Privacy Policy

Version 1.0 - Updated: 16 February 2026

Kaya Club (Pty) Ltd ("Kaya Club", "we", "us", "our") respects your privacy and complies with South African data protection laws, including the Protection of Personal Information Act, 2013 (POPIA). This Policy explains what personal information we collect, why we collect it, how we use and share it, and your rights as a Data Subject.

By sending us your personal information (for example, when you apply for membership, borrow an item, or use our website, or app or social media pages ("channels")), you agree we may process it as explained here, and, where required, give your opt-in consent (for example, by ticking a box or clicking "I agree").

1. Important Information and Who We Are

Responsible Party

Kaya Club (Pty) Ltd is the Responsible Party for your personal information.

Information Officer (IO)

Our IO is:

(Our IO is registered with the Information Regulator and oversees privacy queries and requests.)

Complaints

You may complain to the Information Regulator (South Africa). We'd appreciate the chance to resolve your concerns first. The Regulator's latest contact details and forms are available via our PAIA Manual.

Changes to this Policy

We update this Policy from time to time. The "Updated" date at the end shows the latest version. We'll post changes on our website and/or share them during your engagement with us.

Integration into other sites

We do not control third-party sites or services that may be linked from our channels. Their privacy practices are their own - please read their privacy policies before you share information with them.

Third-party links

Our channels may include links to third-party websites, plug-ins and apps. Clicking those may allow third-parties to collect or share data about you. IF YOU DISCLOSE YOUR PERSONAL INFORMATION TO A THIRD-PARTY, SUCH AS AN ENTITY WHICH OPERATES A WEBSITE LINKED TO THIS OUR WEBSITE, WE SHALL NOT BE LIABLE FOR ANY LOSS OR DAMAGE, HOWSOEVER ARISING, SUFFERED BY YOU AS A RESULT OF THE DISCLOSURE OF SUCH INFORMATION TO THE THIRD-PARTY. You should always read the third-party's Privacy Policy.

2. The Data We Collect About You

We collect only the minimum personal information needed and only for specific, explicit and lawful purposes. This may include:

  • Identity Data: first/last name, date of birth/age, nationality, gender, job title, username/identifier.
  • Contact Data: email, telephone numbers, billing/physical/delivery addresses, public social media profiles.
  • Verification Data: identity number or similar identifier, date of birth/age confirmation, nationality, publicly available professional or social media profiles (e.g. LinkedIn, Instagram) and results of identity/eligibility checks for membership.
  • Membership Profile Data: application information, membership status and preferences, rental history.
  • Financial Data: payment card or banking details, and results of any credit check (where applicable).
  • Transaction Data: payments to/from us; services accessed on our site.
  • Technical Data: IP address, device and browser type/version, time zone, operating system, and other device/usage metadata (via cookies and similar technologies).
  • Usage Data: how you use our website/services (pages viewed, features used, interaction data, times/dates).
  • Marketing & Communications Data: preferences for receiving marketing and how we communicate with you.
  • Aggregate/Pattern Data: statistical/aggregated data that does not identify you. If we combine it with personal information so that you can be identified, we treat it as personal information.

You may choose to provide additional Personal Information to us, in which event you agree to provide accurate and current information, and not to impersonate or misrepresent any person or entity or falsely state or otherwise misrepresent your affiliation with anyone or anything.

Special Personal Information

We do not collect Special Personal Information unless it is needed for identity or membership checks. If such information is provided voluntarily, we process it as required by law and, when necessary, with appropriate consent.

Submission of personal information on behalf of another

If you submit someone else's information, you must have their consent or authority. We will process it as if you have such approval. By providing this information, you agree to protect us from any third-party claims regarding personal data shared without proper consent or a legal exception.

If you fail to provide information

Where we need personal information by law or to perform a contract with you and you do not provide it when requested, we may not be able to perform that contract (e.g., deliver services). We will tell you at the time if this applies.

3. How Is Personal Information Collected?

  • Direct interactions: when you apply for membership; request services; interact via Teams/Zoom; subscribe to newsletters/events; create a membership profile; download/access our technology; provide feedback; visit our offices or meet our staff; participate in surveys/promotions; receive or return rented items.
  • Automated technologies: as you use our channels, we automatically collect technical/usage data using cookies, server logs and similar technologies (see Cookies below).
  • Third-parties / publicly available sources: analytics (e.g., Google, Microsoft, Netlify), advertising networks, search information providers, IT/payment/delivery/verification providers (where lawful and/or with your authority).

4. Cookies

We use cookies and similar technologies to run our site and improve your experience. See our Cookies Policy.

5. How We Use Your Personal Information (And Our Lawful Grounds)

We process personal information only when lawful. The main grounds are: your consent; performance of a contract or steps at your request; compliance with law; protection of your legitimate interests; or our/third-party legitimate interests (balanced against your rights).

Purposes and lawful bases:

Purpose/Activity Data Lawful Basis
Sign you (non-Member) up for our newsletter Identity; Contact Consent (you can withdraw at any time)
Send newsletters/promotions to Members or previous clients Identity; Contact; Marketing & Comms Legitimate interests (promoting our services to existing customers), with opt-out in every message
Process membership applications and verify eligibility Identity; Contact; Verification Contract (to assess/create your membership); Legitimate interests (risk/fraud prevention)
Create and manage your Membership Profile Identity; Contact; Membership Profile Data Contract
Process and assist with payments (manage fees/deposits/charges and recover amounts due) Identity; Contact; Financial; Transaction; (and Comms for service notices) Contract; Legitimate interests (to recover debts)
Deliver our services (borrows, deliveries, returns) Identity; Contact; Transaction; Usage Contract
Manage our relationship with you (service delivery; changes to terms/policies; responses to "Contact Us") Identity; Contact; Financial (if relevant); Instructions; Marketing & Comms Contract; Legal obligation; Legitimate interests (keeping records; improving services)
Administer and protect our business, website and apps (troubleshooting, analytics, maintenance, security) Identity; Contact; Technical Legitimate interests (operate, secure, and improve our systems); Legal obligation (where applicable)
Deliver relevant content/ads and measure effectiveness (where we do advertising) Identity; Contact; Profile; Usage; Marketing & Comms; Technical Legitimate interests (understanding use; growth); Consent (for non-essential cookies/trackers)
Use analytics to improve our website, services, and customer experience Technical; Usage Legitimate interests; Consent where required for cookies
Make suggestions / recommendations about services that may interest you Identity; Contact; Technical; Usage; Profile; Marketing & Comms Legitimate interests

TAKE NOTE: WE DO NOT STORE CREDIT CARD DETAILS - WE USE THIRD-PARTY SERVICE PROVIDERS TO EXECUTE CARD TRANSACTIONS. YOU SHOULD READ THEIR PRIVACY POLICY.

Accurate personal Information

We strive to keep your Personal Information accurate and up to date. Please notify Kaya Club of any changes to your details during our relationship.

6. Marketing (Direct Marketing)

Non-customers (electronic channels): we need your opt-in consent before sending you electronic direct marketing (email, SMS, automated calls, and telephone calls). We may approach you once to request consent if you have not previously refused.

Existing customers (electronic channels): we may send marketing about our own similar products/services if we obtained your details in the context of a sale or use of our services, and you had (and still have) a clear, free opt-out at collection and in every message.

Every message will identify us and include an easy "unsubscribe/opt-out".

WE MAY SHARE ANONYMOUS AGGREGATE USER DATA WITH THIRD-PARTY MARKETERS OR ADVERTISERS TO HELP THEM TARGET SPECIFIC AUDIENCES. WE MIGHT USE YOUR INFORMATION TO SHOW ADS TO CERTAIN GROUPS BUT DO NOT DISCLOSE IDENTIFIABLE INDIVIDUAL DETAILS TO ADVERTISERS.

7. Automated Processing and Decision-Making

We do not make decisions based solely on automated processing (including AI) that produce legal or similarly significant effects. If that changes, we will tell you and provide a way to request human intervention, express your view, and contest the decision.

8. Change of Purpose

We will only use your personal information for the purpose we collected it for, unless the new use is compatible with the original purpose or POPIA otherwise allows it. For any other purpose we will obtain your consent first.

9. Disclosures of Personal Information

We share personal information only as needed for our purposes and as permitted by law:

  • Internal third-parties: Kaya Club personnel and group/collaborating partners who help provide our services (IT/admin/leadership reporting).
  • External third-parties:
    • Asset owners that grant us the right to make available certain assets to the Kaya Club members;
    • Service providers (operators): IT, hosting, security, analytics, verification, payment, delivery.
    • Professional advisers: lawyers, bankers, auditors, insurers.
    • Regulators and authorities (e.g., SARS; courts) where required by law.
    • Business transfers: if we sell/merge part of our business; the new owner may use information on the same terms as this Policy.

We may further share Personal Information outside to External Third-Parties if we have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to:

  • Satisfy any applicable law, regulation, legal process or enforceable governmental request;
  • enforce applicable Terms of Use, including investigation of potential violations thereof;
  • detect, prevent, or otherwise address fraud, security or technical issues; or
  • protect against imminent harm to the rights, property or safety of Kaya Club, users of this website or the public as required or permitted by law.

We require all third-parties to respect the security of your Personal Information and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Information for their own purposes and only permit them to process your Personal Information for specified purposes and in accordance with our instructions.

We may also disclose information if reasonably necessary to comply with the law, enforce our terms, detect/prevent fraud or security issues, or protect people from harm.

10. International Transfers

We may allow access to, or transfer, personal information to recipients outside South Africa (e.g., cloud hosting/support). We'll only do this when POPIA permits it - where the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection, or where another lawful ground applies (your consent; contract performance; contract in your interest; or benefit to you where consent is impracticable). We keep internal records of cross-border transfers and safeguards.

11. Data Security

We use appropriate technical and organisational measures to protect your information from loss, misuse, unauthorised access, alteration, or disclosure. Access is limited to people who need it and are bound by confidentiality.

12. Personal Information Breach

If we discover a security compromise involving personal information, we'll notify the Information Regulator and affected data subjects as soon as reasonably possible, with the information POPIA requires and practical steps you can take.

Under certain legislation we may have a duty to report certain offences to the authorities within a limited time period. We cannot be held liable for any consequences that may result from these said reporting.

WE MAINTAIN A RECORD OF ALL BREACHES, EVEN THOSE NOT REQUIRING NOTIFICATION, TO ENSURE COMPLIANCE WITH DATA PROTECTION LEGISLATION.

13. Data Retention

We keep personal information only as long as reasonably necessary for our purposes and to meet legal, tax, accounting or reporting requirements. We may keep it longer if needed (e.g., to resolve disputes, prevent fraud, or enforce agreements). We may also anonymise data for research/statistics and use it indefinitely.

14. Records

We will keep detailed, accurate and up-to-date written records regarding the processing of personal information we carry out, including access, control and security measures, approved subcontractors/operators, processing purposes, categories of processing, any transfers of personal information to a third country and related safeguards, the instructions as received from our customers and a general description of the technical and organisational security measures and retention and destruction of personal information.

15. Social Media

Our websites/apps/services may provide social plug-ins (e.g., Facebook, Instagram, LinkedIn). If you interact with these, your activity may be shared with that network per your privacy settings. If you would like to prevent this type of information transfer, please log out of your social network account before you enter our website(s), or change the necessary privacy settings, where possible.

Communication, engagement and actions taken through external social media networks that we participate in are custom to terms and conditions as well as the privacy policies held with each social media platform respectively. Ensure that you understand them.

PLEASE NOTE: WE WILL NEVER ASK FOR PERSONAL OR SENSITIVE INFORMATION THROUGH SOCIAL MEDIA NETWORKS AND ENCOURAGE USERS, WISHING TO DISCUSS SENSITIVE DETAILS OR TO RESOLVE ISSUES/CONCERNS, TO CONTACT US THROUGH PRIMARY COMMUNICATION CHANNELS SUCH AS BY TELEPHONE OR EMAIL.

Shortened links may appear on social platforms - please exercise caution before clicking.

16. Data Subject's Legal Rights

You may have the following rights under POPIA:

  • Request access to your personal information (commonly known as a "data subject access request").
  • Request correction of inaccurate/incomplete personal information.
  • Request deletion where POPIA allows.
  • Object to processing where we rely on legitimate interests, and to direct marketing at any time.
  • Request restriction of processing in certain scenarios.
  • Withdraw consent where processing relies on your consent.

How to exercise your rights. Contact our IO (see above). For objections and corrections/deletions, you may use Form 1 and Form 2 prescribed under the POPIA Regulations (or a substantially similar form). Our PAIA Manual and the forms are available here: kayaclub.co.za/paia.html. We usually respond within 30 (thirty) days.

Fees & verification: We may charge a reasonable fee for manifestly unfounded, repetitive or excessive requests and we will verify your identity before acting. Fees we may charge will be as per the details set out in our PAIA Manual and applicable regulations.

17. Subcontractors (Operators)

We may authorise third parties (operators) to process personal information on our behalf under written contracts requiring appropriate security and processing only on our instructions. We select operators carefully and remain responsible for processing they perform on our behalf.

18. Definitions (Plain-English)

  • Channels: our technology channels used to access services (e.g., website(s), app(s), social pages).
  • Consent: a voluntary, specific and informed expression of will giving permission to process personal information.
  • Data Subject: the person whose personal information is processed (you).
  • Information Regulator: South Africa's data protection authority.
  • Member/Membership: a person who has successfully registered and whose membership is active, with access to services subject to applicable terms.
  • Operator: a person who processes personal information for a responsible party under a contract or mandate.
  • Personal Information: as defined under the POPIA.
  • Responsible Party: the public/private body that decides the purpose and means of processing personal information.
  • Services: our services as described in our terms of services and on our channels.
  • Special Personal Information: sensitive categories such as race, health, biometric data (see POPIA).

WE DO NOT SELL YOUR PERSONAL INFORMATION.

Licensed to Kaya Club (Pty) Ltd by DKVG