Facebook Instagram

Need help?

+27 (83) 956 1825

BOOK YOUR STAY

Privacy Policy

Privacy Policy (POPIA & GDPR)
Eingedi Retreat

Website: https://eingedi.co.za/
Business name: Eingedi Retreat (“we”, “us”, “our”)
Effective date: 21 December 2025
Contact email: info@eingedi.co.za
Physical address: KOMMISSIEPOORT Off, R26, Hospitaal Street, Kommissiepoort, Ladybrand, 9745, South Africa

This Privacy Policy explains how Eingedi Retreat collects, uses, stores, shares, and protects personal information when you visit our website, enquire, make a booking, purchase accommodation and game farm activities, or otherwise interact with us. It is designed to comply with South Africa’s Protection of Personal Information Act, 2013 (POPIA) (Government of South Africa) and the EU/EEA General Data Protection Regulation (GDPR), where applicable.

Important note: This policy is provided for transparency and informational purposes and does not constitute legal advice.

1) Scope and Who is Responsible

This policy applies to personal information we process as a Responsible Party (POPIA) / Controller (GDPR) in relation to:

  • Website visitors
  • Guests and prospective guests
  • Customers purchasing accommodation and/or game farm activities
  • People contacting us by email, phone, forms, messaging, or social media
  • Business partners and suppliers (where relevant)

Responsible Party / Controller: Eingedi Retreat
Contact: info@eingedi.co.za
Address: KOMMISSIEPOORT Off, R26, Hospitaal Street, Kommissiepoort, Ladybrand, 9745

If you are in the EU/EEA (or otherwise covered by GDPR), we may process your data under GDPR when offering services to you or monitoring website usage (e.g., analytics/cookies).

2) Definitions (plain language)

  • Personal Information / Personal Data: information relating to an identifiable person (e.g., name, email, ID number, booking details).
  • Special Personal Information / Special Category Data: sensitive information (e.g., health/allergy details) requiring extra protection.
  • Processing: any operation on personal data (collecting, storing, using, sharing, deleting).

Operator / Processor: a third party that processes data on our behalf (e.g., booking software, email hosting).

3) What We Collect

A. Information you give us

We may collect:

  • Identity & contact details: name, surname, email, phone number, nationality/residency (where needed), address (e.g., invoicing).
  • Booking & service details: dates of stay, number of guests, preferences, activity selections, special requests.
  • Payment and transaction details: payment confirmation, invoices/receipts, amounts, timestamps, payment reference numbers.
    • Card payments: if you pay by card via a third-party payment processor, we typically do not store full card numbers or CVV; those are handled by the payment provider.
  • Communications: emails, messages, call notes, support/enquiry logs.
  • Marketing preferences: whether you want to receive updates and what channels you prefer.

Guest safety and accommodation needs (optional): dietary requirements, accessibility needs, allergies, emergency contact, only where relevant and usually provided by you.

B. Information we collect automatically (website use)

  • Device & technical data: IP address, device type, browser, operating system, language, time zone, pages viewed, referring URLs.
  • Usage data: interactions with pages, clicks, approximate location (derived from IP), and performance logs.

Cookie data: see “Cookies” below.

C. Information from third parties

Where appropriate, we may receive information from:

  • Booking platforms or travel partners you used to book with
  • Payment providers confirming successful payment
  • Analytics and advertising partners (aggregated or cookie-based, where enabled)

We only use third-party data where lawful and relevant.

4) Why We Use Your Information

We process personal information for these purposes:

  1. To provide and manage bookings and services
    • Confirm reservations, provide accommodation and activities, handle check-in/out, manage guest requests.
  2. To communicate with you
    • Respond to enquiries, send booking confirmations, updates, and important service notices.
  3. To process payments and accounting
    • Collect payment, issue invoices/receipts, maintain financial records, handle refunds/cancellations.
  4. To operate, secure, and improve our website and services
    • Troubleshoot, maintain security, prevent fraud, improve user experience and offerings.
  5. Marketing (where permitted)
    • Send newsletters, promotions, and updates only where you have consented or where lawful under applicable rules (and always with an opt-out).
  6. Legal compliance and protection of rights
    • Comply with legal obligations, respond to lawful requests, and establish/exercise/defend legal claims.

5) Lawful Basis for Processing

Under GDPR (when applicable), we rely on:

  • Contract necessity: to perform a booking/transaction and provide services.
  • Consent: for certain marketing communications and non-essential cookies.
  • Legal obligation: tax, accounting, and other statutory compliance.
  • Legitimate interests: to run and secure our business and website (balanced against your rights).

Under POPIA, we process in line with its lawful processing conditions (including accountability, purpose limitation, minimality, openness, security safeguards, and data subject participation). 

6) How We Share Your Information

We may share personal information only when necessary and with appropriate safeguards:

A. Service providers (“operators/processors”)

Such as:

  • Website hosting, domain and email providers
  • Booking and reservation management tools
  • Payment processing providers
  • IT support and cybersecurity providers
  • Analytics providers (where enabled)

These parties may only process personal information under our instructions (or as independent controllers where they determine their own purposes, such as some payment providers)

B. Legal and regulatory disclosures

We may disclose personal information where required by law, court order, or lawful request, or to protect our rights, property, guests, or the public.

C. Business transfers

If our business is sold, merged, or restructured, personal information may be transferred as part of that transaction, subject to confidentiality and lawful processing.

We do not sell personal information to third parties.

7) International Transfers (cross-border)

Because we may use service providers with servers outside South Africa or the EU/EEA, your information may be transferred internationally.

Where cross-border transfer occurs, we take steps to ensure adequate protection, such as:

    • Using reputable providers with strong security controls
    • Contractual safeguards (including GDPR Standard Contractual Clauses where applicable)
    • POPIA-aligned protections for cross-border processing (e.g., ensuring similar protection standards)

8) Data Retention (how long will we keep your information)

We keep personal information only for as long as necessary for the purposes described above, including legal and operational needs. Typical retention periods may include:

  • Booking and transaction records: retained for statutory accounting/tax compliance and audit purposes.
  • Enquiry communications: retained for a reasonable period to manage customer service and disputes.
  • Marketing records: kept until you unsubscribe/withdraw consent, or until data is no longer needed.
  • Website logs/analytics: retained for limited periods depending on system settings and provider configurations.

When retention periods expire, we securely delete or anonymise the information.

9) Security Measures

We implement reasonable technical and organisational safeguards to protect personal information against loss, unauthorised access, misuse, alteration, or destruction. Measures may include:

  • Access controls (role-based access; least-privilege)
  • Strong authentication and password practices
  • Encryption in transit (e.g., HTTPS) and, where appropriate, encryption at rest
  • Secure backups and recovery procedures
  • Malware protection, patching, and monitoring
  • Contracts and confidentiality obligations with staff and service providers
  • Incident response processes and staff awareness

No method of transmission/storage is 100% secure, but we work to maintain an appropriate level of security risk management.

10) Data Breaches and Security Compromises

If we become aware of a personal data breach/security compromise, we will assess it and take steps to contain, investigate, and remediate.

  • Under GDPR, controllers must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a notifiable breach. 
  • Under POPIA, notification must be made to affected data subjects and the regulator as soon as reasonably possible after discovery (subject to certain considerations). 

Where required, we will notify affected individuals with information about the breach, likely consequences, and steps to protect themselves.

11) Your Rights

A. POPIA rights (data subjects)

You generally have the right to:

  • Be notified that personal information is being collected
  • Access your personal information
  • Request correction, destruction, or deletion where appropriate
  • Object to processing in certain circumstances (including direct marketing)
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with the Information Regulator

B. GDPR rights (when applicable)

You may have the right to:

  • Access your data
  • Rectification (correct inaccurate data)
  • Erasure (“right to be forgotten”) in certain cases
  • Restriction of processing
  • Data portability (where processing is based on consent/contract and automated)
  • Object to processing based on legitimate interests and to direct marketing
  • Withdraw consent at any time (where consent is the basis)
  • Lodge a complaint with a supervisory authority and seek a judicial remedy

12) How to Exercise Your Rights

To request access, correction, deletion, objection, portability, or restriction, contact:

Email: info@eingedi.co.za
Include:

  • Your full name and contact details
  • The right you want to exercise
  • Sufficient information for us to verify your identity and locate the data
  • Any relevant booking reference (if applicable)

Identity verification: To protect you, we may request reasonable proof of identity before processing requests.

We aim to respond within a reasonable timeframe and in accordance with applicable legal deadlines.

13) Direct Marketing

If you opt in to marketing communications, you can opt out at any time by:

  • Using the unsubscribe link in an email (if provided), or
  • Emailing info@eingedi.co.za with “Unsubscribe” in the subject line.

We will not send unsolicited electronic direct marketing where consent is required by law.

14) Cookies and Tracking Technologies

We may use cookies and similar technologies for:

  • Essential functions (site security, load balancing, preferences)
  • Analytics (understanding how visitors use the site)
  • Marketing/advertising (only where enabled and lawful)

You can control cookies via:

  • Cookie consent banners (where implemented)
  • Browser settings (block/delete cookies)
  • Opt-out tools offered by certain analytics/advertising providers

Blocking cookies may affect site functionality.

15) Children's Privacy

Our services are intended for adults booking accommodation and activities. We do not knowingly collect personal information from children without appropriate authorisation. If you believe a child has provided personal information to us without proper consent, please contact info@eingedi.co.za so we can address it.

16) Third Party Links

Our website may contain links to third-party websites (e.g., booking partners, payment providers, social platforms). We are not responsible for their privacy practices. Please review their privacy policies before providing them with personal information.

17) Complaints

South Africa (POPIA)

You may complain with the Information Regulator (South Africa). The Regulator provides POPIA-compliant channels, including a designated POPIA complaints email. 

Information Regulator (SA) – Contact details (publicly listed):

  • Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191
  • Phone: 010 023 5200 (and toll-free listed on their site)
  • Email: enquiries@inforegulator.org.za 

EU/EEA (GDPR)

If GDPR applies to your situation, you may complain with your local supervisory authority in the EU/EEA, particularly in the member state of your habitual residence, place of work, or where the alleged infringement occurred.

18) Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or business changes. The “Effective date” at the top shows when it was last updated. Material changes will be highlighted on the website where appropriate.

19) Contact Us

For privacy questions, requests, or concerns:

Eingedi Retreat
Email: info@eingedi.co.za
Address: KOMMISSIEPOORT Off, R26, Hospitaal Street, Kommissiepoort, Ladybrand, 9745, South Africa

Thank you for choosing Eingedi Retreat as your destination. May your stay with us create many happy memories! Aufwiedersehen! i.e. We hope to see you again!

Eingedi Retreat