1. Introduction
Seela ("we", "us", "our") is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African data protection legislation.
This Privacy Policy explains how we collect, use, store, and share your personal information when you use the Seela platform ("the Platform"), whether as a business operator ("Business User") or as a customer of a business that uses Seela ("End Customer").
2. Information Officer
Our designated Information Officer, as required under POPIA, is responsible for ensuring compliance with the Act and for handling all data-related queries and requests.
Information Officer Details
- Name: Nic Lombard
- Email: privacy@seela.co.za
3. Personal Information We Collect
We collect and process personal information that is necessary for the provision of our booking and business management services. The types of information we collect depend on whether you are a Business User or an End Customer.
3.1 Business Users
- Business name, address, and contact details
- Login email address and hashed password
- Staff names, email addresses, phone numbers, and working schedules
- Service and pricing information
- Financial data including revenue, payment records, and commission information
3.2 End Customers
- Full name
- Phone number (including WhatsApp number)
- Email address (where provided)
- Booking history and appointment details
- Payment amounts and payment method type (cash, card, EFT)
- Communication history (WhatsApp messages related to bookings)
- Notes and tags added by the Business User
- No-show and visit frequency data
3.3 Website Visitors
- Information provided via the waitlist form (name, email, phone, business name)
- Cookie and browser data (see Section 10)
4. Purpose of Processing
Under POPIA, we are required to have a lawful basis for processing your personal information. We process personal information for the following purposes:
- Service delivery: To provide booking management, scheduling, customer management, staff management, and analytics services
- Communication: To send booking confirmations, reminders, follow-ups, and other transactional messages via WhatsApp
- Payment processing: To record and track payments associated with bookings
- Business analytics: To provide Business Users with insights about their operations, revenue, and customer behaviour
- Platform improvement: To improve, maintain, and secure the Platform
- Legal compliance: To comply with applicable laws and regulations, including POPIA
- Legitimate interest: To detect and prevent fraud, abuse, or security threats
5. Legal Basis for Processing
Under POPIA Section 11, we process your personal information based on one or more of the following conditions:
- Consent: Where you have given us voluntary, specific, and informed consent
- Contractual necessity: Where processing is necessary to fulfil a contract with you or to take steps at your request before entering into a contract
- Legal obligation: Where we are required by law to process your information
- Legitimate interest: Where processing is necessary for our legitimate interests and does not unduly prejudice your rights
6. How We Store Your Data
We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it.
- All data is stored in a Neon PostgreSQL database with encryption at rest and in transit
- Passwords are hashed using industry-standard one-way hashing algorithms and are never stored in plain text
- All connections to our servers are encrypted using TLS/SSL (256-bit encryption)
- Access to personal information is restricted to authorised personnel on a need-to-know basis
- We maintain audit logs of data access and modifications
- Our infrastructure is hosted on enterprise-grade cloud platforms with ISO 27001 compliance
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:
| Data Type | Retention Period |
|---|---|
| Business account data | Duration of account + 12 months after closure |
| Customer personal data | Duration of business relationship + 12 months, or until deletion request |
| Booking records | 5 years (as required for financial record-keeping under the Tax Administration Act) |
| Payment records | 5 years (as required for financial record-keeping) |
| WhatsApp messages | 12 months from date of message |
| Audit logs | 24 months |
| Waitlist entries | Until conversion or 12 months, whichever is sooner |
When personal information is no longer required, it is securely deleted or anonymised so that it can no longer be associated with a specific individual.
8. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights in relation to your personal information:
- Right of access (Section 23): You may request confirmation of whether we hold personal information about you and request a copy of that information.
- Right to correction (Section 24): You may request that we correct or update any inaccurate, incomplete, or misleading personal information we hold about you.
- Right to deletion (Section 24): You may request that we delete your personal information where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
- Right to object (Section 11(3)): You may object to the processing of your personal information on reasonable grounds, unless legislation provides for such processing.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to automated decision-making (Section 71): You may request that decisions that significantly affect you are not made solely by automated means.
9. Submitting a Data Request
To exercise any of your rights under POPIA, you may submit a request using any of the following methods:
Email: privacy@seela.co.za
Subject line: POPIA Data Request - [Access / Correction / Deletion / Objection]
When submitting a request, please provide sufficient information to verify your identity, including your full name, phone number, and email address registered with the service. We will respond to your request within 30 days as required by POPIA.
If your request relates to data held by a specific business that uses Seela, we may need to coordinate with that business to fulfil your request, as the business is the "responsible party" under POPIA for data they collect through the Platform.
10. Cookies and Tracking
Our website and Platform use cookies and similar technologies to enhance your experience and understand how our services are used.
Types of Cookies We Use
- Essential cookies: Required for the Platform to function correctly (e.g., authentication session cookies). These cannot be disabled.
- Functional cookies: Remember your preferences and settings to improve your experience.
- Analytics cookies: Help us understand how users interact with our Platform so we can improve it. Data is aggregated and anonymised where possible.
You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform.
11. Third-Party Sharing
We do not sell your personal information. We may share your information with the following categories of third parties, strictly for the purposes outlined in this policy:
- Cloud infrastructure providers: For hosting and database services (Neon, Vercel). These providers process data on our behalf under strict data processing agreements.
- WhatsApp / Meta: For delivering messages through the WhatsApp Business API. Messages are subject to WhatsApp's privacy policy.
- Email service providers: For sending transactional emails such as password resets and account notifications.
- Payment processors: Where integrated, for processing card and electronic payments. We do not store full card numbers on our servers.
- Legal and regulatory authorities: Where required by law, court order, or regulation.
All third-party service providers are contractually required to handle your personal information in accordance with POPIA and to implement appropriate security measures.
12. Cross-Border Data Transfers
Some of our third-party service providers may process data outside of South Africa. In such cases, we ensure that adequate safeguards are in place as required by Section 72 of POPIA, including:
- The recipient country has adequate data protection laws
- The recipient is bound by a binding agreement that provides adequate protection
- You have consented to the transfer
- The transfer is necessary for the performance of a contract
13. Data Breach Notification
In the event of a data breach that poses a risk of harm to any data subject, we will:
- Notify the Information Regulator as soon as reasonably possible
- Notify affected data subjects as soon as reasonably possible after the discovery of the breach
- Provide sufficient information about the breach, including the nature of the compromise, the categories of data affected, and the measures taken to address it
- Recommend steps that affected individuals can take to mitigate potential harm
14. Children's Information
The Platform is not directed at children under the age of 18. We do not knowingly collect personal information from children. If a Business User books appointments for minors, the Business User is responsible for obtaining consent from the child's parent or legal guardian in accordance with Section 35 of POPIA.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date at the top of this page. Where changes are significant, we will provide additional notice (such as an in-app notification or email).
16. Complaints
If you are dissatisfied with our handling of your personal information or believe that we have not complied with POPIA, you may lodge a complaint with our Information Officer at privacy@seela.co.za.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator:
Information Regulator (South Africa)
Email: inforeg@justice.gov.za
Website: https://inforegulator.org.za
17. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@seela.co.za
General enquiries: hello@seela.co.za
Website: https://seela.co.za