Privacy Policy

1. Introduction

Mendly (Pty) Ltd (“Mendly”, “we”, “us”, or “our”) is a company incorporated and registered in the Republic of South Africa. We operate the Mendly marketplace platform — a digital marketplace connecting clients with home service providers — available via our mobile application and web application.

We are committed to protecting your personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (“POPIA”) and all applicable South African data protection legislation. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our platform.

By registering on or using the Mendly platform, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal information as described herein.

2. Information Officer

In accordance with POPIA, Mendly has designated an Information Officer who is responsible for ensuring compliance with this Policy and applicable data protection law.

• Name: [Information Officer Name]
• Organisation: Mendly (Pty) Ltd
• Email: privacy@mendlyglobal.com
• Country: Republic of South Africa

Any requests, queries, or complaints relating to the processing of your personal information should be directed to the Information Officer at the contact details above.

3. Information We Collect

We collect personal information that is necessary for the operation of our platform and the provision of our services. The type of information we collect depends on your role on the platform (client or service provider).

3.1 Information Collected from All Users

• Full name
• Email address
• Phone number
• Location data (general area and, where booking services, precise location)
• Profile photograph
• Device data (device type, operating system, unique device identifiers)
• Usage data (pages visited, features used, interaction logs, search queries)

3.2 Additional Information Collected from Service Providers

The following categories of information are classified as special personal information under POPIA or are otherwise sensitive in nature and are collected only from registered service providers for identity verification and payment purposes:

• South African identity document (ID number, ID copy) or foreign national passport
• Proof of residence
• Bank account details (for payment disbursements)
• Proof of qualification or professional certification (where applicable)

3.3 Automatically Collected Information

• IP address and approximate geographic location
• Browser type and version
• App version and session activity logs
• Crash reports and diagnostic data

4. Purpose of Processing

We process your personal information for the following purposes:

• Platform operation: creating and managing your account, facilitating bookings between clients and service providers, and enabling communication within the platform.
• Identity verification: verifying the identity of service providers to maintain the safety and integrity of the marketplace.
• Payment processing: facilitating booking deposits, platform fees, and payment disbursements to service providers via our payment processor, PayFast.
• Safety and trust: conducting background checks, reviewing ratings and reviews, investigating complaints, and enforcing our community standards and Terms of Service.
• Customer support: responding to queries, resolving disputes, and providing technical assistance.
• Platform improvement: analysing usage patterns to improve our features, user experience, and service quality.
• Legal compliance: complying with applicable laws, regulations, and court orders, including tax and financial reporting obligations.
• Marketing (opt-in only): sending promotional communications, service updates, and offers — only where you have explicitly opted in to receive such communications. You may withdraw consent at any time.
• AI-assisted features: powering intelligent booking recommendations, search functionality, and service matching using AI tools, where you have consented to such processing.

5. Legal Basis for Processing

We process your personal information on the following legal grounds under POPIA:

• Consent: where you have given us explicit consent to process your personal information, including for marketing communications and AI-assisted features.
• Contractual necessity: where processing is necessary to perform our obligations under our Terms of Service and any booking agreement you enter into on our platform.
• Legitimate interest: where processing is necessary for our legitimate business interests, such as fraud prevention, platform security, and improving our services, provided that such interests are not overridden by your rights and freedoms.
• Legal obligation: where processing is required to comply with a legal obligation, including tax laws, financial regulations, and court orders.

6. Sharing of Personal Information with Third Parties

We do not sell your personal information. We share your information only where necessary to operate our platform, comply with legal obligations, or with your consent. The following third-party operators and processors may receive your personal information:

6.1 Payment Processing

• PayFast (South Africa / Ireland): processes all booking payments, deposits, and service provider disbursements. PayFast is PCI-DSS compliant. Your card and banking details are processed directly by PayFast and are not stored on Mendly’s servers.

6.2 Database and Infrastructure

• Supabase (United States of America): provides our primary database and authentication infrastructure. All user account data, booking records, and associated personal information are stored on Supabase’s servers.

6.3 Email Communication

• Resend (United States of America): delivers transactional and notification emails on our behalf, including booking confirmations, account notifications, and system alerts.

6.4 Push Notifications

• Expo (United States of America): manages push notification delivery to mobile devices. Device tokens are shared with Expo solely for this purpose.

6.5 Artificial Intelligence Features

• OpenAI (United States of America): powers AI-assisted features on the platform. Where such features process personal information, only the minimum necessary data is shared. You will be informed before any AI processing of your data occurs.

6.6 Mapping and Location Services

• Google (United States of America): Google Maps and Google Places APIs are used to provide address autocomplete, map display, and location-based service discovery. Location data shared with Google is subject to Google’s own privacy policy.

7. Cross-Border Transfers of Personal Information

Several of our third-party processors are based outside the Republic of South Africa, including in the United States of America. As a result, your personal information may be transferred to, stored in, and processed in countries outside South Africa.

We take all reasonable steps to ensure that cross-border transfers of personal information comply with POPIA and that appropriate safeguards are in place. All third-party processors with whom we share personal information are bound by Data Processing Agreements (“DPAs”) that require them to protect your information to a standard equivalent to or exceeding that required under POPIA.

By using our platform, you acknowledge and consent to these cross-border transfers where they are necessary for the provision of our services.

8. Retention of Personal Information

We retain your personal information only for as long as is necessary for the purposes set out in this Policy, or as required by applicable law. Our standard retention periods are as follows:

• Booking and transaction records: retained for 7 years from the date of the transaction, in accordance with South African tax legislation and financial record-keeping requirements.
• Identity verification documents (ID copies, proof of residence): retained for 5 years from the date of verification or account closure, whichever is later.
• Account data following deletion request: where you request deletion of your account, your personal information will be permanently deleted within 30 days of the request, subject to any legal obligations requiring us to retain certain records for longer periods.
• Communications and support records: retained for 3 years from the date of the interaction.
• Marketing consent records: retained for as long as you have an active account or until you withdraw consent, plus a reasonable period thereafter to demonstrate compliance.

9. Your Rights

Under POPIA, you have the following rights with respect to your personal information:

• Right of access: you have the right to request a copy of the personal information we hold about you.
• Right to correction: you have the right to request that we correct any inaccurate or incomplete personal information we hold about you.
• Right to deletion: you have the right to request that we delete your personal information, subject to any legal obligations requiring us to retain it.
• Right to object: you have the right to object to the processing of your personal information on the grounds of legitimate interest or for direct marketing purposes.
• Right to restrict processing: you have the right to request that we restrict the processing of your personal information in certain circumstances, such as where you contest its accuracy.
• Right to withdraw consent: where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact our Information Officer at privacy@mendlyglobal.com. We will respond to your request within 30 days. We may require you to verify your identity before processing your request.

10. Security of Personal Information

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS
• Encryption of sensitive data at rest
• Role-based access controls limiting staff access to personal information
• Regular security assessments and monitoring
• Contractual data protection obligations with all third-party processors

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your information.

11. Data Breach Notification

In the event of a personal information breach that poses a risk to your rights and freedoms, Mendly will:

• Notify the Information Regulator of South Africa within 72 hours of becoming aware of the breach, where feasible.
• Notify affected data subjects as soon as reasonably possible, providing details of the nature of the breach and the steps being taken to address it.
• Maintain an internal record of all breaches, including those that may not meet the notification threshold.

12. Cookies and Tracking Technologies

Mendly uses only functional and session cookies that are strictly necessary for the operation of our web platform. We do not use advertising cookies, behavioural tracking cookies, or any third-party cookies for the purpose of tracking your activity across other websites.

For full details of the cookies we use and how to manage them, please refer to our Cookie Policy.

13. Children’s Privacy

The Mendly platform is not intended for use by persons under the age of 18. We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information, please contact us at privacy@mendlyglobal.com and we will take immediate steps to delete such information.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or platform features. When we make material changes, we will notify you via email or through a prominent notice on our platform prior to the change taking effect. The updated Policy will be identified by a new effective date and version number.

Your continued use of the platform after the effective date of any update constitutes your acceptance of the revised Policy.

15. Complaints to the Information Regulator

If you are not satisfied with our response to a privacy concern or believe that we are processing your personal information in a manner that is not compliant with POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa:

• Website: www.inforeg.org.za
• Email: inforeg@justice.gov.za

We encourage you to contact us first so that we may attempt to resolve your concern directly.

16. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal information, please contact our Information Officer:

• Email: privacy@mendlyglobal.com
• Organisation: Mendly (Pty) Ltd, Republic of South Africa