Privacy Policy
Issued under the Protection of Personal Information Act, 2013 (POPIA)
Effective Date: 25 April 2026
Last Updated: 25 April 2026
1. Who we are
VibesMap ("VibesMap", "we", "us", "our") operates the website vibesmap.co.za and related services (the "Platform"), a venue discovery and reservation platform focused on Cape Town, South Africa.
For purposes of POPIA, VibesMap is the Responsible Party in respect of the personal information described in this policy.
2. Information Officer
Our designated Information Officer (as required by section 55 of POPIA) can be contacted at:
- Name: Brendon Mapinda
- Email: privacy@vibesmap.co.za
3. Personal information we process
Depending on how you use the Platform, we may process the following categories of personal information:
- Account information: name, email address, hashed password, profile picture, authentication provider (Google or email), role.
- Reservation information: customer name, email address, phone number, party size, date and time, special requests, venue chosen.
- Reviews and ratings: the text, rating and identity associated with reviews you publish.
- Favourites and activity: venues you save, your itinerary or budget selections, recently viewed venues.
- Partner information (venues): business name, contact name, business email and phone, business address, payment reference, subscription tier and status.
- Payment information: we do not store your full card or banking details. Payments are processed by PayFast (Pty) Ltd, which collects and stores those details directly. We retain only the PayFast payment reference and subscription status.
- Location data: approximate location, only when you grant your browser permission, used to surface nearby venues.
- Technical data: IP address, browser type and version, device type, operating system, referring URL, pages visited, session timestamps, error reports.
- Communications: the content of any email, support request or form submission you send us.
We do not knowingly collect special personal information (as defined in section 26 of POPIA, e.g. religion, health, biometrics, criminal behaviour). Please do not share such information with us.
4. Sources
We collect personal information directly from you when you use the Platform. We may also receive information from third parties whose services you use to interact with us, such as Google (when you sign in with Google) and PayFast (when you pay for a subscription). Public venue data (e.g. business name, address, opening hours) may be sourced from publicly available datasets including the Google Places API.
5. Purposes and lawful basis for processing
In line with section 11 of POPIA, we only process personal information where we have a lawful basis to do so:
| Purpose | Lawful basis (s.11) |
|---|---|
| Creating and managing your account; authenticating you | Performance of contract |
| Processing reservations and sending booking confirmations | Performance of contract |
| Processing partner subscription payments via PayFast | Performance of contract; legal obligation (tax, audit) |
| Showing your reviews to other users | Consent (publication is voluntary) |
| Showing nearby venues using location | Consent (browser permission) |
| Sending marketing emails or promotions | Consent (opt-in) / soft opt-in for existing customers |
| Fraud prevention, abuse mitigation, security, rate limiting, CAPTCHA | Legitimate interest of VibesMap and other users |
| Analytics, product improvement, error monitoring | Legitimate interest |
| Complying with law (e.g. responding to lawful requests, tax) | Legal obligation |
6. Sharing with operators and third parties
We do not sell your personal information. We share it only as needed to operate the Platform, with the following operators (processors) acting on our written instructions and under appropriate safeguards:
- Vercel Inc. — hosting, edge delivery, deployment logs.
- MongoDB Atlas (MongoDB Inc.) — primary database for accounts, reservations, reviews, favourites, venues.
- Google LLC — Google OAuth (sign-in), Google Places API (venue data), Google Analytics (usage analytics, only if enabled).
- PayFast (Pty) Ltd (South Africa) — payment processing for partner subscriptions, including ITN webhooks.
- Resend Inc. — transactional email delivery (booking confirmations, partner notifications).
- Cloudinary Ltd. — image and video storage and delivery for venue photos.
- Functional Software Inc. (Sentry) — error and performance monitoring.
- Cloudflare Inc. — Turnstile CAPTCHA verification and bot mitigation.
We may also share personal information (a) with venue partners, but only the booking details strictly required to honour your reservation; (b) with our professional advisers (legal, accounting, auditors) under confidentiality; (c) with law enforcement or regulators where legally compelled to do so; (d) with a successor in the event of a sale, merger or restructure of the business.
7. Cross-border transfers
Several of the operators above process data outside South Africa (primarily in the United States and the European Union). In line with section 72 of POPIA, we only transfer personal information to a country if (i) it is subject to a law, contract or binding rules providing an adequate level of protection; (ii) the transfer is necessary to perform a contract with you; or (iii) you have consented. By using the Platform you acknowledge that these transfers are necessary for us to provide the service.
8. Retention
We retain personal information only for as long as is necessary for the purpose for which it was collected, or as required by law:
- Account data: while your account is active, plus 30 days after deletion (to allow recovery from accidental deletion).
- Reservation records: 12 months from the reservation date for dispute resolution.
- Reviews: until you remove them or delete your account.
- Partner subscription and payment records: at least 5 years, as required by South African tax legislation (Tax Administration Act, 2011).
- Server logs and error reports: up to 90 days.
- Marketing consent records: for the duration of consent plus 3 years to evidence compliance.
After these periods we delete or de-identify the information.
9. Security
We take appropriate, reasonable technical and organisational measures to protect personal information against loss, damage and unauthorised or unlawful access. These measures include encryption in transit (HTTPS/TLS), encryption of databases at rest, hashed passwords (bcrypt), per-IP rate limiting, CAPTCHA, role-based access control, CSRF protection, secure session tokens, and ongoing security monitoring. No system is completely secure, and we cannot guarantee absolute security.
10. Data breaches
In line with section 22 of POPIA, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and affected data subjects as soon as reasonably possible after becoming aware of the breach, unless a public body or law enforcement otherwise instructs us.
11. Cookies and similar technologies
We use a small number of cookies and similar technologies to operate the Platform:
- Strictly necessary: session cookies for authentication and CSRF protection. The Platform cannot function without these.
- Functional: theme preference (dark/light), recently viewed venues, currency selection.
- Analytics: Google Analytics (only if NEXT_PUBLIC_GA_ID is configured), Sentry (error monitoring).
- Security: Cloudflare Turnstile (CAPTCHA, may set short-lived cookies during challenges).
You can disable non-essential cookies by adjusting your browser settings. Disabling strictly necessary cookies will break sign-in and reservations.
12. Direct marketing
In line with section 69 of POPIA and section 45 of the Electronic Communications and Transactions Act, 2002 (ECT Act), we will only send you electronic direct marketing where you have given prior consent or where you are an existing customer who has not opted out and the marketing is for our own similar products or services. Every marketing message will identify the sender and include a free, easy way to unsubscribe. You can also opt out at any time by emailing privacy@vibesmap.co.za.
13. Your rights
Subject to POPIA, you have the right to:
- be notified that your information is being collected and of any unauthorised access;
- access the personal information we hold about you;
- request correction or deletion of inaccurate, out-of-date or unlawfully obtained information;
- object, on reasonable grounds, to processing carried out on the basis of legitimate interest;
- object to processing for direct marketing by means of unsolicited electronic communications;
- withdraw any consent you previously gave (without affecting the lawfulness of processing before withdrawal);
- not be subject to a decision based solely on automated processing that has legal effects on you (we do not currently undertake such processing); and
- complain to the Information Regulator (see below).
To exercise any of these rights, email privacy@vibesmap.co.za. We may need to verify your identity before responding. The official POPIA forms (Form 1 — request for correction or deletion; Form 2 — objection to processing; Form 3 — request access) are available from the Information Regulator's website. We will respond within a reasonable period, generally within 30 days.
14. Children
The Platform is intended for users aged 18 and over because much of the content relates to alcohol, nightlife and licensed venues. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please email privacy@vibesmap.co.za and we will delete it.
15. Complaints to the Information Regulator
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the Information Regulator of South Africa:
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Postal: P.O. Box 31533, Braamfontein, 2017
- Email (general): inforeg@justice.gov.za
- Email (complaints): complaints.IR@justice.gov.za
- Web: inforegulator.org.za
We'd ask you to raise the issue with us first so we have a chance to put it right.
16. Changes to this policy
We may update this policy from time to time. The latest version will always be available at this URL with a revised "Last Updated" date. Material changes will, where reasonably practicable, be notified to registered users by email.
17. Contact
Questions about this policy or how we handle your information:
Email: privacy@vibesmap.co.za