POPIA Privacy Policy

1. Who we are

GotTime (“we”, “us”, “our”) provides an online booking and appointment reminder layer that integrates with WhatsApp to help South African businesses manage bookings, send confirmations, reminders and review follow-ups.

For most processing activities, the subscribing business (our “Client”) is the Responsible Party in terms of the Protection of Personal Information Act, 2013 (“POPIA”). GotTime acts as an Operator by processing personal information on behalf of that Client.

2. Personal information we process

Depending on how the service is used, we may process the following categories of personal information:

• Business (Client) information: business name, contact person details, email address, WhatsApp number, billing information and subscription history.
• End-user (customer) information: name, mobile number (typically WhatsApp-enabled), appointment details (service, date and time), basic preferences and limited communication history related to bookings.
• Technical information: device, browser type, approximate location, IP address, and usage logs required to secure and operate the platform.

3. How we collect personal information

We collect personal information in the following ways:

• When a business signs up for GotTime and provides their details.
• When an end-user makes a booking through a Client’s public booking page or WhatsApp-driven flow.
• Via WhatsApp Cloud API webhooks when end-users receive or respond to messages (for example, confirmations, reminders, CANCEL or MENU commands).
• Through limited, privacy-conscious analytics and logging used to secure and improve the service.

4. Purposes and lawful basis for processing

We process personal information only for lawful, specific and explicitly defined purposes, including:

• To provide and maintain the GotTime booking, confirmation and reminder service.
• To send transactional WhatsApp messages related to bookings and attendance.
• To enable end-users to view, confirm, cancel or manage their bookings.
• To send post-visit review requests on behalf of Clients.
• To manage Client subscriptions, billing and support.
• To secure the platform, prevent abuse and comply with applicable laws.

Where GotTime acts as Operator, we process information on the documented instructions of the Responsible Party (our Client) and rely on their lawful basis (for example, performance of a contract with the end-user, consent, or legitimate interests).

5. Sharing and disclosures

We do not sell personal information. We may share personal information only with the following categories of recipients, where necessary to deliver the service:

• WhatsApp / Meta Platforms: for sending and receiving WhatsApp messages via WhatsApp Cloud API.
• Payment processors (such as Paystack): for handling subscription billing and related payment information.
• Hosting and infrastructure providers: that securely host our application, databases and logs.
• Authorised service providers: such as email delivery or monitoring tools, under strict data protection obligations.

Where required by law, we may also disclose personal information to regulators, law enforcement or other authorities, following appropriate due process.

6. Cross-border transfers

Some of the service providers mentioned above may process personal information in countries outside South Africa. Where this occurs, we take reasonable steps to ensure that the recipient is subject to data protection laws, binding corporate rules, or contractual safeguards that offer an adequate level of protection in line with POPIA.

7. Security and retention

We use appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse or alteration. These measures may include encryption in transit, access controls, monitoring, and regular security updates.

We retain personal information only for as long as necessary to fulfil the purposes set out in this policy, to satisfy legal, accounting or reporting requirements, or as agreed with the Responsible Party. Thereafter, information is securely deleted or de-identified.

8. Data subject rights

Under POPIA, data subjects have a number of rights in relation to their personal information, including the rights to:

• request access to the personal information we hold about them;
• request correction or deletion of personal information that is inaccurate, irrelevant or excessive;
• object to certain forms of processing;
• withdraw consent where processing is based on consent; and
• submit a complaint to the Information Regulator.

Because we typically act as Operator, individuals should first contact the relevant business (Client) they booked with to exercise these rights. We will assist the Responsible Party in responding to such requests where required.

9. Children’s information

GotTime is not specifically targeted at children. Where our Clients offer services to children, they are responsible for ensuring that appropriate consents or authorisations are obtained before personal information of children is provided to or processed through GotTime, in line with POPIA requirements.

10. Updates to this policy

We may update this POPIA Privacy Policy from time to time to reflect changes in our service, legal requirements or industry best practice. The latest version will always be available on this page, with the effective date indicated below.

11. Contact details

If you have questions about this policy, or wish to exercise your data protection rights in relation to GotTime as Operator, you can contact us at:

Email: wayne@gottime.online

You may also contact the Information Regulator South Africa. Details are available at the Regulator’s official website.

Effective date: 13 March 2026