🛡️ POPIA Compliant — Protection of Personal Information Act 4 of 2013
TORCH Collective, operated by Business Direct Media ("TORCH", "we", "our"), is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA). This Privacy Policy explains how we collect, use, store, and protect your personal data.
1. Information We Collect
We collect the following categories of personal information:
- Identity data: Full name, business name, contact person details
- Contact data: Email address, phone number, business address
- Business data: Company registration number, VAT number, TETA/SATSA accreditation numbers
- Booking data: Property bookings, room types, check-in/check-out dates, group sizes
- Technical data: IP address, browser type, login timestamps, audit logs
- Financial data: Invoice records, payment status (no card details are stored)
2. How We Use Your Information
We process your personal information for the following purposes:
- Processing and managing your TORCH membership application
- Operating the platform and facilitating bookings between operators and hotels
- Calculating and displaying collective volume and rate tier status
- Sending transactional communications (booking confirmations, tier alerts, invoices)
- Generating reports and analytics for platform governance
- Complying with our legal obligations under South African law
3. Legal Basis for Processing
We process your personal information on the following legal grounds:
- Contractual necessity: Processing required to fulfil your membership agreement
- Legitimate interests: Operating the platform and preventing fraud
- Legal obligation: Compliance with POPIA, tax laws, and other applicable regulations
- Consent: Where you have given explicit consent for specific processing activities
4. Data Minimisation
TORCH is committed to data minimisation. We only collect and store personal information that is necessary for the stated purposes. For booking submissions, we collect only the minimum guest information required for operational purposes — we do not store personal guest data beyond what is required.
5. How We Share Your Information
We do not sell your personal information to third parties. We may share your information with:
- Hotel partners: Booking details shared with the relevant property to confirm reservations
- Payment processors: PayFast processes payments on our behalf under their own privacy policy
- Service providers: Hosting, email delivery, and technical services under strict data processing agreements
- Legal authorities: Where required by law or court order
6. Data Retention
We retain your personal information for as long as your membership is active and for a period thereafter as required by law:
- Membership and profile data: Duration of membership + 5 years
- Booking records: 5 years from booking date
- Invoice and financial records: 5 years as required by tax law
- Audit logs: 2 years
7. Your Rights Under POPIA
As a data subject, you have the following rights:
- Right of access: Request a copy of the personal information we hold about you
- Right to correction: Request correction of inaccurate or incomplete data
- Right to deletion: Request deletion of your personal information (subject to legal retention requirements)
- Right to object: Object to processing of your personal information in certain circumstances
- Right to data portability: Request your data in a portable format
- Right to lodge a complaint: Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, please contact us at support@torchcollective.co.za.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal information:
- HTTPS encryption for all data in transit
- Encrypted storage for sensitive fields
- Role-based access control — users only access data relevant to their role
- Full audit logging of all significant platform actions
- Regular automated backups with off-site retention
9. Cookies
The TORCH Platform uses session cookies to maintain your login state and CSRF protection tokens. We do not use tracking cookies or third-party advertising cookies. Session cookies are deleted when you close your browser or log out.
10. Information Regulator
If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with the Information Regulator of South Africa:
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to members via the platform notification system. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact Our Information Officer
For all privacy-related queries, requests, or complaints, please contact our Information Officer: