PRIVACY POLICY
Never at Home International Hostels (Pty) Ltd – POPIA Policy
At Never at Home International Hostel (Pty) Ltd (hereinafter the “Company”), we are committed to protecting the privacy of our clients, patrons, suppliers, contractors and employees. This policy outlines our approach to the collection, use, and protection of personal information in accordance with the Protection of Personal Information (POPIA) Act. The policy applies to all employees, customers, and any other relevant parties who interact with the Company.
This Policy is mandated by the introduction and enforcement of the requirements of the following South Africa Regulatory acts:
a) “Promotion of Access to Information Act” and
b) “Protection Of Personal Information Act”.
These Acts are more commonly referred to as “PAIA & POPIA”. The reason for the propagation of these acts was to ensure that both Individual (Person) and Juristic Persons (Entities) rights, which are part of The South African Constitution, are upheld. These reference documents and Acts are available to the Company employees, contractors and third parties on the internet.
Data Collection:
The Company collects personal information for various purposes, including but not limited to, providing services and support, processing payments, to support ongoing employer and employee relationships, as well as to communicate and engage with customers, service providers and contractors.
The Company undertakes that it shall only process information in a manner that is compliant with the regulations and is lawful and reasonable. Furthermore, where specific consent is required for the processing of information, such consent will be obtained.
In line with the regulations, Personal Information will be processed under the following (non- exhaustive) set of circumstances:
• for legal compliance
• for the conclusion or performance of a contract
• for the protection of a legitimate interest of the data subject
• for pursuing the legitimate interests of the Company
• for a legally authorised third party to whom the information is supplied.
The Company collects personal information through forms, emails, contracts, web browsers, website cookies, social media platforms, resumés and other means. In some cases, we may obtain personal information from third-party sources, such as credit bureaus or social media sites.
Data Processing Conditions:
As a Company, we shall abide by the processing conditions stipulated by the POPIA.
The eight conditions are:
(a) Lawfulness: Personal information may only be processed if it is done so in a lawful manner.
(b) Purpose specification: The specific purpose for which personal information is being processed must be specified.
© Further processing limitation: Personal information may only be processed for the purpose specified and cannot be processed for any other purpose.
(d) Minimization: The amount of personal information collected and processed must be limited to what is necessary for the specified purpose.
(e) Accuracy: Personal information must be accurate, complete, and up-to-date.
(f) Transparency: Individuals must be informed of the collection, use, and processing of their personal information.
(g) Security: Appropriate measures must be taken to ensure the security of personal information, including protection against unauthorized access, loss, theft, or destruction.
(h) Accountability: Those processing personal information must be accountable for ensuring that the above conditions are met and must take responsibility for any breaches of the POPI Act.
The Company shall ensure that all the conditions above are integrated into any Data Processing or operations to ensure that the Company is compliant with the provisions of the Act.
Data Special & Minor Information:
The Company may hold and collect Special and Minor data in relation to our Employees or Patrons. This is for the purpose of administration, management and concluding various agreements with the respective party and in compliance with applicable laws and regulations.
Compliance Obligation:
The Company will manage their compliance requirements based on laws, required policies and in respect of the assessed risks and liabilities in order to conduct business on a ‘day-to- day’ basis. These obligations shall be assessed, and appropriate policies developed and implemented by the Company to manage compliance requirements within the organisation and with relevant stakeholders.
Data Security:
The Company takes the protection of Personal Information very seriously and will implement appropriate measures to secure the personal information it collects. All personal information shall be stored on secure servers and will only be accessible by authorized personnel for specific, lawful purposes. The Company takes the stance that they do not share personal information with third parties unless it is necessary for the provision of our services or as required by law.
Data Records Schedule:
The Company in accordance with the POPIA, is obligated to maintain a Schedule of records. The Schedule of records will be maintained by the Company to ensure compliance regarding the defined access to these records from the public, our employees and appointed third parties.
Data Retention:
The Company shall only keep personal information for as long as necessary to provide the services or support requested by our customers and appointed operators. The Company shall establish conditions for determining when Personal Information is no longer needed and will ensure that it is deleted or destroyed in a secure manner once such conditions are met.
In accordance with the “Protection of Personal Information Act (POPIA)”, the Company is obligated to manage this retention of documentation, based on:
1. the different legal requirements which are imposed on the Company for document retention; and
2. the requirements imposed on the Company for the execution of contracts, agreements and/or association rules; and
3. internal policies regarding data retention.
Data Deletion:
The Company in accordance with the POPIA requires that the Company implement a record Deletion policy. This policy will manage and establish conditions for determining when data records are no longer needed and will ensure that it is deleted or destroyed in a secure manner once such conditions are met. This policy obligates the Company to manage the deletion of documentation, based on the different legal requirements which are imposed on the Company. Where document deletion and associated legal requirements are imposed on the Company for the execution of contracts, agreements and/or association rules and internal policies regarding data retention, the
Company shall adhere to all such obligations.
Data Sharing:
In some cases, it may be necessary for the Company to share information with third parties, in order to provide our services. In these instances, we shall ensure that the third party is also compliant with the POPIA and has appropriate measures in place to protect the data subject. We shall also have agreements in place with these third parties to ensure that information is used only for the purposes for which it was supplied.
Data Storage:
Based on the document classification, all information regarding the Company, clients, employees, subcontractors, and appointed third party/operators and/or service providers, may be stored on the Company IT Infrastructure or equipment and/or at appointed third party service providers and at their respective locations. The location of the storage of the data will be dependent on the provided IT Equipment and in accordance with the agreed-upon service being provided by the appointed third party service provider. Physical documentation and/or items will be access controlled or stored with a third party who specialises in the storage of physical documents and/or items in a secure manner.
Data Online:
The Company recognises that the access to or storage of information online is a major risk and as such shall implement all the appropriate and/or policies required for legal compliance and to mitigate and manage risk, to ensure that the organisation and all information captured, stored and/or held in any form electronically online or stored locally in physical form shall be secured, tracked and controlled.
Impact Assessments:
In line with the regulatory obligations, the Company shall perform an annual Data Processing Impact Assessment in order to evaluate any risks, and to the best of our ability, develop mitigating factors for each risk so identified and report annually to the board.
Data Breaches:
In the event of a data breach, the Company shall have established procedures in place to quickly respond and minimize the impact on those affected. This includes reporting the breach to the relevant authorities, notifying Data Subjects, and taking appropriate steps to prevent future breaches.
Rights of Data Subjects:
It is understood that Data subjects have the right to access, correct, and delete their personal information. They also have the right to know who is processing their personal information and for what purpose. By appointing an Information Officer, the Company will ensure that Data subjects can exercise these rights by contacting the Information Officer.
Reporting:
The Company has an obligation to report any Data Breaches to the regulator as well as to the Data Subjects who are affected. We commit to informing affected parties, as well as the Regulator as soon as a breach is identified, or within a maximum of 30 business days after identifying a Data Breach. Such breaches shall also be reported when they occur, and on an annual basis, to the board of directors. If a Data Subject exercises their rights under the act, this shall be reported on an annual basis to the board of directors.
This privacy notice forms part of your agreement with Activitar.
During our interactions, you share personal information with Tornado Tour Systems (Pty) Ltd, trading as Activitar, registration number 2004/000954/07.
This notice tells you what to expect when we collect information from you and how we use it.
It is part of our agreement with you, and we may need to update it occasionally. When we do, we will inform you. You should read this notice along with our terms and conditions that apply to the products and services you use.
If you have any questions about this policy, please contact us by email at privacy@activitar.com or by phone on +2787 250 0276
We collect your information in the circumstances outlined below. Sometimes we are required by law to collect your information, for instance, if tax legislation forces us to collect personal information.
We need some general information before we can enter into an agreement and you can begin to use our reservation system and online distribution service.
We collect your:
company name
contact details
VAT number
banking details
details related to your operating processes and offerings
details contained in your company registration documents
identity documents of your mandated officials
proof of address of your mandated officials
proof of banking details
We use this information to:
load you on our services and configure the system
set up and process payments via the payment gateway
communicate with you
provide training
process orders
provide your offerings to clients via activitar.com
provide support
send you statements, receipts, invoices or any other legal documents that relate to your transaction
fulfill our legal obligation to use or disclose your information
Legal basis for processing: Data protection legislation allows us to process personal information when it is necessary for the performance of a contract with you. In other instances, we are required by law to collect your information, for instance tax legislation forces us to collect personal information. |
In order for our service to function properly, ‘customer data’ is generated and collected. This includes your, and your clients’ personal information. We collect your clients’ names, contact details, and details about their bookings.
We use customer data to process bookings and reservations on our reservation system and distribution service, to analyse and improve our services and to identify and solve problems where they may appear.
Legal basis for processing: Data protection legislation allows us to process personal information when it is necessary for the performance of a contract with you. |
When you contact us by social media, email, our support service or telephone with a query, complaint, or request, we collect the information contained in your message. We use the information we collect to reply to, investigate, and resolve your query, complaint, or request.
Legal basis for processing: Data protection legislation allows us to process personal information when it is in our interest and we have chosen the least invasive way to process the information. It is in both our interest to reply to, investigate, and resolve your queries, complaints, and requests. |
We have a monthly newsletter that is delivered by email.
We’ll ask you whether you want to receive the newsletter, if you agree it is important that you know you can unsubscribe at any time by following the unsubscribe link at the bottom of the email or by contacting us.
Legal basis for processing: Data protection legislation allows us to process personal information when you have given us your express consent. |
We do not knowingly collect the personal information of children without the consent of a parent or guardian.
We use service providers and suppliers who we trust to assist us in providing our services to you. They have agreed to keep your information secure and confidential, and to only use it for the purposes for which we have sent it to them.
We share your information with service providers when they help us to:
store information
process payments
ensure you have access to the services you paid for
deliver our newsletter
help monitor the effectiveness of our promotions and advertising
help us manage our business, for instance accountants and professional advisors.
maintain our website
find and fix errors and performance issues on our website
Sometimes we will be required by law to share your information. For instance, we may be required to share your information with the South African Fraud Prevention Services. We will not sell your information or share information with third parties for the purposes of direct marketing (we don’t like spam either).
Some of the service providers that we use may be located in other countries; for instance, our cloud storage service. These countries may not have the same levels of protection of personal information as South Africa. If this is the case, we require that they undertake to protect the personal information of our customers to the same level that we do.
We will not retain your information for longer than we need to, unless we are legally required to do so. Most of your personal information will be retained for 5 years from the date of your last transaction with us. However, we may keep your contact details for longer for marketing and mailer purposes.
We have implemented reasonable security measures based on the sensitivity of the information we hold. These measures are in place to protect the information from being disclosed, from loss, misuse, and unauthorised access, and from being altered or destroyed.
We regularly monitor our systems for possible vulnerabilities and attacks, but no system is perfect and we cannot guarantee that we will never experience breach of any of our physical, technical, or managerial safeguards. If something should happen, we have taken steps to minimise the threat to your privacy. We will let you know of any breaches that affect your personal information and inform you how you can help minimise the impact.
You also have a role to play in keeping your information secure. For example, you should never share personal information with us in an email, because while our servers are protected, it is still possible that email can be intercepted. Instead, contact the Activitar support team at +2787 250 0276, which will connect you to Chris Coetzee, our information officer.
You have the right to know what kind of personal information we have about you, to correct it, and to opt out of marketing.
You have the right to
ask us what we know about you;
ask what information was sent to our suppliers, service providers, or any other third party;
ask us to update, correct, or delete any out-of-date or incorrect personal information we have about you;
unsubscribe from any direct marketing communications we may send you; and
object to the processing of your personal information.
You can request access to the information we have about you, or correct your personal information by contacting our deputy information officer at privacy@activitar.com. It can take us up to 21 days to respond to your request because there are procedures that we need to follow. In certain cases, we may require proof of your identity, and sometimes changes to your information may be subject to additional requirements such as valid proof of residence.
If you are in the European Union, you have these rights in terms of the GDPR:
The right to be informed about the collection and use of your personal information.
The right to access your personal information. You may make such a request from us by contacting privacy@activitar.com. We may take one month to respond to your request and may charge a fee in some circumstances. We will let you know if this is the case.
You have a right to have inaccurate personal information corrected or completed if it is incomplete. You may make such a request from us by contacting privacy@activitar.com. We may take one month to respond to your request and may refuse in certain circumstances.
You have the right to have your personal information erased, also known as the ‘right to be forgotten’. You may make such a request from us by contacting privacy@activitar.com. We may take one month to respond to your request and may refuse in certain circumstances.
You have the right to request that we restrict or suppress your personal information. You may make such a request from us by contacting privacy@activitar.com. We may take one month to respond to your request and may refuse in certain circumstances.
You have the right to reuse your personal information for your own purposes across different services, also known as the right to data portability.
You have the right to object to us processing your personal information in certain circumstances. You may make your objection by contacting privacy@activitar.com. We may take one month to respond to your request. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
You have the right to complain to a supervisory authority in the Member State where you live or work, or where the infringement took place.
You have the right to object to automated decision-making and profiling.
You may ask that a human review any automated decisions that we make about you, express your point of view about it, and obtain an explanation of the decision. You may challenge any automated decision made about you by contacting privacy@activitar.com. We may take one month to respond to your request.
© 2024 Tornado Tour Systems (Pty) Ltd ta Activitar.