TravelSouth Logo
Hero background pattern
Hero accent design
policy icon
contract icon
copyright icon
license icon
gavel icon

Privacy Policy

Last updated: April 24, 2025

1. Introduction & Scope

  • Commitment: TravelSouth is committed to safeguarding the privacy and personal data of all its users.
  • Applicability: This policy applies to all personal data collected through the TravelSouth website, mobile applications, and related services. It covers data from all user categories: Travelers, Operators, Travel Agencies, and Influencers.
  • Governing Laws: This policy is designed to comply with major data protection laws, including the EU General Data Protection Regulation (GDPR), South Africa's Protection of Personal Information Act (POPIA), relevant ASEAN Personal Data Protection Acts (PDPA), and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
  • Data Controller: The data controller (or "Responsible Party" under POPIA) is Nfactorial Consulting, located at 10 Baltimore Village, Basson Ave, Radiokop, Roodepoort 1724, South Africa. The contact for data protection matters is [email protected]
  • Information Officer (POPIA): An Information Officer (IO) has been designated as required by POPIA. The IO can be contacted via [email protected].

2. Core Data Protection Principles

TravelSouth adheres to the following core data protection principles:

  • Lawfulness, Fairness, and Transparency: Processing is lawful, fair, and transparent.
  • Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not processed further incompatibly.
  • Data Minimization: Collection is limited to what is adequate, relevant, and necessary.
  • Accuracy: Reasonable steps are taken to ensure data is accurate and up-to-date.
  • Storage Limitation: Data is kept identifiable only as long as necessary for the purposes collected.
  • Integrity and Confidentiality (Security): Appropriate technical and organizational measures protect data security.
  • Accountability: Nfactorial Consulting is responsible for and must demonstrate compliance.
  • Openness (POPIA): Emphasis on transparency regarding data processing activities.

3. Information Collected

We collect various categories of personal data depending on your interaction with TravelSouth:

  • Travelers: Identification and Contact Data, Payment Data, Booking Data, Preference Data, Government-Issued ID Data, Loyalty Program Data, User-Generated Content (reviews, photos), Communication Data, Technical Data (IP address, device info), Location Data (with consent), Usage Data (website activity, cookies).
  • Operators: Business Contact Data, Service Listing Data, Financial Data (payouts), Communication Data.
  • Travel Agencies: Agency Identification Data, Agent Contact Data, Client Booking Data (subject to agency's privacy obligations), Financial Data, Usage Data.
  • Influencers: Contact Data, Social Media Data, Content Data, Financial Data, Travel Data (if sponsored).
  • Sensitive Personal Information: We may collect sensitive data (e.g., health information for accessibility needs) only for specific purposes and with explicit consent or another valid legal basis. California residents have specific rights regarding Sensitive Personal Information (SPI).
  • Sources of Information: Data is obtained directly from users, automatically through website/app usage (cookies, logs), and from third parties (affiliates, service providers, Operators/Agencies, social media platforms if linked).
  • CCPA Notice at Collection: We provide notice about data categories collected and purposes at or before collection, often via links to this policy.

4. Legal Bases for Processing

We process your personal data based on the following legal grounds:

  • Consent: For activities like direct marketing, non-essential cookies, processing sensitive data, and certain data sharing. Consent must be freely given, specific, informed, unambiguous, and easily withdrawable. Specific rules apply for minors under CCPA.
  • Contractual Necessity: Processing necessary to perform a contract with you (e.g., processing bookings, managing accounts, providing platform tools).
  • Legal Obligation: Processing necessary to comply with legal requirements (e.g., tax laws, lawful requests from authorities).
  • Legitimate Interests: Processing necessary for our legitimate interests (e.g., security, fraud prevention, service improvement, some marketing), provided these are not overridden by your rights. We clearly identify these interests.
  • Vital Interests: Processing necessary to protect someone's life.
  • Public Task/Interest: Generally less relevant for TravelSouth.

5. Use of Personal Data

Your personal data is used for the following purposes:

  • Service Provision & Operations: Account management, booking processing, payment facilitation, providing platform tools, managing affiliate programs.
  • Communication: Transactional messages, support responses, platform messaging, administrative notices.
  • Personalization: Customizing user experience, recommendations, and content.
  • Marketing & Promotions: Sending marketing communications (subject to consent/opt-out), managing campaigns.
  • Analytics & Service Improvement: Analyzing usage trends, monitoring performance, improving features, market research.
  • Security & Fraud Prevention: Identity verification, monitoring for suspicious activity, platform security.
  • Legal & Compliance: Complying with laws, responding to legal requests, enforcing terms, resolving disputes.

CCPA Purpose Limitation: We will not use data for materially different purposes than disclosed without notice and consent where required.

6. Data Sharing and Disclosure

We may share your personal data with the following categories of third parties:

  • Service Providers (Processors/Operators): Companies assisting us with operations like payment processing, hosting, analytics, CRM, email delivery, customer support, security. They act on our instructions under contract.
  • Trip Providers (Operators): Necessary booking information is shared with airlines, hotels, experience providers, etc., to fulfill your reservation. Their own privacy policies apply.
  • Travel Agencies: Relevant booking information is accessible to the agency managing the booking.
  • Affiliate Partners (e.g., Booking.com, Holafly): If you click an affiliate link, the partner collects data under their policy. We may receive referral data or share data (e.g., anonymized analytics, potentially booking data if legally permissible/consented) for commission tracking or reporting.
  • Integrated Third-Party Services (Social Media, Transport Apps): Using features like social login or booking integrated services (e.g., Grab, Uber) involves sharing specific data with that third party, governed by their policy.
  • Business Transfers: Data may be transferred during mergers, acquisitions, or asset sales, with user notification.
  • Legal Requirements & Law Enforcement: Disclosure if required by law, legal process, or governmental request, or to protect rights and safety.
  • Other Users: Publicly posted content (e.g., reviews with username) is visible. Limited Operator details may be shared with Travelers post-booking.
  • CCPA "Sale/Sharing": We disclose if we engage in activities defined as "sale" or "sharing" under CCPA (e.g., using certain advertising cookies). We provide a "Do Not Sell or Share My Personal Information" link for opt-out.
  • Robust Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) or equivalents are used, especially for cross-border data flows.

7. International Data Transfers

  • Global Operations: Your data may be transferred to and processed in countries outside your origin, potentially with different data protection standards.
  • Safeguards: We implement legal mechanisms for compliant transfers:
    • Adequacy Decisions: Transferring to countries deemed adequate by relevant authorities.
    • Standard Contractual Clauses (SCCs): For transfers from EEA/UK to non-adequate countries.
    • ASEAN Model Contractual Clauses (MCCs): As a basis for transfers involving ASEAN states, potentially adapted.
    • Binding Corporate Rules (BCRs): If applicable within a corporate group.
    • Derogations: Relying on explicit consent or contractual necessity where appropriate and lawful.
    • POPIA Specifics: Compliance with POPIA's conditions (adequacy, consent, safeguards).
    • CCPA Contractual Obligations: Contracts requiring service providers to maintain CCPA-level protection.
  • Partner Policies: Transfers to partners are also governed by their privacy policies and transfer mechanisms.

8. Data Security Measures

  • Commitment: We are committed to protecting your personal data's security, confidentiality, and integrity.
  • Measures: We employ technical and organizational measures, including encryption, firewalls, access controls, internal policies, staff training, supplier assessments, and incident response procedures.
  • Disclaimer: No system is 100% secure; users share information at their own risk.
  • Data Breach Notification: In case of a breach, we will assess risks and notify relevant authorities and affected individuals as required by law (e.g., GDPR, POPIA).

9. Data Retention

  • Policy: Personal data is retained only as long as necessary for the purposes collected, including service provision, legal compliance, dispute resolution, and fraud prevention.
  • Criteria: Retention periods depend on the duration of your relationship, data nature, legal requirements, and business needs.
  • Post-Retention: Data is securely deleted or anonymized upon expiry of the retention period.

10. User Rights

You have certain rights regarding your personal data under applicable laws. These may include:

  • Right to be Informed: Receive clear information on data processing (fulfilled by this policy).
  • Right of Access: Obtain confirmation and a copy of your data.
  • Right to Rectification/Correction: Correct inaccurate or incomplete data.
  • Right to Erasure/Deletion ('Right to be Forgotten'): Request deletion under certain conditions (not absolute).
  • Right to Restrict Processing: Temporarily halt processing under certain conditions.
  • Right to Data Portability: Receive data in a machine-readable format and transmit it elsewhere (where applicable).
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Rights Related to Automated Decision Making/Profiling: Rights concerning decisions made solely by automated means.
  • Right to Opt-Out of Sale/Sharing (CCPA/CPRA): For California residents, direct us not to sell/share personal information.
  • Right to Limit Use of Sensitive Personal Information (CCPA/CPRA): For California residents, limit the use of SPI.
  • Right to Non-Discrimination/No Retaliation: Not be discriminated against for exercising CCPA/CPRA rights.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based.

11. Exercising User Rights

  • Methods: Submit requests via:
    • A dedicated Data Subject Request form (if available).
    • Email: [email protected].
    • Account settings (for some rights).
    • A toll-free number (for CCPA compliance) - coming soon.
  • Verification: We will need to verify your identity before processing requests.
  • Response Timelines: We aim to respond within legal timeframes (e.g., one month under GDPR, 45 days under CCPA, subject to extensions).
  • Fees: Requests are generally free, but a fee may apply for unfounded, excessive, or repetitive requests as permitted by law.
  • Authorized Agents (CCPA): California residents can use authorized agents following specific verification procedures.
  • Complaints: You have the right to complain to your local data protection authority.

12. Children's Data

  • Age Limit: Users must generally be 18 years or older to create an account.
  • Collection Policy: We do not knowingly collect personal data directly from children under the specified age without verifiable parental consent. If discovered, such data will be deleted.
  • Bookings Involving Children: Adults may provide children's data for bookings (e.g., name, age for tickets), processed under contractual necessity.
  • CCPA/COPPA: Specific opt-in rules apply under CCPA if knowingly collecting data from minors under 16 for sale/sharing. Compliance with COPPA (US) is relevant if targeting users under 13.

13. Data Controller Information & Contact

  • Controller: Nfactorial Consulting.
  • Address: 10 Baltimore Village, Basson Ave, Radiokop, Roodepoort 1724, South Africa.
  • Data Protection Contact: [email protected].
  • POPIA Information Officer: Contact via [email protected].

14. Policy Updates

  • Modifications: This policy may be updated periodically. Check the "Last Updated" date.
  • Notification: Material changes will be communicated via prominent notice on the website or email.
  • Review: Please review this policy regularly.