
Privacy Policy

Effective date: 1 April 2026 · Last updated: 7 April 2026

1. Introduction

This Privacy Policy explains how BEVA Direct Services CC (trading as “TravelFlow”), a close corporation registered in the Republic of South Africa (“we”, “us”, or “our”), collects, uses, stores, shares, and protects your personal information when you access or use the TravelFlow platform, including all associated websites, applications, APIs, and services (collectively, the “Platform”).

This Policy is prepared in accordance with the Protection of Personal Information Act, 2013 (Act 4 of 2013) (“POPIA”) of South Africa and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”). By using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Policy.

2. Responsible Party & Information Officer

For the purposes of POPIA, the responsible party is:

BEVA Direct Services CC

Trading as: TravelFlow

Jurisdiction: Republic of South Africa

Information Officer: privacy@travelflow.co.za

General Enquiries: support@travelflow.co.za

3. Personal Information We Collect

We collect the following categories of personal information, depending on your role and use of the Platform:

3.1 Identity & Contact Information

Full name, initials, surname, email address, telephone number, physical address, job title, position, and department. For travellers: passport number, date of birth, nationality, and frequent flyer numbers.

3.2 Account & Authentication Data

Email address, hashed password, multi-factor authentication (MFA) enrolment status, session identifiers, login timestamps, IP addresses, and browser user-agent strings.

3.3 Financial Information

Bank account details (encrypted at rest using AES-256-GCM), payment card information (processed by PayU — we do not store card numbers), invoice and payment records, commission data, and transaction histories.

3.4 Booking & Travel Data

Flight itineraries, hotel reservations, car rental bookings, travel dates, destinations, passenger manifests, special requests, meal preferences, and loyalty programme details.

3.5 Organisational Data

Organisation name, department structures, cost centres, budget codes, approval hierarchies, travel policies, and inter-departmental relationships.

3.6 Technical & Usage Data

Device type, operating system, browser type, screen resolution, pages visited, features used, error logs, performance metrics, and analytics data. This data is collected automatically when you interact with the Platform.

3.7 Communication Data

Messages sent through the in-platform messaging system, support ticket content, and email correspondence related to bookings or account management.

4. Legal Basis for Processing

We process your personal information on the following legal grounds under POPIA Section 11:

  • Consent (Section 11(1)(a)) — Where you have given explicit consent, such as for marketing communications or optional data sharing.
  • Contractual Necessity (Section 11(1)(b)) — Processing necessary to perform the services you have requested, including travel bookings, payment processing, and document generation.
  • Legal Obligation (Section 11(1)(c)) — Processing required to comply with South African law, including tax legislation (VAT Act), financial record-keeping requirements, and regulatory reporting obligations.
  • Legitimate Interest (Section 11(1)(f)) — Processing necessary for our legitimate business interests, such as fraud prevention, platform security, analytics, and service improvement, provided these interests do not override your rights.

For EU/EEA data subjects, we additionally rely on Article 6(1) of the GDPR with corresponding legal bases.

5. How We Use Your Information

  • Processing and fulfilling travel bookings, including communication with airlines, hotels, and car rental providers
  • Generating quotations, invoices, vouchers, itineraries, and other travel documents
  • Processing payments through our payment gateway partner (PayU South Africa)
  • Operating the accounting module, including journal entries, bank reconciliation, VAT calculations, and financial reporting
  • Managing organisational travel policies, approval workflows, and budget enforcement
  • Authenticating users, managing sessions, and enforcing role-based access controls
  • Detecting, preventing, and responding to fraud, security incidents, and unauthorised access
  • Maintaining audit trails for regulatory compliance and dispute resolution
  • Providing customer support and resolving service enquiries
  • Improving the Platform through analytics, error monitoring, and performance optimisation
  • Complying with applicable laws, regulations, and lawful requests from authorities

6. Third-Party Data Sharing

We share your personal information with the following categories of third parties, strictly on a need-to-know basis and subject to appropriate data protection agreements:

6.1 Global Distribution Systems (GDS)

RateHawk (Emerging Travel Group), Amadeus IT Group, Sabre Corporation, and Travelport. Booking data (passenger names, travel dates, destinations) is transmitted to fulfil reservations. These providers operate under their own privacy policies.

6.2 Payment Processors

PayU South Africa (PaymentsOS Enterprise API) processes payment transactions. We transmit the minimum information required to process payments. We do not store full credit or debit card numbers on our systems.

6.3 Cloud Infrastructure

Google Firebase (Cloud Firestore, Firebase Authentication, Cloud Storage) and Vercel Inc. host the Platform infrastructure. Data may be stored in data centres outside South Africa. See Section 8 (Cross-Border Transfers) for details.

6.4 Travel Service Providers

Airlines, hotels, car rental companies, transfer operators, and other travel suppliers receive the information necessary to fulfil your booking (passenger names, dates, special requirements).

6.5 Error Monitoring

Sentry (Functional Software, Inc.) may receive anonymised error and performance data to help us identify and resolve technical issues. No personally identifiable information is intentionally transmitted.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

7. Data Security

We implement the following technical and organisational measures to protect your personal information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Sensitive financial data (bank account numbers, SWIFT codes, branch codes) is encrypted using AES-256-GCM before storage in the database.
  • Authentication: Firebase Authentication with support for multi-factor authentication (MFA), password policies (complexity, expiration), and session management.
  • Session security: Server-side session tracking with automatic invalidation on password change, administrative action, or idle timeout.
  • Access control: Role-based access control (RBAC) with eight distinct user roles and granular permission profiles. Multi-tenant data isolation enforced at both the application and database layers.
  • Rate limiting: All API endpoints are rate-limited to prevent abuse, brute-force attacks, and denial-of-service attempts.
  • Audit trails: All significant operations (data creation, modification, deletion, approvals, login events) are logged with timestamps, user identifiers, and IP addresses.
  • Environment security: Environment variables are validated at application startup using schema validation. Secrets are never exposed in client-side code.
  • Firestore Security Rules: Database-level rules enforce ownership checks, organisational isolation, and role-based access independently of application code.

8. Cross-Border Data Transfers

Your personal information may be transferred to, stored in, or processed in countries outside the Republic of South Africa, including the United States and the European Economic Area, where our infrastructure providers (Google, Vercel) and GDS partners maintain data centres.

In accordance with POPIA Section 72, we ensure that such transfers are subject to appropriate safeguards, including:

  • Standard contractual clauses or equivalent data protection agreements with all third-party processors
  • Verification that the recipient country provides an adequate level of data protection, or that binding corporate rules apply
  • Technical measures (encryption, access controls) that protect data regardless of where it is stored

9. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes described in this Policy, or as required by law:

  • Account data: Retained for the duration of your account and for 12 months after account deletion or deactivation.
  • Booking records: Retained for a minimum of 5 years from the date of travel, in accordance with travel industry record-keeping requirements.
  • Financial records: Retained for a minimum of 5 years in accordance with the Companies Act, 2008 (Act 71 of 2008) and the Tax Administration Act, 2011 (Act 28 of 2011).
  • Audit logs: Retained for a minimum of 3 years for compliance and dispute resolution purposes.
  • Session data: Automatically purged within 30 days of session expiration.
  • Communication records: Retained for 2 years from the date of the last interaction.

When personal information is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.

10. Your Rights as a Data Subject

Under POPIA (and GDPR where applicable), you have the following rights in relation to your personal information:

  • Right of access — Request confirmation of whether we hold your personal information and obtain a copy of it (POPIA Section 23).
  • Right to correction — Request correction or update of inaccurate, incomplete, or misleading personal information (POPIA Section 24).
  • Right to deletion — Request destruction or deletion of personal information that is no longer necessary for the purpose for which it was collected (POPIA Section 24).
  • Right to object — Object to the processing of your personal information on reasonable grounds (POPIA Section 11(3)).
  • Right to withdraw consent — Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to data portability — Request a copy of your personal information in a structured, commonly used, machine-readable format (where technically feasible).
  • Right to lodge a complaint — Lodge a complaint with the Information Regulator of South Africa if you believe your rights have been infringed.

To exercise any of these rights, contact our Information Officer at privacy@travelflow.co.za. We will respond within 30 days of receiving your request, as required by POPIA.

11. Cookies & Local Storage

The Platform uses browser session storage to maintain your booking basket and session state during your visit. We use Firebase Authentication tokens stored in browser memory for secure authentication. We do not use third-party advertising or tracking cookies.

Analytics data, if collected, is used solely for service improvement and is not shared with advertisers. You may configure your browser to block cookies or clear local storage at any time, though this may affect Platform functionality.

12. Children's Privacy

The Platform is not directed at children under the age of 18. We do not knowingly collect personal information from children. Where a booking includes minor travellers, the responsible adult provides the child's information and assumes responsibility for its accuracy and the consent to process it. If we become aware that we have inadvertently collected personal information from a child without appropriate parental consent, we will take steps to delete it promptly.

13. Data Breach Notification

In the event of a security breach that compromises your personal information, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with POPIA Section 22. Notification will include a description of the breach, the categories of information affected, the likely consequences, and the measures taken or proposed to address the breach.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. Material changes will be communicated through the Platform (via notification or prominent notice) and by updating the “Last updated” date at the top of this page. Your continued use of the Platform after such changes constitutes acceptance of the revised Policy.

15. Contact & Information Regulator

For privacy enquiries, data subject requests, or complaints:

Information Officer — BEVA Direct Services CC

Email: privacy@travelflow.co.za

General Support: support@travelflow.co.za

Information Regulator (South Africa)

Email: complaints.IR@justice.gov.za

Website: www.justice.gov.za/inforeg/