Privacy Policy

1. Who We Are

Responsible Party: Business Direct Medi (BDM)
Platform: Digitot Loyalty (digitot-loyalty.co.za)
Email: support@digitot-loyalty.co.za
Phone: 0861 10 11 70

As the operator of the Digitot Loyalty platform, BDM acts as the Responsible Party for data collected directly from Business and Customer accounts. Individual Businesses act as Responsible Parties for their own customer loyalty data collected through the platform.

2. What Information We Collect

From Business Owners:

Name, email address, phone number
Business name, category, address, and city
Subscription and billing information
Login credentials (password stored as a secure hash)

From Customers:

Name, email address, phone number (optional)
Date of birth (optional)
Stamp collection history and reward records
Ratings and feedback submitted after visits

Automatically collected:

Session data and cookies necessary for platform functionality
Browser type and device information (for security purposes)
IP address (for fraud prevention)

We do not collect or store payment card details. All billing is handled externally.

3. How We Use Your Information

Purpose	Legal Basis (POPIA)
Creating and managing your account	Contractual necessity
Processing stamp collections and rewards	Contractual necessity
Sending account and transactional emails	Contractual necessity
Providing customer support	Legitimate interest
Preventing fraud and securing the platform	Legitimate interest
Syncing customer records with DigitotPOS	Contractual necessity / consent
Sending onboarding email sequences to new businesses	Legitimate interest
Generating invoices and billing records	Legal obligation
Improving the platform	Legitimate interest

We do not use your personal information for unsolicited marketing without your consent.

4. Who We Share It With

We do not sell personal information. We may share information with:

DigitotPOS — Customer profile data may be synced to your venue's DigitotPOS system if you are on the Advanced or Elite plan and have enabled the integration.
Email service providers — Used to deliver transactional and onboarding emails on our behalf.
Hosting and infrastructure providers — Our servers are hosted on cloud infrastructure. Data is processed within South Africa or in jurisdictions with equivalent data protection standards.
Legal authorities — Where required by law or court order.

All third parties are bound by confidentiality obligations and may only process data as instructed by us.

5. How Long We Keep It

Active accounts — Data is retained for as long as your account is active.
Terminated accounts — Data is retained for 30 days after termination, then permanently deleted.
Billing records — Invoice and payment records are retained for 5 years as required by South African tax law.
Stamp and reward history — Retained for the duration of the Customer's account.

6. How We Protect It

We implement appropriate technical and organisational measures to protect personal information, including:

All data transmitted over HTTPS (TLS encryption)
Passwords stored using one-way cryptographic hashing (bcrypt)
Database access restricted to authorised platform processes
Regular security updates and server hardening
Access controls limiting data access to authorised staff only

In the event of a data breach that is likely to result in harm, we will notify affected parties and the Information Regulator as required by POPIA.

7. Your Rights Under POPIA

As a data subject under POPIA, you have the right to:

Access — Request a copy of the personal information we hold about you
Correction — Request that inaccurate or outdated information be corrected
Deletion — Request that your personal information be deleted (subject to our legal obligations)
Objection — Object to the processing of your personal information
Withdrawal of consent — Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at support@digitot-loyalty.co.za. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Regulator of South Africa at www.justice.gov.za/inforeg/.

8. Cookies

The Platform uses cookies strictly necessary for operation, including:

Session cookies — To keep you logged in during your browser session
CSRF token cookies — To protect against cross-site request forgery attacks

We do not use advertising cookies, analytics cookies from third-party trackers, or tracking pixels. No cookie consent banner is required as we only use strictly necessary cookies.

9. Children's Privacy

The Platform is not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify registered Business users by email.

Continued use of the Platform after any changes constitutes your acceptance of the updated policy.

11. Contact & Complaints

For privacy-related requests or complaints, contact our Information Officer:

Business Direct Medi (BDM)
Email: support@digitot-loyalty.co.za
Phone: 0861 10 11 70
Subject line: Privacy Request

If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa.

Contents