Privacy Policy
Last updated: June 2026
This Privacy Policy explains how [PLACEHOLDER: Company Legal Name], registration number [PLACEHOLDER: Registration Number] ("Roomza", "we", "us", "our"), collects, uses, and protects personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and, where applicable, the Electronic Communications and Transactions Act 25 of 2002 ("ECTA").
1. Responsible Party
Roomza is the responsible party for personal information processed through the Roomza platform. Our registered address is [PLACEHOLDER: Physical Address], South Africa. You can contact our Information Officer at [PLACEHOLDER: privacy@roomza.co.za].
2. Information We Collect
2.1 Account and Property Information
When you sign up, we collect your name, email address, and the details of your property (name, address, room types, floor and ceiling prices, and channel manager credentials). Channel manager credentials are stored encrypted (AES-256-GCM) and are never transmitted in plain text.
2.2 Reservation Pace Data (not guest PII)
To compute occupancy-driven pricing, Roomza fetches aggregated availability and booking-pace figures from your channel manager. We extract only the counts needed for pricing calculations: total units, available units, and stay dates. We do not collect, store, or process guest names, email addresses, phone numbers, payment card details, or any other guest personal information. This is a deliberate design choice to minimise POPIA exposure and reduce data risk.
2.3 Competitor and Market Rate Data
Roomza fetches publicly visible competitor room rates from third-party rate-data providers. This information relates to businesses, not natural persons, and does not constitute personal information under POPIA.
2.4 Signal and Environmental Data
We fetch demand signals such as public holiday schedules, school holiday dates, local events listings, weather forecasts, and loadshedding schedules. None of these signals contain personal information.
2.5 Usage and Technical Data
We collect standard server logs (IP address, browser type, pages visited, timestamps) and error logs to operate and improve the platform. We use cookies as described in section 10 below.
2.6 Communications
If you email us or submit a support request, we retain that correspondence to resolve your query and improve our support.
3. Purpose of Processing
We process personal information to:
- Create and manage your account and property configuration.
- Provide the autonomous pricing service, including computing and pushing rates to your channel manager.
- Send transactional communications (rate-push confirmations, monthly summaries, billing receipts).
- Process subscription payments via PayFast.
- Provide the Ruby AI assistant where activated.
- Comply with legal obligations, including tax and financial reporting requirements.
- Detect, investigate, and prevent fraud or security incidents.
- Improve and develop the platform using aggregated, anonymised analytics.
4. Lawful Basis for Processing
Under POPIA, we process your personal information on the following grounds:
- Contract performance: processing your account details, property configuration, and reservation-pace data is necessary to deliver the Service you subscribed to.
- Legitimate interest: security monitoring, fraud prevention, and platform improvement using anonymised analytics, where those interests are not overridden by your rights.
- Legal obligation: retaining billing records and responding to lawful requests from authorities.
- Consent: where we ask for your explicit consent (for example, optional marketing emails), you may withdraw that consent at any time by contacting us.
5. How We Share Your Information
5.1 Third-Party Processors
We share personal information only with service providers who process it on our behalf and under our instruction. Our current processors are:
- Neon (database hosting): our PostgreSQL database is hosted on Neon infrastructure in the EU (eu-central-1 region). See section 6 for cross-border transfer disclosures.
- Netlify (web hosting): the Roomza web application and serverless functions are hosted on Netlify's global CDN.
- Resend (transactional email): we use Resend to deliver monthly summary emails and billing notifications.
- Anthropic (AI assistant): when you use the Ruby assistant, queries and your property context are sent to Anthropic's API. We send only the information needed to answer your question; we do not send guest personal information to Anthropic.
- PayFast (payment processing): subscription billing is handled by PayFast, a South African payment gateway. Roomza does not store your card details; PayFast processes them under their own PCI-DSS certification.
- Channel managers (Cloudbeds and others): we connect to your channel manager using the API credentials you provide to fetch pace data and push rates. We act as a data processor on your behalf in relation to that channel manager connection.
- Rate-data providers (Xotelo, Makcorps): we fetch publicly visible competitor rates; no personal information is shared with these providers.
5.2 Legal Disclosures
We may disclose personal information where required by law, court order, or the lawful request of a competent authority in South Africa.
5.3 Business Transfers
If Roomza is acquired or merges with another entity, personal information may be transferred as part of that transaction. We will notify you before your information becomes subject to a materially different privacy policy.
6. Cross-Border Transfers
POPIA requires that personal information transferred outside South Africa be protected to a standard substantially similar to POPIA. Our cross-border transfers are:
- Neon (EU): the EU's GDPR provides protections broadly equivalent to POPIA. Our agreement with Neon includes standard data-processing terms.
- Netlify and Resend (United States): we use contractual safeguards with these providers to ensure your information is handled to a POPIA-equivalent standard.
- Anthropic (United States): Anthropic operates under contractual data-processing terms. We limit what we send to the minimum necessary for each assistant interaction.
We work towards hosting more data in South Africa as compliant infrastructure becomes commercially available.
7. Security
We implement appropriate technical and organisational measures to protect personal information, including:
- AES-256-GCM encryption for channel manager credentials at rest.
- TLS encryption for all data in transit.
- Access controls limiting which personnel can access production data.
- Regular security reviews and dependency updates.
No system is perfectly secure. In the event of a data breach that is likely to harm you, we will notify you and the Information Regulator as required by POPIA.
8. Retention
We retain your personal information for as long as your account is active and for a period thereafter as required by law or legitimate business need (typically 5 years for financial records under South African tax law). Rate-push audit logs are retained for 3 years to support dispute resolution. Anonymised aggregated data may be retained indefinitely.
When you close your account, you may request deletion of your personal information, subject to our legal retention obligations. We will action your request within 30 days.
9. Your Rights Under POPIA
You have the right to:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct inaccurate or incomplete information.
- Deletion: ask us to delete your personal information (subject to legal retention obligations).
- Object: object to processing based on legitimate interest, or to direct marketing.
- Withdraw consent: where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact [PLACEHOLDER: privacy@roomza.co.za]. We will respond within 30 days.
10. Cookies
We use strictly necessary cookies to maintain your login session and your selected property preference. We do not use third-party advertising or tracking cookies. You can configure your browser to refuse cookies, but the platform will not function correctly without session cookies.
11. Right to Complain to the Information Regulator
If you believe we have processed your personal information unlawfully or in breach of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Email: complaints.IR@justice.gov.za
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before material changes take effect. The latest version is always available at roomza.co.za/legal/privacy.
13. Contact
For any privacy-related queries, contact our Information Officer at [PLACEHOLDER: privacy@roomza.co.za] or by post to [PLACEHOLDER: Physical Address], South Africa.