Privacy Policy
Last updated: 19 April 2026
1. Introduction
This Privacy Policy explains how Zande Technologies (Pty) Ltd (Registration No. K2025834311), in partnership with Rath Group (Pty) Ltd, operating the Ziyawa platform ("Platform"), collects, uses, stores, and protects your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA).
Zande Technologies is registered with the Information Regulator of South Africa as an information officer under reference number 2025-066656.
2. Information Officer
- Responsible Party: Zande Technologies (Pty) Ltd
- Information Regulator Ref: 2025-066656
- Email: info@zande.io
- Location: South Africa
You may contact the Information Regulator of South Africa at:
Email: enquiries@inforegulator.org.za | Tel: 012 406 4818
3. Personal Information We Collect
We collect the following categories of personal information:
3.1 Information You Provide
- Account data: Name, email address, phone number (optional), password (hashed).
- Profile data: Display name, bio, province, profile photo, genres (artists), services offered (crew/vendors).
- Identity verification: South African ID number or passport number, CIPC registration number (businesses), uploaded ID or registration documents.
- Financial data: Bank account details (for withdrawals), transaction history. Card details are processed by Paystack and never stored on our servers.
- Event data: Event details, ticket types, pricing, venue information.
- Communications: In-app messages between users (booking-gated), support tickets.
- Reviews: Written reviews and star ratings you submit.
3.2 Information Collected Automatically
- Usage data: Pages visited, features used, actions taken on the Platform.
- Device data: Browser type, operating system, screen resolution.
- Authentication data: Login timestamps, session tokens, two-factor authentication (TOTP) enrolment status.
- Cookies: Essential cookies for authentication and session management. See Section 10.
3.3 Information from Third Parties
- Google OAuth: If you sign in via Google, we receive your name, email address, and profile picture from Google.
- Paystack: Transaction confirmation data, payment status updates via webhooks.
4. Purpose of Processing
We process your personal information for the following purposes, each with a lawful basis under POPIA:
- Contract performance (Section 11(1)(b)): To provide the Platform services — account management, event listing, ticket sales, bookings, payments, messaging, and wallet operations.
- Legal obligation (Section 11(1)(c)): To comply with financial regulations, tax reporting, anti-fraud requirements, and consumer protection laws.
- Legitimate interest (Section 11(1)(f)): To improve the Platform, detect fraud, prevent abuse, and maintain security. We balance our interests against your rights.
- Consent (Section 11(1)(a)): Where applicable, for optional marketing communications. You may withdraw consent at any time.
5. How We Share Your Information
We share personal information only as necessary for Platform operations:
- With other users: Your public profile (name, bio, reviews, ratings) is visible to other users. Organizers and artists/crew can see each other's booking details. Messages are shared with conversation participants.
- Paystack (Payment Processor): Transaction data for payment processing. Paystack is PCI-DSS compliant and operates under its own privacy policy.
- Supabase (Infrastructure Provider): Your data is stored on Supabase infrastructure. Data is encrypted at rest and in transit.
- Resend (Email Service): Your email address for transactional emails (booking confirmations, password resets, notifications).
- Google (Authentication): If you use Google sign-in, authentication data is exchanged with Google under their privacy policy.
- Law enforcement: When required by law, court order, or to protect the rights, safety, or property of Ziyawa, our users, or the public.
We do not sell your personal information to third parties.
6. Cross-Border Transfers
Some of our service providers (Supabase, Resend, Google) may process data outside of South Africa. Where this occurs, we ensure that adequate safeguards are in place as required by POPIA Section 72, including ensuring that the recipient country has adequate data protection laws or that the recipient is bound by contractual obligations providing equivalent protection.
7. Data Retention
We retain your personal information for as long as necessary to:
- Provide Platform services while your account is active.
- Comply with legal obligations (e.g., financial records retained for 5 years as required by SARS).
- Resolve disputes and enforce our agreements.
After account closure, we retain essential records (transaction history, identity verification outcomes) for the legally mandated period, then securely delete them. Messages and non-essential profile data are deleted within 90 days of account closure.
8. Your Rights Under POPIA
As a data subject, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Object: Object to the processing of your personal information on reasonable grounds.
- Restrict processing: Request limitation of processing in certain circumstances.
- Data portability: Receive your personal information in a structured, commonly used format.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
- Complain: Lodge a complaint with the Information Regulator if you believe your rights have been violated.
To exercise any of these rights, contact us at info@zande.io. We will respond within 30 days as required by POPIA.
9. Security Measures
We implement the following security measures to protect your personal information:
- Encryption: All data transmitted between your device and our servers is encrypted using TLS.
- Row-Level Security (RLS): Database-level access controls ensure users can only access data they are authorised to see.
- Password security: Passwords are hashed using industry-standard algorithms and never stored in plain text.
- Two-Factor Authentication (2FA): TOTP-based two-factor authentication is available for all users and mandatory for administrators.
- Secure document storage: Verification documents are stored in private, access-controlled storage buckets.
- Payment security: Card payments are processed by Paystack (PCI-DSS Level 1 compliant). We never store card numbers.
- Admin audit trails: Administrative actions are logged for accountability and oversight.
Despite these measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to support@zande.io immediately.
10. Cookies
The Platform uses the following types of cookies:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled as the Platform cannot function without them.
- Functional cookies: Remember your preferences (e.g., language, theme). Used to improve your experience.
We do not use advertising or tracking cookies. We do not use third-party analytics that track individual users. You can manage cookies through your browser settings, but disabling essential cookies will prevent you from using the Platform.
11. Children's Privacy
The Platform is not intended for persons under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete it. If you believe we have collected information from a child, please contact us at info@zande.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact and Complaints
For privacy-related queries, data subject requests, or complaints:
- Zande Technologies (Pty) Ltd
- Information Officer Email: info@zande.io
- Support: support@zande.io
- Information Regulator Ref: 2025-066656
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa:
- Email: enquiries@inforegulator.org.za
- Website: www.justice.gov.za/inforeg
- Tel: 012 406 4818
14. Applicable Law
This Privacy Policy is governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act 4 of 2013 (POPIA), the Electronic Communications and Transactions Act 25 of 2002 (ECTA), and the Consumer Protection Act 68 of 2008 (CPA).
For our full terms of use, see our Terms of Service. For refund and cancellation information, see our Refund Policy.