🔒 Privacy Policy

Effective Date: March 2026 | Version 1.0

This Privacy Policy is issued by CLUBRUGBY TICKETS in compliance with the Protection of Personal Information Act, 4 of 2013 (POPIA) and the Electronic Communications and Transactions Act, 25 of 2002 (ECTA). By using our platform, you consent to the processing of your personal information as described herein.

1. Responsible Party Details

Enterprise Name: CLUBRUGBY TICKETS

Registration Number: 2026 / 137720 / 07

Registered Country: Republic of South Africa

Website: www.clubrugbytickets.co.za

Email: clubrugbytickets@gmail.com

2. Information Officer Details

Information Officer: Latchmy Staal

Phone: 063 524 6921

Email: clubrugbytickets@gmail.com

Data subjects may direct all POPIA-related queries and requests to the Information Officer above.

3. Categories of Personal Information Collected

We collect personal information based on the service you use:

Ticket Purchases: Email address and mobile number for ticket delivery and communication.
Pensioner Tickets: ID number strictly for age verification purposes.
Merchandise Orders: Email, mobile number, and delivery address for order fulfillment.
Club Registration: Contact details of club administrators and banking information for administrative and operational purposes.

Additionally, we may collect:

Financial Information: Payment initiation data processed via PayFast (ClubRugbyTickets acts as the sole merchant of record; we do not store card or banking details).
Transaction Records: Purchase history, order IDs, and QR-code logs.
Technical Data: IP address and session cookies for secure authentication.

4. Purpose of Processing

We collect and process your personal information strictly for the following services:

Ticket Delivery: To generate and deliver QR-code tickets to your email/mobile.
Age Verification: To verify eligibility for Pensioner tickets in accordance with our fair-pricing policy.
Order Fulfillment: To ship and deliver physical merchandise to your provided address.
Club Partnership: To manage club registrations and administrative payouts.
Platform Security: To detect fraud, comply with POPIA, and ensure a secure merchant experience.

5. Lawful Basis for Processing

We process personal information on the following lawful grounds under POPIA Section 11:

Contractual necessity: Processing required to fulfill ticket/merchandise purchase contracts
Consent: Freely given, specific, and informed consent provided at time of purchase
Legal obligation: Processing required to comply with South African law (SARS, POPIA, ECTA)
Legitimate interest: Fraud prevention, platform security, and audit trail integrity

6. Data Retention Period

Transaction records (tickets, payments): Retained for a minimum of 5 years in compliance with South African tax legislation
Club registration and payout records: Retained for 5 years from the date of last activity
Account data (inactive): Deleted after 2 years of inactivity following written notice
Event QR codes: Retained for 6 months post-event for audit purposes

7. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We may share your data with:

PayFast (Pty) Ltd: Our payment gateway, which processes all financial transactions under their own Privacy Policy and PCI-DSS compliance
Registered Clubs: Limited to information relevant to their specific event (buyer name, ticket reference, and email for event management purposes only)
South African Revenue Service (SARS): Where legally required for tax reporting obligations
Law Enforcement / Courts: Where compelled by a valid court order or legal process

All third-party processors are contractually bound to process data only as instructed by CLUBRUGBY TICKETS and to maintain adequate security measures.

8. Cross-Border Data Transfers

Our platform is hosted on servers located in the Republic of South Africa. Email notifications may be delivered via Google Workspace infrastructure (Gmail), which may involve limited cross-border processing. Such transfers are governed by adequate safeguards in compliance with POPIA Section 72.

9. Data Security Measures

We implement the following technical and organisational security measures:

HTTPS / TLS encryption on all data in transit
Hashed passwords — passwords are never stored in plain text (bcrypt hashing)
JWT authentication with token expiry via secure HTTP-only cookies
Payment tokenisation — card data handled exclusively by PayFast (PCI-DSS Level 1)
Role-based access control — only authorised users can access sensitive data
Database access restricted to server-side application only (no public database exposure)

10. Data Subject Rights

Under POPIA, you have the following rights regarding your personal information:

Right of Access: Request a copy of the personal information we hold about you
Right to Correction: Request correction of inaccurate or incomplete information
Right to Deletion: Request deletion of your data where retention is no longer legally required
Right to Object: Object to the processing of your personal information on grounds related to your particular situation
Right to Data Portability: Request your data in a structured, machine-readable format

To exercise any of these rights, please contact our Information Officer at clubrugbytickets@gmail.com or 063 524 6921. We will respond within 30 days of receipt.

11. Objection to Direct Marketing

We do not currently conduct direct marketing campaigns. Should we introduce any in future, we will only do so with your express prior consent and will provide a simple opt-out mechanism in every communication, in compliance with POPIA Section 69.

12. Cookies & Tracking

We use session cookies only for the purpose of maintaining your authenticated login state during your session. These cookies:

Are HTTP-only (not accessible to JavaScript)
Expire automatically at the end of your session or after 6 hours
Do not track your behaviour across external websites
Are not used for advertising or profiling purposes

We do not use analytics, advertising, or third-party tracking cookies.

13. Complaints to the Information Regulator

If you are unsatisfied with how we have handled your personal information or a request related to your rights, you have the right to lodge a complaint with the South African Information Regulator:

Information Regulator (South Africa)

📧 inforeg@justice.gov.za

📧 Complaints: POPIAComplaints@inforegulator.org.za

🌐 www.inforegulator.org.za

📞 010 023 5207

14. Policy Updates

We reserve the right to update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or platform features. Material changes will be communicated via a notice on our website. The effective date at the top of this policy will always reflect the most recent revision. Continued use of the platform following a policy update constitutes acceptance of the revised terms.

CLUBRUGBY TICKETS · Reg. No. 2026/137720/07 · Operated in the Republic of South Africa · clubrugbytickets@gmail.com

Install ClubRugby App