The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's data protection law. Booklink, operated by Tora Technologies (Pty) Ltd, is committed to full compliance with POPIA. This page explains how we meet our obligations as both a responsible party and an operator.

Booklink's Role Under POPIA

Booklink acts in two capacities:

Responsible party — for the personal information of account holders (service providers who sign up for Booklink). We determine the purpose and means of processing this data.
Operator — for the personal information of customers (people who make bookings). Service providers using Booklink are the responsible parties for their customers' data; Booklink processes this data on their behalf to provide the booking service.

POPIA Conditions We Satisfy

Condition	How Booklink Complies
1. Accountability	We have documented privacy policies, security measures, and data processing procedures. This page and our Privacy Policy serve as public-facing accountability documents.
2. Processing limitation	We collect only the personal information necessary to operate the booking service. We process data on lawful grounds: contract performance, legitimate interest, and legal obligation.
3. Purpose specification	Personal information is collected for specific, defined purposes (operating the booking platform, sending notifications, processing payments) and is not used for unrelated purposes.
4. Further processing limitation	We do not sell, rent, or share personal information for marketing purposes. Data is only shared with third-party service providers necessary to deliver the Service.
5. Information quality	Account holders can update their personal information at any time through the Booklink dashboard. Customers can request corrections through the service provider or by contacting us directly.
6. Openness	Our Privacy Policy, Terms of Service, and this POPIA page are publicly available. We notify users of material changes via email.
7. Security safeguards	We implement strong technical measures including: AES-256 field-level encryption of personal data (names, emails, phone numbers) Per-account unique encryption keys Encrypted integration credentials at rest TLS encryption in transit No storage of payment card data Google Cloud Platform infrastructure
8. Data subject participation	Data subjects can access, correct, and delete their personal information. Account holders manage this through the dashboard. Others can contact support@booklink.co.za.

Data Retention

We retain personal information only for as long as necessary:

Active accounts: Data is retained while your account is active
Deleted accounts: 30-day retention period, then permanent deletion
Inactive Free accounts: Accounts on the Free plan with no login activity for 60 days receive a warning. After a 7-day grace period, the account is scheduled for deletion and enters the 30-day retention window before permanent removal

Permanent deletion means all personal data, bookings, services, team members, and integration credentials are irreversibly removed from our systems.

Cross-Border Data Transfers

Some of our infrastructure and third-party providers operate outside South Africa. Where personal information is transferred across borders, we ensure adequate protection is in place as required by Section 72 of POPIA.

Your Rights Under POPIA

As a data subject, you have the right to:

Request access to your personal information
Request correction of inaccurate information
Request deletion of your personal information
Object to the processing of your personal information
Lodge a complaint with the Information Regulator

Information Officer

For POPIA-related enquiries, requests, or complaints:

Email: support@booklink.co.za
Entity: Tora Technologies (Pty) Ltd, Cape Town, Western Cape, South Africa

You may also contact the Information Regulator of South Africa:

Email: complaints.IR@justice.gov.za
Website: inforegulator.org.za