Privacy Policy

www.directbooking.co.za

Direct Booking (Pty) Ltd (Reg. No. [Registration Number])

Physical address: [Physical Address, City, Province, Postal Code]

Effective Date: 1 August 2025

 

Direct Booking (Pty) Ltd (“Direct Booking”, “we”, “us”, “our”) is committed to protecting the personal information of all persons who use the Direct Booking platform at www.directbooking.co.za (“Platform”). This Privacy Policy describes how we collect, use, share, and protect personal information in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and other applicable South African law.

 

By using the Platform, you consent to the processing of your personal information as described in this Policy. If you do not agree to this Policy, you must not use the Platform.

 

 

1. Information Officer

 

Direct Booking has designated an Information Officer as required by POPIA. All data protection queries and requests may be directed to:

 

Information Officer: [Name of Information Officer]

Email: privacy@directbooking.co.za

Postal address: [Physical Address, City, Province, Postal Code]

 

You may also lodge a complaint with the Information Regulator of South Africa at inforeg.org.za.

 

 

2. Personal Information We Collect

 

We collect personal information that you provide to us and information generated through your use of the Platform. Categories of personal information we collect include:

 

2.1 Information You Provide

  • Identity information: full name, date of birth, identity or passport number (where required for verification).
  • Contact information: email address, telephone number, physical address.
  • Account credentials: username and hashed password.
  • Property information (Accommodation Owners): property address, description, photographs, pricing, and availability.
  • Payment information: bank account details (for Accommodation Owner payouts), billing address. Card details are processed directly by Paystack and are not stored by Direct Booking.
  • Communications: messages sent through the Platform’s messaging system, enquiries to our support team, and reviews.
  • Identity verification documents: copies of identity documents or other verification materials provided during account verification.

2.2 Information Collected Automatically

  • Usage data: pages visited, search queries, booking history, and interactions with the Platform.
  • Device and technical data: IP address, browser type and version, device type, operating system, and referring URLs.
  • Cookies and similar technologies: as described in Section 8 below.

2.3 Information from Third Parties

  • Payment data from Paystack (transaction confirmations, payment statuses).
  • Identity verification data from third-party verification service providers, where applicable.

 

 

3. Purpose of Processing

 

We process personal information only for specific, lawful purposes. Our purposes include:

 

  • Creating and managing Member accounts.
  • Enabling Guests to search for and book Properties.
  • Enabling Accommodation Owners to list Properties and receive payouts.
  • Processing payments and disbursing payouts via Paystack.
  • Facilitating communication between Guests and Accommodation Owners.
  • Administering the Resolution Centre and handling complaints.
  • Verifying Member identity and conducting fraud prevention and risk assessments.
  • Complying with legal and regulatory obligations, including tax reporting requirements.
  • Improving the Platform through analytics and usage data.
  • Sending transactional communications (booking confirmations, payout notifications, account alerts).
  • Sending marketing communications (with your consent, which you may withdraw at any time).

 

 

4. Lawful Basis for Processing

 

We process personal information on the following lawful grounds under POPIA:

 

  • Contract performance: processing necessary to give effect to a Reservation or other contract with you.
  • Legal obligation: processing required to comply with applicable South African law (e.g., tax reporting, FICA obligations).
  • Legitimate interest: processing necessary for Direct Booking’s legitimate business interests, including fraud prevention, platform security, and service improvement, where such interests are not overridden by your rights.
  • Consent: processing of personal information for marketing communications and non-essential cookies, where we have obtained your consent.

 

 

5. Sharing of Personal Information

 

We do not sell personal information. We share personal information only in the following circumstances:

 

5.1 Between Members

5.1       When a Reservation is confirmed, we share limited contact and identity information between the Guest and the Accommodation Owner to the extent necessary to facilitate the stay. Accommodation Owners must process Guest information only for purposes related to the Reservation and in compliance with POPIA.

5.2 Service Providers

5.2       We share personal information with third-party service providers who process information on our behalf under written data processing agreements, including:

  • Paystack (payment processing) — paystack.com/terms;
  • Email and SMS communication providers;
  • Cloud infrastructure and hosting providers;
  • Identity verification providers;
  • Analytics service providers.

5.2       These providers may only use personal information for the specific purposes for which it was shared.

5.3 Legal and Regulatory Disclosure

5.3       We may disclose personal information where required by law, court order, or request of a competent regulatory or law enforcement authority.

5.4 Business Transactions

5.4       In the event of a merger, acquisition, or sale of all or substantially all of Direct Booking’s assets, personal information may be transferred to the acquirer, subject to equivalent privacy protections.

 

 

6. Cross-Border Transfers

 

Some of our service providers (including cloud infrastructure and analytics providers) may process personal information outside the Republic of South Africa. Where we transfer personal information cross-border, we ensure that the recipient is subject to a law, binding agreement, or other instrument providing an adequate level of protection as required by section 72 of POPIA.

 

 

7. Retention of Personal Information

 

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our standard retention periods are:

 

  • Account information: retained for the duration of your account and for 5 years after account closure.
  • Transaction and booking records: retained for 7 years after the transaction date, in accordance with tax and financial record-keeping obligations.
  • Communications: retained for 3 years after the relevant interaction.
  • Verification documents: retained for the period required by applicable law and deleted thereafter.

 

After the applicable retention period, personal information is securely deleted or anonymised.

 

 

8. Cookies and Tracking Technologies

 

The Platform uses cookies and similar tracking technologies to operate the Platform, improve user experience, and analyse usage.

 

8.1 Types of Cookies

  • Strictly necessary cookies: required for the Platform to function (e.g., session management, security). These cannot be disabled.
  • Functional cookies: remember your preferences (e.g., language, login status).
  • Analytics cookies: collect anonymous usage statistics to help us improve the Platform (e.g., Google Analytics).
  • Marketing cookies: used to deliver relevant advertising, where applicable. Used only with your consent.

8.2 Cookie Consent

8.2       On your first visit to the Platform, you will be presented with a cookie consent notice. You may accept or decline non-essential cookies. You may withdraw cookie consent at any time by adjusting your browser settings or via the cookie preference centre on the Platform.

 

 

9. Security Safeguards

 

Direct Booking implements appropriate technical and organisational security measures to protect personal information against unauthorised access, loss, destruction, or disclosure. These include:

 

  • Encryption of personal information in transit (TLS/HTTPS) and at rest;
  • Access controls limiting personal information access to authorised personnel only;
  • Regular security assessments;
  • Incident response procedures.

 

Notwithstanding these measures, no system is entirely secure. Direct Booking cannot guarantee the absolute security of personal information transmitted over the internet.

 

In the event of a data breach that poses a real risk of harm to data subjects, Direct Booking will notify the Information Regulator and affected data subjects in accordance with section 22 of POPIA.

 

 

10. Your Rights Under POPIA

 

As a data subject, you have the following rights under POPIA:

 

  • Right of access: to request confirmation of whether we hold your personal information and to obtain a copy.
  • Right to correction: to request correction of inaccurate, incomplete, or outdated personal information.
  • Right to deletion: to request deletion of personal information where processing is no longer justified, subject to lawful retention obligations.
  • Right to object: to object to the processing of your personal information on grounds relating to your particular situation, or to direct marketing.
  • Right to withdraw consent: to withdraw consent to processing at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint: to lodge a complaint with the Information Regulator at inforeg.org.za.

 

To exercise any of these rights, contact us at privacy@directbooking.co.za. We will respond within 30 days. We may require verification of your identity before processing a request.

 

 

11. Marketing Communications

 

We will send you marketing communications (including promotional emails and platform notifications) only where you have opted in to receive them. You may unsubscribe from marketing communications at any time by clicking the “unsubscribe” link in any email, or by adjusting your notification preferences in your account settings.

 

Withdrawing marketing consent does not affect transactional communications required for the operation of your account or a Reservation.

 

 

12. Children

 

The Platform is not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a person under 18 without appropriate consent, we will delete that information promptly.

 

 

13. Changes to This Policy

 

We may update this Privacy Policy from time to time. Material changes will be notified to registered Members by email at least 14 days before they take effect. The current version of this Policy is always available at www.directbooking.co.za. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

 

 

14. Contact Us

 

For any privacy-related queries, access requests, or complaints, please contact:

 

Information Officer: [Name of Information Officer]

Email: privacy@directbooking.co.za

Postal address: [Physical Address, City, Province, Postal Code]

 

If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:

 

Information Regulator (South Africa)

Email: inforeg@justice.gov.za

Website: inforeg.org.za

 

Direct Booking (Pty) Ltd  |  www.directbooking.co.za  |  privacy@directbooking.co.za

Last updated: 1 August 2025