Privacy Policy

1. Introduction

Seatly (Pty) Ltd ("Seatly", "we", "us", "our") is committed to protecting the privacy and personal information of all individuals who interact with our platform. This policy is drafted in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the EU General Data Protection Regulation (GDPR).

The right to privacy is enshrined in Section 14 of the Constitution of the Republic of South Africa. We recognise that every person has the right to control how their personal information is collected, used, and shared.

2. Definitions and Application

This policy applies to all of Seatly's electronic platforms, including our website, venue portal, WhatsApp booking service, and any related services. The following POPIA definitions apply:

• Data Subject — the natural or juristic person whose personal information is being processed (e.g. a guest making a booking, or a venue owner using the portal).
• Responsible Party — the venue (restaurant, bar, or hospitality establishment) that determines the purpose and means of processing personal information collected through Seatly.
• Operator — Seatly, as an independent service provider that processes personal information on behalf of the Responsible Party (the venue).

Seatly collects and stores personal information on behalf of venues (the Responsible Parties) and processes it solely for its intended purpose as described in this policy.

3. Information Officer

In terms of Section 55 of POPIA, our designated Information Officer is:

Ken Walton
Email: privacy@seatly.co.za

4. Accountability

Seatly is committed to ensuring compliance with POPIA and the principles set out in this policy. We take responsibility for the personal information we process and will take appropriate measures to effectively implement and monitor compliance.

5. Personal Information We Collect

We collect the following personal information on behalf of venues (the Responsible Parties):

• Guest name
• Telephone number (including WhatsApp number)
• Email address (where provided)
• Booking history and preferences
• Special requests or dietary requirements submitted with bookings
• Payment transaction references (where deposits are required)

From venue owners and staff who use the Seatly portal, we collect:

• Name and email address
• Venue details (name, address, contact information)
• Payment and billing information for subscription services

Should we require additional personal information in the future, the data subject will be informed prior to collection.

6. Purpose and Processing of Personal Information

Personal information is processed fairly, lawfully, and in a manner that does not exceed what is necessary. We process personal information for the following purposes:

• Facilitating and managing restaurant reservations via WhatsApp
• Processing booking deposit payments via integrated payment providers (e.g. Yoco)
• Sending booking confirmations, reminders, and cancellation notifications
• Enabling venues to manage their bookings, tables, and availability
• Managing venue subscriptions and billing
• Improving our services and platform functionality

Where the data subject has given consent directly to the venue (the Responsible Party), the venue bears primary responsibility for such consent. Seatly will not distribute or share personal information between separate legal entities, except:

• Where required by law or a court order
• In the event of a merger, acquisition, or sale of the business
• With third-party service providers necessary for platform operation (see Section 10)

7. Lawful Basis for Processing

We rely on the following lawful bases for processing personal information under POPIA:

• Consent — where the data subject has given voluntary, specific, and informed consent.
• Contractual necessity — where processing is necessary to perform a booking or provide our services.
• Legitimate interest — where processing is necessary for our legitimate interests, provided the data subject's rights are not overridden.
• Legal obligation — where processing is required by applicable law.

8. Rights of Data Subjects

Under POPIA, data subjects have the following rights:

1. Right to Access — you may request confirmation of whether we hold your personal information and request access to it.
2. Right to Correction or Deletion — you may request that we correct inaccurate information or delete your personal information where it is no longer necessary.
3. Right to Object to Processing — you may object to the processing of your personal information on reasonable grounds.
4. Right to Object to Direct Marketing — you may object to receiving direct marketing communications at any time.
5. Right to Complain — you may lodge a complaint with the Information Regulator of South Africa if you believe your rights under POPIA have been infringed.
6. Right to be Informed — you have the right to be notified that your personal information is being collected and the purpose thereof.
7. Right to Restriction of Processing — you may request that we restrict the processing of your personal information instead of deletion.

To exercise any of these rights, please contact our Information Officer at privacy@seatly.co.za.

9. Payments and Financial Information

Where a venue requires a booking deposit, Seatly facilitates payment collection through the venue's own Yoco account. This means:

• Deposit funds are paid directly to the venue's Yoco account — Seatly does not hold, receive, or have access to these funds.
• Seatly stores only a payment transaction reference for record-keeping purposes. We do not store credit card numbers, CVVs, or other sensitive financial data.
• Refunds are the sole responsibility of the venue. Seatly cannot initiate or process refunds on behalf of any venue.

All payment processing is handled by Yoco, which is a PCI DSS compliant payment provider. Please refer to Yoco's privacy policy for information on how they process payment data.

10. Security of Personal Information

We are committed to protecting personal information against misuse, loss, theft, and unauthorised access, modification, or disclosure. We implement the following measures:

• All data is stored in secure, encrypted databases hosted by Supabase (cloud infrastructure).
• Row-level security (RLS) policies ensure that venue data is isolated — each venue can only access their own information.
• All communication between our services is encrypted using TLS/SSL.
• Access to personal information is restricted to authorised personnel only.
• We use authentication and access controls on all administrative systems.

11. Third-Party Service Providers

We use the following categories of third-party service providers to operate our platform:

• Database and hosting — Supabase (data storage), Railway (application hosting)
• Communication — WhatsApp (guest messaging via Telegram bot), Resend (transactional email)
• Payments — Yoco (deposit processing), Paystack (subscription billing)
• AI services — Anthropic (AI-powered booking assistant)

Each of these providers is contractually obligated to protect personal information and may only process it for the purposes we specify. We do not sell personal information to any third party.

12. Cross-Border Transfer of Information

Some of our third-party service providers may store or process data outside of South Africa. In such cases, we ensure that adequate safeguards are in place as required by Section 72 of POPIA, and that the recipient is subject to comparable data protection laws or binding agreements.

13. Retention of Personal Information

We retain personal information only for as long as is necessary to fulfil the purpose for which it was collected, unless:

• We are required by law or a contractual obligation to retain it for a longer period.
• Retention is necessary for legitimate business record-keeping.

Booking records are retained for a period of 12 months after the booking date, after which personal information may be anonymised or deleted. Venue account data is retained for the duration of the subscription and for 12 months after account closure.

14. Direct Marketing

Seatly may send service-related communications (such as booking confirmations and reminders) which are not considered direct marketing. Where we send promotional or marketing communications:

• We will obtain prior opt-in consent from the data subject.
• Every marketing communication will include a clear opt-out mechanism.
• We will not share personal information with unaffiliated third parties for their direct marketing purposes.

15. Use of AI

Seatly uses an AI-powered booking assistant to process guest messages and manage reservations via WhatsApp. This AI service:

• Processes guest names, phone numbers, and booking details to facilitate reservations.
• Does not make autonomous decisions that have legal or significant effects on data subjects — it facilitates bookings based on venue availability.
• Conversation data is stored to maintain booking context and is subject to the same retention and security policies as all other personal information.

16. Consent

By using any of Seatly's services, the data subject:

• Acknowledges that they have read and understood this privacy policy.
• Agrees to be bound by the terms of this policy.
• Gives consent to the processing of their personal information as described herein.

Consent is obtained when a guest initiates a booking conversation via WhatsApp or when a venue owner registers for the Seatly portal.

17. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, services, or legal requirements. The updated version will be published on our website with a revised "Last updated" date. Continued use of our services after such changes constitutes acceptance of the updated policy.

18. Complaints

If you believe that your personal information has been processed in violation of POPIA, you have the right to lodge a complaint with:

• Seatly's Information Officer at privacy@seatly.co.za
• The Information Regulator of South Africa
  Website: inforegulator.org.za
  Email: complaints.IR@justice.gov.za