Organiser and Admin Privacy Policy
1. Who We Are
Bookaroo is an online ticketing facilitation platform operated by FlowIQ (Pty) Ltd (Registration Number: 2025/503612/07).
For the purposes of the Protection of Personal Information Act, 2013 (POPIA), FlowIQ is the Responsible Party for personal information processed through the Bookaroo platform.
This policy applies to organisers, venue administrators, client administrators, staff users, and other authorised users who access the Bookaroo admin system or manage events through the Bookaroo platform.
Where an organiser uses attendee, booking, reporting, or exported information outside the Bookaroo platform, the organiser may act as a separate Responsible Party for that processing.
Contact Details:
Email: support@bookaroo.co.za
Website: https://www.bookaroo.co.za
2. Information Officer
For formal privacy inquiries and data subject requests, contact:
Jonathan Nel (Information Officer)
Email: legal@flowiq.africa
3. Information We Collect
When you use Bookaroo, we collect personal information, including:
Identity and Contact Information
- Full name and surname
- Email address
- Phone number
Account Information
- Login credentials and authentication data, processed securely through our authentication provider. We do not intentionally store plain-text passwords.
- Account preferences and settings
- Profile information
Technical and Usage Information
- IP address
- Browser type and operating system
- Device identifier
- Website usage analytics
- Pages visited and time spent
- Cookies and similar tracking technologies
- Admin actions taken in the platform
- Timestamps, access logs, security events, and audit records
- Multi-factor authentication setup, verification, and trusted-device status
Organisation and Tenant Information
- Organisation or business name
- Tenant or client association
- Admin role, permissions, and access level
- Invitation status and account status
Event Administration Information
- Events created or managed by you
- Venue, schedule, ticketing, pricing, seating, and capacity configuration
- Booking settings and communication preferences
- Operational notes and support requests
Sensitive Personal Information
We do not intentionally collect special categories of personal information (such as race, ethnicity, religious beliefs, political affiliations, or biometric data) unless you voluntarily provide it with your explicit consent or processing is required by law.
4. How We Use Your Information
We use personal information to:
- Create and manage your Bookaroo account
- Verify authorised access to organiser, venue, client, or tenant workspaces
- Apply role-based permissions and access controls
- Enable event setup, ticketing configuration, seating setup, booking management, reporting, and attendee support
- Send operational notices, account notifications, security alerts, and support responses
- Provide onboarding, support, billing, and service administration
- Protect Bookaroo, organisers, attendees, and platform users against misuse, fraud, unauthorised access, or security incidents
- Improve and optimize our platform
- Comply with legal and regulatory obligations
- Prevent fraud and protect security
- Understand how the admin system is used, identify errors, monitor performance, improve support, and improve the Bookaroo service
Lawful Basis for Processing
We process your personal information based on one or more of:
- Consent: you have voluntarily consented to the processing
- Contract Performance: processing is necessary to provide our services
- Legal Obligation: we are required by law to process the information
- Legitimate Interests: processing is necessary for our legitimate business interests (such as fraud prevention, security, and service improvement)
5. Who We Share Your Information With
Personal information may be shared with:
Within Your Organisation or Tenant
Your information may be visible to other authorised users in the same organisation or tenant, depending on their permissions. This may include your name, email address, role, account status, and activity related to event administration.
Service Providers
We use trusted service providers to operate the platform, including:
- Cloud hosting and infrastructure providers
- Customer support platforms
- Analytics services
- Email and SMS providers
- Identity verification services
- Security and fraud prevention services
These providers only process information as required to deliver the service and are contractually required to maintain confidentiality.
Law Enforcement and Legal Authorities
We may disclose personal information when required by law, court order, or to protect the security or integrity of our platform.
Business Transfers
If Bookaroo is involved in a merger, acquisition, or similar transaction, your personal information may be transferred as part of that transaction.
Aggregated and De-identified Information
We may share aggregated, anonymized, or de-identified information (that cannot identify you) for market research, analytics, and reporting.
No Sale of Personal Information
Bookaroo does not sell personal information to third parties for their independent commercial purposes.
6. International Data Transfers
Your personal information may be processed outside South Africa for cloud hosting, service provision and business operations. Where this happens, we apply appropriate safeguards in line with section 72 of POPIA, including (where applicable) data subject consent, contractual safeguards equivalent to POPIA, or transfers to jurisdictions with adequate data protection laws.
The third-party service providers we currently use to operate the Bookaroo platform include:
- Payment processing (Paystack)
- Email delivery (Brevo)
- Cloud hosting and infrastructure (Vercel)
- Database and backend services (Supabase)
- Analytics and performance monitoring tools (Microsoft)
- Code hosting and security tools
- Messaging services (e.g. WhatsApp integrations)
These providers process personal information only as necessary to deliver their services and are required to maintain appropriate confidentiality and data-protection safeguards equivalent in substance to POPIA.
Transfer Safeguards
Where we transfer personal information outside South Africa (including to countries without adequate data protection), we implement the following safeguards:
Standard Contractual Clauses
We use legally binding Standard Contractual Clauses with third-party recipients to ensure equivalent protection of your information and enforceable rights.
Your Rights
You have the right to:
- Request information about safeguards protecting your data in transfer
- Obtain copies of transfer agreements (with commercially sensitive information redacted)
- Lodge a complaint with the Information Regulator if you believe your rights are violated
7. Cookies and Tracking Technologies
When organisers, venue administrators, or authorised users log into the Bookaroo admin system, we use cookies and similar technologies to provide secure access to the platform.
These cookies are necessary for authentication, session management, tenant or client context, admin security, idle timeout enforcement, and multi-factor authentication. For example, we may use cookies to keep you logged in, confirm which client or tenant account you are working in, detect when your admin session has been inactive, and remember recent multi-factor authentication verification on the same device for a limited period.
Admin security cookies are used only to operate and protect the Bookaroo platform. They are not used for advertising or behavioural tracking.
We may collect limited technical and security information when you use the admin system, such as login activity, IP address, browser information, device information, timestamps, and audit or troubleshooting logs. This helps us protect accounts, investigate issues, monitor platform health, and prevent unauthorised access.
Analytics tools used on public-facing pages are not intended to track activity inside the admin system. Where analytics or diagnostic tools are used for platform performance, troubleshooting, or security monitoring, they are used to support the operation and protection of the service rather than advertising.
You can control or delete cookies through your browser settings. However, disabling necessary cookies may prevent you from logging in, maintaining an admin session, using multi-factor authentication, or accessing tenant-specific admin features.
Examples of Admin Cookies and Similar Technologies We May Use
| Description | Purpose | Required |
|---|---|---|
| Authentication cookies | Keep you securely logged in and verify your session | Yes |
| Tenant/client context cookies | Confirm which organiser, venue, or client workspace you are accessing | Yes |
| Admin activity cookies | Detect inactivity and enforce idle timeout | Yes |
| MFA/trusted-device cookies | Remember recent multi-factor authentication verification on the same device for a limited period | Yes |
| Security and diagnostic logs | Detect suspicious activity, troubleshoot errors, and protect the platform | Yes |
Cookie Consent
When you first visit our website, you may see a cookie consent banner that explains the difference between necessary cookies and optional analytics cookies.
The banner may allow you to:
- accept optional analytics cookies;
- reject optional analytics cookies;
- manage your cookie preferences; and
- access this Privacy Policy.
Strictly necessary cookies cannot be disabled through the cookie banner because they are required for Bookaroo to operate securely and correctly.
You may manage your cookie preferences at any time by using the cookie preference tool, adjusting your browser settings, or contacting us at support@bookaroo.co.za.
8. Data Retention
Your Right to Deletion
You have the right to request deletion of your personal information. Requests will be evaluated against legal retention obligations, ongoing contractual obligations, and legitimate business interests. We will inform you of the outcome within 30 days.
9. Your Rights
Under POPIA, you have the following rights:
Right of Access
You can request confirmation of whether we process your personal information and obtain a copy in a structured, machine-readable format.
Right to Correct
You can request correction or amendment of inaccurate information.
Right to Delete
You can request deletion of your personal information under certain circumstances (where it is no longer necessary, you withdraw consent, processing is unlawful, or legal deletion requirements apply).
Right to Restrict Processing
You can request restriction of processing while you contest accuracy or where processing is unlawful.
Right to Object
You can object to processing for direct marketing or profiling, or to processing based on legitimate interests.
Right to Data Portability
You can receive your personal information in a portable, machine-readable format for transfer to another provider.
Right to Lodge a Complaint
You can lodge a complaint with the Information Regulator if you believe your rights have been violated.
How to Exercise Your Rights
Submit Your Request
Send a formal written request to:
Email: legal@flowiq.africa
Subject Line: "Data Subject Request - [Your Full Name]"
Include in your request:
- Your full name and registered email address
- The specific right you are exercising
- A detailed description of your request
- Any supporting documentation
Identity Verification
To protect your privacy, we will request identity verification. This typically requires 5–7 business days.
Response Timeline
We are committed to responding promptly:
| Type of Request | Timeline |
|---|---|
| Right of Access | 10 business days |
| Right to Correct | 10 business days |
| Right to Delete | 15 business days |
| Right to Restrict | 10 business days |
| Right to Object | 5 business days |
| Right to Portability | 15 business days |
For complex requests, we may extend the timeline by up to 30 days. You will be notified of any extension.
Appeal Process
If your request is refused, we will provide written reasons and explain the legal basis for refusal. You will be informed of your right to lodge a complaint with the Information Regulator.
10. Data Security
Your Responsibility
- Maintain confidentiality of your account credentials
- Log out when using shared devices
- Report suspicious activity immediately to Bookaroo support or your organisation’s account owner
- Use strong, unique passwords
- Keep your device software updated
Organisers and authorised users are responsible for using attendee and booking information accessed through Bookaroo only for legitimate event-related purposes, and for ensuring that any exports, downloads, screenshots, reports, or offline copies are handled securely and lawfully.
Limitation on Security
While we implement industry-standard measures, no system is completely secure. We cannot guarantee absolute security of your personal information.
11. Data Breach Notification
What is a Data Breach?
A "Personal Data Breach" is an unauthorized or accidental event resulting in:
- Destruction of personal information
- Loss of personal information
- Alteration of personal information
- Unauthorized disclosure or access
Our Notification Obligations
Internal Notification (72 Hours)
If we discover a breach affecting your personal information, we will:
- Conduct an immediate investigation
- Take steps to contain and prevent further unauthorized processing
- Notify the Information Regulator within 72 hours of discovery (unless the breach is unlikely to result in harm)
- Document the breach, including:
  - Date and time of discovery
  - Categories of data affected
  - Number of data subjects affected
  - Likely consequences
  - Measures taken to respond
Notification to You
If the breach is likely to result in a high risk to your rights and freedoms, we will notify you:
- Timing: Without undue delay (as soon as possible)
- Method: Email, SMS, or written notice by mail
- Content:
  - Nature of the breach
  - Personal information affected
  - Likely consequences
  - Measures we have taken
  - Your rights and remedies
  - Contact information for more information
Exceptions to Notification
We may delay notification if law enforcement requests a delay for its investigation or if delaying notification is necessary for security reasons.
Your Right to Remedy
If your personal information is compromised in a breach, you have the right to:
- Lodge a complaint with the Information Regulator
- Seek damages for material or non-material harm
- Receive information about our response measures
12. Direct Marketing Communications
We may send organiser and admin users communications about Bookaroo products, features, service updates, onboarding, offers, or related services where permitted by law.
We will only send electronic direct marketing where you have consented, or where we are permitted to contact existing customers about our own similar services and you have been given a reasonable opportunity to object.
You can opt out of marketing communications at any time. Operational and transactional communications, such as account notices, security alerts, booking-related notices, invoices, payment confirmations, service updates, support responses, and legal notices, are not marketing and may still be sent where necessary to provide and protect the service.
13. Third-Party Links and Integrations
This Privacy Policy applies only to Bookaroo and does not cover:
- Third-party websites linked from our site
- Third-party services integrated with Bookaroo
- Social media platforms where you access Bookaroo content
We encourage you to review the privacy policies of third parties before providing them with personal information.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, new laws or regulations, or to improve clarity.
Material changes include:
- New categories of personal information collected
- New or different purposes for processing
- Changes in data sharing practices
- Changes to your rights or opt-out mechanisms
- Changes in data retention periods
We will notify you of material changes by:
- Posting the updated policy on our website with the new "Last Updated" date
- Sending you an email notification (if the change materially affects your rights)
- Requiring your explicit consent (if required by law)
Your continued use of Bookaroo after policy changes constitutes acceptance of the updated policy. If you disagree, you have the right to:
- Request deletion of your account and personal information
- Opt out of specific processing activities
- Lodge a complaint with the Information Regulator
15. Complaints and Dispute Resolution
If you believe your privacy rights have been violated:
Step 1: Internal Complaint
Submit a written complaint to our Information Officer at legal@flowiq.africa with details of the alleged violation and requested remedy. We will investigate and respond within 15 business days.
Step 2: Internal Review
If you are unsatisfied with the initial response, you can request a formal internal review. The additional review will be completed within 15 business days.
Step 3: Information Regulator Complaint
If still unsatisfied, you may lodge a complaint with:
Information Regulator (South Africa)
Email: complaints@inforegulator.org.za
Telephone: +27 10 023 5207
Website: https://www.inforegulator.org.za
Postal Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Step 4: Legal Action
You may pursue legal remedies through the courts.
All complaints will be recorded, investigated thoroughly and impartially, and handled with appropriate confidentiality.
16. Contact Information
General Inquiries:
Email: support@bookaroo.co.za
Website: https://www.bookaroo.co.za
We will respond to general inquiries within 5 business days.
Information Officer (Formal Requests):
Jonathan Nel
Email: legal@flowiq.africa
Document Control
| Item | Detail |
|---|---|
| Policy Version | 3.0 (Final) |
| Effective Date | 7 April 2026 |
| Last Updated | 7 April 2026 |
| Next Review Date | 7 April 2027 |
| Responsible Officer | Jonathan Nel (Information Officer) |
| Approval Authority | FlowIQ (Pty) Ltd Management |
END OF PRIVACY POLICY
This Privacy Policy complies with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) and incorporates all critical data protection requirements including POPIA Section 18 collection notice, lawful basis for processing, cross-border transfer safeguards, cookie policy with opt-outs, 72-hour breach notification procedure, data retention schedule, and data subject rights under POPIA Sections 23–25.