Information Regulator of South Africa at justice.gov.za/inforeg.
To exercise any of these rights, email us at syntheticdj@qrmagic.co.za with the subject line "Data Subject Request". We will respond within 30 days.
9. Cookies & Tracking
We use only essential cookies necessary for the functioning of our platform:
- Session Cookie: Maintains your login state while you browse. Deleted when you close your browser.
- CSRF Token Cookie: Protects form submissions from cross-site attacks.
We do not use tracking cookies, analytics cookies, or advertising cookies. We do not use Google Analytics, Facebook Pixel, or any third-party tracking tools.
10. Cross-Border Data Transfers
Our servers are hosted in South Africa. PayFast, our payment processor, operates within South Africa. We do not intentionally transfer your personal data outside of South Africa. If you are accessing our site from outside South Africa, you consent to the processing of your data in South Africa, which may have different data protection laws than your country of residence.
11. Children's Privacy
Our platform is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
12. Contact Us
For privacy-related questions, data subject requests, or POPIA compliance inquiries:
Email: syntheticdj@qrmagic.co.za
Business Name: Synthetic DJ / Zenith Frequency Audio
Information Regulator (SA): justice.gov.za/inforeg