POPIA
POPIA, plainly.
South Africa's Protection of Personal Information Act protects your customers' data and yours. Here's how Booking·Tours is built to keep you compliant.
01How we help you comply
Compliance built in — not bolted on.
Every table, credential, and webhook is designed around POPIA so you inherit compliance instead of engineering it.
Your customer data lives in the South Africa region — it doesn't leave the country.
TLS 1.3 in transit; pgcrypto AES-GCM at rest for credentials and banking details, with no plaintext stored.
Every one of the 40+ public tables enforces row-level security, so a tenant only ever sees its own data.
Export a person's data for an access request, or fulfil a deletion that anonymises personal data while keeping financial records for audit.
Deletion requests carry a mandatory 30-day cooling-off period; unconfirmed requests expire after 24 hours.
Every admin action and edge-function call is logged for a full, reviewable trail.
02Your responsibilities
What stays on your side.
We give you the tools; a few things remain the operator's call. These are the basics every South African tour business should have in place.
- Publish a customer-facing privacy policy on your booking site
- Collect only the personal data you actually need at checkout
- Handle access and deletion requests via the Data Requests queue
- Keep marketing opt-ins honest — unsubscribes are always respected
Good to know
Deletion permanently anonymises personal data while retaining the financial records you're legally required to keep — so you stay compliant with POPIA and the tax authorities at the same time.
Not legal advice
Built to keep you compliant. Verified by you.
For the practical, twelve-step operator checklist, read our full POPIA guide.
This page explains our platform, not legal advice — confirm your obligations with your own advisor