Privacy Policy
Last updated: 2026-04-28
This Privacy Policy explains what personal information mrpandadrawz.com collects, how we use it, who we share it with, and what rights you have. We try to keep it short and plain.
The site is operated by Marcel ("Mr. Panda", "we", "us"), a sole-proprietor digital artist based in the Republic of South Africa. Under South African law (Protection of Personal Information Act, PoPIA) we are the responsible party. For visitors in the EU/UK we are the data controller under the GDPR / UK GDPR.
1. What we collect
Depending on how you use the Site, we may collect:
| Category | Examples | Why we hold it |
|---|---|---|
| Account information | Email address, display name, password hash, MFA secret (encrypted) | To create and protect your account |
| Purchase information | Order references, amounts, currency, customer email | To process payments and provide receipts |
| Subscription information | Tier, status, period dates, processor reference | To grant the entitlements you paid for |
| Age-verification records | Pass/fail result + expiry date for the age-gate self-attestation. We never collect or store ID documents. | Legal compliance for adult content |
| Technical information | IP address, user-agent, request logs, audit log of admin actions | Security, abuse prevention, debugging |
| Optional analytics | Visit patterns, page-view counts | Only collected if you consent — see §5 |
| Communications | Newsletter sign-ups, email replies | To send things you asked for |
We do not sell your personal information.
2. How payments work
All paid transactions are processed by Paystack (Pty) Ltd, which is an independent controller for the payment data it receives (card details, billing address, fraud signals). Paystack provides us with confirmation of payment plus the customer email; we never see or store your card number. Paystack's privacy policy applies in addition to ours and is available at paystack.com.
3. How we use your data
We use the data above to:
- Provide the Site, your account, and any subscriptions or purchases you make;
- Verify your age where required by law for adult content;
- Send you receipts, account notices, and security alerts;
- Investigate fraud, abuse, or breaches of our Terms of Use;
- Comply with our legal obligations;
- (With your consent) understand how the Site is used and improve it.
The legal bases we rely on (where the GDPR applies) are: contract (giving you what you signed up for), legitimate interests (security, fraud prevention, basic analytics on essential cookies), and consent (marketing analytics, advertising pixels, optional cookies).
4. Who we share it with
We share personal data with the third parties below, only to the extent needed for them to do their job:
- Paystack — payments processor.
- Our hosting provider — runs the servers (currently OVH cPanel infrastructure in South Africa).
- Email delivery — transactional email is sent through cPanel SMTP on the same hosting infrastructure.
- MailerLite — newsletter / marketing list. Receives only your email address and (optional) display name when you tick the opt-in box at sign-up. You can unsubscribe at any time from any of our emails or by deleting your account, which removes you from the list as well.
- Print partners — when you buy a print through Displate, INPRNT, or TeePublic, you are buying from them under their terms; we do not pass your details across.
- Analytics / advertising (optional, only with consent) — Google Analytics, Google Ads, Meta (Facebook/Instagram) Ads. These see anonymised page views, click events, and IP-derived approximate location only after you consent.
We do not transfer your data outside South Africa except where one of the providers above does so as part of their normal operation. Where data leaves South Africa to providers in countries without an adequacy finding, those transfers are protected by Standard Contractual Clauses or equivalent safeguards from the provider.
5. Cookies and tracking
We use a small number of cookies, grouped as follows:
- Strictly necessary — login session, CSRF token, age-verification cookie. These cannot be turned off because the Site won't work without them.
- Preferences — remember things like font size on the lore reader. Set on use, not on visit.
- Analytics & advertising — Google Analytics, Google Ads conversion tracking, Meta Pixel. Off by default. Loaded only after you accept the consent banner. You can change your choice at any time from the cookie banner footer link.
6. How long we keep it
| Data | Retention |
|---|---|
| Active account information | While your account is open, plus 30 days after deletion (soft-delete window for recovery) |
| Purchase records | 5 years after the transaction (tax / accounting law) |
| Audit logs | 18 months |
| Age-verification records | 24 months from verification (then expires; you can re-verify) |
| Newsletter sign-ups | Until you unsubscribe |
| Analytics data | Provider default (typically 14–26 months) — you can also clear via the consent banner |
7. Your rights
Depending on where you live you have the right to:
- Access the data we hold about you;
- Correct information that is inaccurate;
- Delete your data ("right to be forgotten") — subject to retention obligations above;
- Object to processing based on legitimate interests;
- Withdraw consent at any time for things you previously opted into;
- Portability — receive your data in a portable format;
- Lodge a complaint with the South African Information Regulator (inforegulator.org.za), or — if you live in the EU/UK — your local data-protection authority.
To exercise any of these, email us at the address in §10. We will respond within 30 days.
8. Security
We hold passwords as Argon2id hashes with a server-side pepper, require MFA for admin sessions, store payment-card details only at Paystack, and keep artwork originals outside the public web tree, serving them only through signed, time-limited URLs. No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you and the Information Regulator within 72 hours of becoming aware, in line with PoPIA / GDPR requirements.
9. Children
The Site is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has given us personal data, please email us so we can delete it.
10. Contact
For privacy questions, rights requests, or breach reports, email the contact address shown in the Site footer (it currently routes to the artist directly).
11. Changes
We update this policy from time to time. The "Last updated" date above shows the most recent change. Material changes will be highlighted on the Site for at least 14 days.