This Privacy Policy explains how Tora Technologies (Pty) Ltd ("we", "us", "our"), trading as Booklink, collects, uses, stores, and protects personal information when you use the Booklink platform ("Service"). We are committed to compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African privacy legislation.

1. Information We Collect

Account holders (service providers)

Business information: business name, email address, phone number, timezone, country
Account settings: booking preferences, branding (logo, tagline), slug/URL
Team member details: names, titles, bios, profile photos
Integration credentials: Google Calendar OAuth tokens, payment provider customer IDs

Customers (people who make bookings)

Booking details: name, email address, phone number, booking notes
Appointment information: service booked, date, time, assigned team member
Payment information: payment status and transaction references (card details are handled entirely by PCI-DSS certified providers and never touch Booklink servers)

Automatically collected

2. How We Use Your Information

We use personal information to:

Provide and operate the booking Service
Send booking confirmations, cancellations, and reminders via email and WhatsApp
Sync bookings with connected Google Calendars
Process payments through connected payment providers
Send account-related notifications (e.g. inactivity warnings, subscription updates)
Detect and prevent fraud or abuse
Improve the Service

3. Legal Basis for Processing

Under POPIA, we process personal information on the following grounds:

Contract: Processing necessary to provide the Service you signed up for
Legitimate interest: Account security, fraud prevention, and service improvement
Legal obligation: Where required by South African law

4. How We Protect Your Information

We take data security seriously:

Field-level encryption: Personal data (names, email addresses, phone numbers) is encrypted individually using AES-256 encryption before storage
Per-account encryption keys: Each account has its own unique data encryption key (DEK), which is itself encrypted with a master key
Integration tokens: Google Calendar OAuth tokens and other integration credentials are encrypted at rest
No card data: Payment card details are processed entirely by PCI-DSS certified providers (Yoco, Paystack, PayFast) and are never stored on or transmitted through Booklink servers
Infrastructure: The Service runs on Google Cloud Platform with encryption in transit (TLS) and at rest

5. Data Sharing

We do not sell personal information. We share data only with:

Payment providers (Yoco, Paystack, PayFast) — to process booking payments on your behalf
Email provider (SMTP2GO) — to deliver transactional emails (confirmations, reminders, account notifications)
Google — when you connect Google Calendar, to sync booking events
WhatsApp / messaging providers — to send booking reminders when enabled

All third-party providers are bound by their own privacy policies and data processing agreements.

6. Data Retention

Active accounts: Data is retained for as long as your account is active
Deleted accounts: When you delete your account, data is retained for 30 days (to allow recovery), then permanently and irreversibly deleted
Inactive Free accounts: Free accounts with no login activity for 60 days receive a warning email. If no login occurs within 7 days, the account is scheduled for deletion and enters the standard 30-day retention period before permanent deletion. See our Terms of Service for full details
Booking records: Retained for the lifetime of the account that created them

7. Your Rights

Under POPIA and other applicable law, you have the right to:

Access your personal information held by us
Correct inaccurate or incomplete personal information
Delete your account and associated data
Object to the processing of your personal information
Withdraw consent where processing is based on consent
Lodge a complaint with the Information Regulator of South Africa

Account holders can access, correct, and delete their data directly through the Booklink dashboard and account settings. For any other requests, contact us at support@booklink.co.za.

Customers who have made bookings and wish to exercise their rights should contact the service provider they booked with, or email us directly.

8. Cookies

The Booklink application uses essential cookies and local storage for authentication (JWT tokens) and session management only. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Children's Privacy

Booklink is not intended for use by children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. International Transfers

Your data is stored on Google Cloud Platform infrastructure. While we select infrastructure regions to minimise cross-border transfers, some data may be processed outside South Africa by our third-party providers in the course of delivering the Service. Where this occurs, we ensure adequate safeguards are in place as required by POPIA.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "last updated" date at the top of this page indicates the most recent revision.

12. Contact

For privacy-related enquiries, data access requests, or complaints, contact us at:

Email: support@booklink.co.za
Entity: Tora Technologies (Pty) Ltd, Cape Town, Western Cape, South Africa

You may also lodge a complaint with the Information Regulator of South Africa at complaints.IR@justice.gov.za.