Booking·Tours

POPIA

POPIA, plainly.

South Africa's Protection of Personal Information Act protects your customers' data and yours. Here's how Booking·Tours is built to keep you compliant.

01How we help you comply

Compliance built in — not bolted on.

Every table, credential, and webhook is designed around POPIA so you inherit compliance instead of engineering it.

Data hosted in SA

Your customer data lives in the South Africa region — it doesn't leave the country.

Encryption

TLS 1.3 in transit; pgcrypto AES-GCM at rest for credentials and banking details, with no plaintext stored.

Row-level security

Every one of the 40+ public tables enforces row-level security, so a tenant only ever sees its own data.

Data requests

Export a person's data for an access request, or fulfil a deletion that anonymises personal data while keeping financial records for audit.

Cooling-off & expiry

Deletion requests carry a mandatory 30-day cooling-off period; unconfirmed requests expire after 24 hours.

Audit logs

Every admin action and edge-function call is logged for a full, reviewable trail.

02Your responsibilities

What stays on your side.

We give you the tools; a few things remain the operator's call. These are the basics every South African tour business should have in place.

  • Publish a customer-facing privacy policy on your booking site
  • Collect only the personal data you actually need at checkout
  • Handle access and deletion requests via the Data Requests queue
  • Keep marketing opt-ins honest — unsubscribes are always respected

Good to know

Deletion permanently anonymises personal data while retaining the financial records you're legally required to keep — so you stay compliant with POPIA and the tax authorities at the same time.

Not legal advice

Built to keep you compliant. Verified by you.

For the practical, twelve-step operator checklist, read our full POPIA guide.

This page explains our platform, not legal advice — confirm your obligations with your own advisor