Home Hub

Home Hub Privacy Policy

Last Updated: [Insert date of first publication]

1. Introduction and Who We Are

This Privacy Policy explains how Home Hub (the "Platform," "we," "us," or "our") collects, uses, stores, shares, protects, and otherwise processes your personal information when you use the Home Hub platform, including when you browse as a visitor, register a free User account, subscribe as a Buyer, publish a Listing, interact with any feature of the Platform, or contact us for support or enquiries.

We are committed to the lawful, transparent, and responsible processing of personal information in full compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and all applicable South African privacy legislation. This Privacy Policy is designed to give you a clear, complete, and honest account of what personal information we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have over it.

We are the "responsible party" for the purposes of POPIA in respect of personal information collected through the Platform. As responsible party, we determine the purpose and means of processing and we are accountable for ensuring that all processing of personal information on the Platform complies with applicable law.

Responsible Party: Home Hub

Legal Entity: [Registered legal entity name — to be completed]

Registration Number: [Company registration number — to be completed]

Registered Address: [Physical registered address — to be completed]

Information Officer: [Name of registered Information Officer — to be completed]

Privacy Contact Email: [Privacy/POPIA requests email — to be completed]

POPIA Requests Postal Address: [Postal address for formal POPIA requests — to be completed]

If you have any questions about this Privacy Policy, about how we handle your personal information, or about exercising your rights as a data subject, please contact us using the details above.

2. Scope and Who This Policy Applies To

This Privacy Policy applies to all personal information we collect and process about:

  • Visitors who browse the Platform without registering an account;
  • Users who register a free consumer account to discover and connect with home-based service providers;
  • Buyers who register a Buyer account, publish a Listing, and pay a monthly subscription to maintain Listing visibility; and
  • Anyone who contacts us directly by email, through the Platform's contact form, or by any other means.

This Privacy Policy does not apply to personal information collected by Buyers in the course of their own independent business activities (such as the personal information of customers who contact them through the Platform). Buyers are independent responsible parties in respect of their own customer data and are solely responsible for their own POPIA compliance.

3. What Personal Information We Collect

3.1 Information You Give Us Directly

Account creation and registration: When you create a User account or Buyer account, we collect your name or display name, email address, and a password (stored in hashed form). For social login (Google or Facebook), we receive your name and email address from the provider.

Buyer profile and Listing data: When you set up your Buyer profile and publish a Listing, we collect your business name, contact person name, contact telephone number, contact email address, a business description and tagline, service categories and subcategories, optional social media profile links (such as Facebook, Instagram, or WhatsApp), and optional catalog or portfolio links. We also collect your location information at suburb, city, province, and postal code level for search and distance-matching purposes.

Location information: Users may optionally provide their suburb, city, province, and postal code to improve the relevance of search results. This location information is used only to calculate approximate distance to Buyers and to improve the relevance of discovery results. We do not require your full street address and do not publicly display your suburb or city to Buyers without your control. Buyers may optionally include a street address in their Listing profile for display to Users, with individual visibility controls allowing them to choose whether each line of their address is shown publicly.

Support and contact communications: When you contact us with a query, report, complaint, or request, we collect the information you provide in that communication, including your name, email address, and the content of your message.

Review and rating content: When a User submits a review or rating for a Buyer, we collect the review text, the star rating, and the metadata associated with the review (such as the timestamp and the User's and Buyer's identifiers). Reviews are published on the Listing and are publicly visible.

Consent and acceptance records: When you accept these Terms and Conditions, we record your acceptance, the version you accepted, and the date and time of acceptance. This is a legal compliance record.

3.2 Information Generated Through Your Use of the Platform

Technical and access data: When you access the Platform, our hosting infrastructure and authentication systems automatically collect certain technical information, including your IP address, the type of device and browser you are using, your operating system, the URLs of pages you visit on the Platform, the time and date of your visit, and session identifiers used to maintain your login session.

Session and authentication data: We use session cookies or equivalent authentication tokens to keep you logged in during your visit. These are essential for the operation of the Platform and cannot be disabled without affecting your ability to use authenticated features. See Section 14 (Cookies and Technical Identifiers) for more detail.

Usage and activity data: We may collect information about how you use the Platform, including which Listings you view, the searches you conduct, and the filters you apply, to the extent that such data is generated and retained by the Platform's technical infrastructure.

3.3 Information We Receive from Service Providers

Payment processing data: When a Buyer subscribes, payment is processed by Paystack. We receive confirmation of the transaction, the subscription status, and limited payment metadata from Paystack. We do not receive or store your full card number, CVV, or other sensitive payment card data. That information is handled exclusively by Paystack under their own privacy and security policies.

Authentication providers: Where you choose to log in using Google or Facebook OAuth, those providers supply us with your name and email address as part of the authentication flow. We do not receive access to your social media account content, contacts, or messages.

4. How We Collect Personal Information

We collect personal information primarily directly from you when you: register an account; complete or update your profile; publish or edit a Listing; subscribe to a paid plan; submit a review; contact us for support; or accept these Terms.

Some technical data is collected automatically when you access the Platform, as described above.

We do not purchase, rent, or obtain personal information from third-party data brokers or marketing lists. Where we receive information from third-party providers (such as authentication providers or payment processors), this is in connection with services you have actively chosen to use.

5. Why We Collect and Process Personal Information — Purposes and POPIA Justification Grounds

We only collect and process personal information for the specific, explicitly defined, and lawful purposes described in this section. We do not use your personal information for purposes that are incompatible with those described here without first notifying you and, where required, obtaining your consent.

5.1 Creating and Managing Your Account

Purpose: To create your User or Buyer account, verify your email address, manage your login, and administer your account. Without this information, you cannot register or use the Platform's authenticated features.

POPIA justification (section 11): Necessary to conclude or perform the contract for Platform access. Without this data, we cannot provide you with an account.

5.2 Publishing and Displaying Buyer Listings

Purpose: To allow Buyers to publish their service Listings on the Platform and to display those Listings to Users searching for relevant services. Buyer profile data, including business name, description, service categories, location (at suburb/city/province level), and optionally social links and catalog links, is stored and displayed on the Platform.

POPIA justification (section 11): Necessary to perform the Buyer subscription contract. Buyers pay for listing visibility, and storing and displaying Listing data is the core performance of that contract.

Note on public visibility: Buyer Listing data — including business name, contact details, description, categories, and location — is publicly visible on the Platform and may be indexed by external search engines. Buyers who include contact details or social links in their Listing do so with the knowledge and intent that those details will be visible to Users and potentially to the public internet. Personal contact details such as telephone numbers and email addresses displayed in a Listing are provided by the Buyer for the purpose of being contacted by potential customers.

5.3 Enabling Users to Find Relevant Listings

Purpose: To provide search, filtering, and distance-based ranking of Listings to help Users find service providers near them. We use User location information (at suburb, city, or province level, where provided) to calculate approximate distances and improve the relevance of search results.

POPIA justification (section 11): Necessary to perform the service provided to registered Users, and legitimate interest in providing accurate and relevant search results.

5.4 Processing Payments and Managing Subscriptions

Purpose: To process Buyer subscription payments through Paystack, manage subscription status, apply the correct subscription tier to Listing visibility, issue invoices and receipts, manage cancellations and renewals, and handle billing disputes.

POPIA justification (section 11): Necessary to perform the Buyer subscription contract and to comply with financial and tax record-keeping obligations.

5.5 Authentication, Security, and Platform Integrity

Purpose: To authenticate users, maintain login sessions, detect and prevent fraud and abuse, identify and investigate suspicious activity, enforce the Terms and Conditions, protect the Platform's infrastructure, and maintain audit logs for security purposes.

POPIA justification (section 11): Legitimate interests of the responsible party in keeping the Platform secure, preventing unauthorised access and fraud, and protecting the rights and safety of all users.

5.6 Communications Related to Your Account and Listing

Purpose: To send you transactional communications about your account, including registration confirmation, subscription confirmation, billing notifications, renewal reminders, payment receipts, account security alerts, and important platform or policy updates. These communications are necessary for the operation of the service and cannot be opted out of while you hold an account.

POPIA justification (section 11): Necessary to perform the contract for Platform access and to comply with legal obligations.

5.7 Customer Support and Complaints Handling

Purpose: To receive, investigate, and respond to support queries, complaint reports, takedown requests, and moderation reports. To maintain records of support communications for quality-assurance, legal, and audit purposes.

POPIA justification (section 11): Necessary to perform the contract for Platform access, to comply with legal obligations, and legitimate interests in operating a responsible and compliant platform.

5.8 Reviews and Ratings

Purpose: To allow Users to publish reviews and ratings of Buyer Listings on the Platform. Reviews are publicly displayed and are associated with the Buyer's Listing. The User's display name (as set in their profile) is associated with their review.

POPIA justification (section 11): Legitimate interests of the responsible party in providing a transparent review system for the benefit of the user community, balanced against users' privacy interests.

Note: Reviews are publicly visible. Users should be mindful of what personal information they include in the text of their reviews, as reviews are displayed publicly.

5.9 Legal Compliance and Dispute Resolution

Purpose: To comply with applicable South African law, to respond to lawful requests from courts or regulatory authorities, to preserve evidence relevant to disputes, complaints, or legal proceedings, and to enforce our rights and obligations under applicable law.

POPIA justification (section 11): Legal obligation and legitimate interests in managing legal risk and defending legal claims.

5.10 Platform Improvement and Analytics

Purpose: We may use aggregated, de-identified, or anonymised data derived from usage patterns, search activity, and Platform interaction to understand how the Platform is being used and to improve its features and user experience. Where such analysis involves any identifiable data, it is conducted under our legitimate interests and only to the extent compatible with the original collection purpose.

POPIA justification (section 11): Legitimate interests in improving the Platform, provided that the processing does not unduly prejudice the rights and interests of data subjects.

6. Mandatory Versus Optional Information

Not all personal information we collect is equally necessary for the operation of the Platform. The following describes what is mandatory (required for specific Platform functions) and what is optional:

Mandatory for account registration: Name or display name, email address, and password (or social login authentication). Without these, you cannot create an account.

Mandatory for Buyers to publish a Listing: Business name, contact email address, contact telephone number, service category selection, and province/city/suburb location. Without these, a Buyer cannot publish a complete, discoverable Listing.

Optional for Buyers: Street address (line 1 and line 2, each with individual visibility controls), postal code, business tagline, business description, social media links, and catalog or portfolio links. These fields improve Listing quality and discoverability but are not required to publish a basic Listing.

Optional for Users: Suburb, city, province, and postal code location information. Providing this improves the relevance of search results (distance-based ranking) but is not required to browse the Platform. Users who do not provide location information will see search results sorted by default proximity settings rather than their actual location.

Automatically collected and not optional: Technical data such as IP address, session identifiers, access logs, and device/browser information are generated automatically when you access the Platform and are required for its basic operation and security.

7. Who Can See Your Information — Recipients and Visibility

7.1 Home Hub Internal Access

Personal information is accessible internally to Home Hub's authorised personnel, including administration and technical staff, on a need-to-know basis and only to the extent required to perform their duties. Access controls limit which staff members can access which categories of personal information.

7.2 Buyer Listing Information Visible to Users and the Public

When a Buyer publishes a Listing, the following information is visible to all Users of the Platform and potentially to the public internet (including search engine indexing): business name; contact person name; contact telephone number; contact email address; business description and tagline; service categories and subcategories; optional social media links; optional catalog links; suburb, city, province, and postal code location; and optional street address lines (only if the Buyer has enabled their visibility). Profile images and listing photographs are also publicly visible. Buyers should not include information in their Listing that they do not wish to be publicly visible.

7.3 User Information Visible to Others

Users' display names are visible to others in connection with reviews they publish. A User's location (suburb and city level) is used internally for search ranking but is not prominently displayed to Buyers or other Users. User email addresses and account details are not publicly displayed.

7.4 Service Providers (Operators)

We share personal information with carefully selected service providers who process data on our behalf as "operators" under POPIA. These providers are bound by written data processing agreements that require them to process personal information only in accordance with our instructions and to maintain appropriate security measures. Our current service providers include:

  • Hosting and infrastructure: Vercel (website hosting and delivery infrastructure);
  • Database and backend services: Supabase (database, user authentication, and storage services);
  • Payment processing: Paystack (Pty) Ltd (subscription payment processing);
  • Email communications: [Email provider name — to be completed if applicable];
  • Other support tools: [Any additional service providers — to be completed].

We do not sell, rent, or trade personal information to any third party for their independent marketing or commercial purposes.

7.5 Legal Authorities and Regulatory Bodies

We may disclose personal information to law enforcement agencies, regulatory bodies, courts, or other governmental authorities where required by applicable law, lawful court order, or regulatory demand. We will only disclose personal information to legal authorities to the extent strictly required by the legal obligation concerned.

7.6 Business Transfers

If Home Hub undergoes a merger, acquisition, business sale, restructuring, or transfer of assets, personal information held by Home Hub may be disclosed to the prospective or actual acquirer as part of that transaction, subject to applicable privacy law requirements and appropriate confidentiality protections.

8. Cross-Border Transfers of Personal Information

Some of our service providers — including our hosting provider (Vercel) and our database and backend provider (Supabase) — operate infrastructure and may process data in jurisdictions outside the Republic of South Africa, including in the United States and other countries. In accordance with section 72 of POPIA, we ensure that appropriate protections are in place before transferring personal information outside South Africa.

We implement cross-border transfer safeguards through: written data processing agreements with our service providers that impose data protection obligations consistent with POPIA requirements; use of service providers who operate under comprehensive privacy and security frameworks; and selecting providers who contractually commit to processing personal information only for the purposes we specify and to maintaining appropriate technical and organisational security measures.

Where you provide personal information to us that is stored or processed by our infrastructure service providers, you acknowledge that your information may be transferred to and processed in foreign jurisdictions as part of the technical operation of the Platform, subject to the safeguards described above.

We do not transfer special personal information or children's personal information cross-border without additional safeguards and, where required, prior consent.

9. How Long We Keep Your Personal Information

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law, lawful operational need, or legal dispute preservation requirements. The following provides guidance on our retention approach by category:

Active account data: Retained for as long as your account remains active. If you choose to delete your account, your account data will be deleted or de-identified within a reasonable period after your deletion request is processed, subject to the exceptions below.

Buyer Listing data: Active Listing data is retained for as long as your Buyer account remains active or your subscription is maintained. Deactivated or deleted Listing data is removed from public display immediately and deleted or de-identified after a defined wind-down period.

Review and rating data: Reviews are retained for as long as they remain published on the Platform. Where a User deletes their account, we will remove identifying information from their reviews to the extent technically feasible, though the review content may be retained in a de-identified form for platform integrity purposes.

Payment and subscription records: Retained for a minimum of five (5) years from the date of the transaction to comply with South African financial record-keeping and tax obligations.

Support and complaint records: Retained for a period sufficient to allow for the resolution of any follow-up complaints, disputes, or legal proceedings, typically no longer than three (3) years after the last interaction, unless a longer period is required by law or active dispute.

Security and access logs: Retained for a short operational period (typically no longer than twelve (12) months) unless an active security incident or investigation requires longer retention.

Consent and acceptance records: Retained for a minimum of five (5) years from the date of acceptance to provide evidence of consent and compliance in the event of a dispute or regulatory inquiry.

Backup copies: Personal information in backup copies may be retained for a limited additional period consistent with our backup retention schedule, after which it will be deleted or de-identified as part of the backup management process.

We may retain personal information for longer than the standard periods described above where: a legal obligation requires it; a dispute, complaint, or legal proceeding is pending or anticipated; or we have a legitimate operational reason for retention that is not outweighed by your privacy interests.

10. Accuracy and Keeping Your Information Up to Date

POPIA requires us to take reasonably practicable steps to ensure that personal information we process is complete, accurate, not misleading, and updated where necessary. We rely substantially on you to provide accurate information and to inform us of any changes.

You can review and update your account and profile information at any time through your account dashboard on the Platform. If you are unable to update information through the dashboard, or if you wish to correct information held about you that you cannot update yourself, please contact us at the privacy contact address provided above.

Where corrected information has been shared with third parties (such as in published reviews or Listing data displayed to Users), we will take reasonable steps to notify those recipients of the correction where it is practicable to do so.

11. Security Safeguards

We implement appropriate, reasonable, and risk-proportionate technical and organisational measures to protect personal information against loss, damage, unauthorised access, disclosure, interference, modification, or destruction. Our security measures include:

  • Access control: Role-based access controls limiting access to personal information to authorised personnel who require it for their specific duties;
  • Encryption in transit: All data transmitted between your browser and the Platform is encrypted using industry-standard TLS/HTTPS protocols;
  • Authentication security: Password hashing using modern cryptographic techniques; secure session management; multi-factor authentication options where applicable;
  • Database-level security: Row-level security policies on our database layer to restrict access to personal information to authorised processes and users;
  • Vendor due diligence: We assess the security practices of service providers before engaging them and require written commitments to appropriate security standards;
  • Access logging and monitoring: Logging of access to sensitive systems and monitoring for anomalous activity;
  • Regular review: Periodic review and updating of security measures in response to new risks, vulnerabilities, and technological developments.

No absolute guarantee: While we take security seriously and implement substantial safeguards, no security system is impenetrable. We cannot guarantee that unauthorised access, interception, or disclosure will never occur. We encourage you to use a strong, unique password for your Home Hub account and to protect your login credentials.

11.1 Breach Notification

If there are reasonable grounds to believe that an unauthorised person has accessed, acquired, or interfered with personal information we hold, and that the data subject is likely to be adversely affected, we will notify the Information Regulator and affected data subjects as required by section 22 of POPIA and applicable regulations. Notifications will be provided through your registered email address and any other appropriate channel.

12. Your Rights as a Data Subject

POPIA gives you the following rights in respect of personal information we hold about you:

12.1 Right to be Notified. You have the right to be notified when your personal information is being collected and, in the event of a qualifying security compromise, to be notified thereof in accordance with POPIA.

12.2 Right to Access. You have the right to request confirmation of whether we hold personal information about you, and to request access to that information. Access requests are processed in accordance with POPIA and, where applicable, the Promotion of Access to Information Act (PAIA). We may require you to verify your identity before granting access. Access is subject to any grounds of refusal permitted under PAIA.

12.3 Right to Correction. You have the right to request that inaccurate, incomplete, misleading, or outdated personal information held about you be corrected or updated. You can update most of your information directly through your account dashboard. For information you cannot update yourself, please contact us.

12.4 Right to Deletion. You have the right to request the deletion or destruction of personal information that we are no longer authorised to retain under POPIA. We will process deletion requests within a reasonable time and will notify relevant recipients of deletions where practicable. Deletion requests are subject to applicable legal retention requirements and may not result in the immediate removal of all data (for example, where retention is required for tax, legal, or dispute-resolution purposes).

12.5 Right to Object. You have the right to object to the processing of your personal information in certain circumstances, including where processing is based on legitimate interests and you have grounds relating to your particular situation. You also have the absolute right to object to the use of your personal information for direct marketing purposes.

12.6 Right to Withdraw Consent. Where we process your personal information based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

12.7 Right to Lodge a Complaint. You have the right to lodge a complaint with the Information Regulator of South Africa if you believe that we have not complied with our obligations under POPIA in respect of your personal information. The Information Regulator's contact details are available at their official website.

How to exercise your rights: To exercise any of the above rights, please contact us at the privacy contact email or postal address provided above. We will acknowledge your request within fourteen (14) days of receipt and will process it as promptly as reasonably practicable. We may require identity verification before processing your request. Requests are generally processed free of charge, in accordance with applicable POPIA regulations.

13. Direct Marketing

What we do currently: We do not currently use your personal information to send you direct marketing communications — that is, we do not send promotional emails, commercial SMS messages, WhatsApp marketing messages, or similar communications unless required for the operation of your account (such as subscription confirmations and billing notices). Transactional and account-related communications are not direct marketing and will always be sent regardless of your marketing preferences.

Future direct marketing: If we introduce direct marketing communications in the future (including by email, SMS, or WhatsApp), we will only do so: (a) where you are an existing customer and we are marketing our own similar services to you under the POPIA "existing customer" exception, provided you have a clear and free opportunity to opt out; or (b) where you have given us specific, voluntary, informed, and unambiguous prior consent. We will not use pre-ticked consent boxes, silence, inertia, or bundled consent for direct marketing purposes.

Opting out: You have the absolute right at any time to object to the use of your personal information for direct marketing purposes by contacting us at the privacy contact address provided above or by using any opt-out mechanism included in any marketing communication you receive from us. We will act on all opt-out requests promptly and free of charge.

14. Cookies and Technical Identifiers

Essential session cookies: The Platform uses session cookies or equivalent secure authentication tokens to keep you logged in during your visit and to maintain your session state. These are strictly necessary for the authenticated features of the Platform (such as your account dashboard and Listing management) and cannot be disabled without preventing you from using those features.

No third-party advertising cookies: We do not currently use third-party advertising cookies, behavioural tracking cookies, or cross-site tracking technologies for advertising or retargeting purposes.

Analytics: We may use aggregated, privacy-protective analytics tools to understand usage patterns on the Platform. Where analytics tools involve any identifiable data, they are subject to the same data minimisation and purpose limitation principles described in this policy. We will update this section if we introduce new analytics tools.

Infrastructure cookies: Our hosting infrastructure (Vercel) may process certain technical data, including IP address and system configuration information, as part of the operation of the hosting and delivery network. Please refer to Vercel's privacy policy for more information about their data practices.

Managing cookies: You can configure your browser to block or delete cookies. Blocking session/authentication cookies will prevent you from using the authenticated features of the Platform. Blocking all cookies will not prevent you from browsing publicly available Listings.

15. Children's Personal Information

The Platform is not intended for use by persons under the age of 18 years. We do not knowingly collect, process, or store the personal information of children under the age of 18. If you are under 18, please do not register an account or submit any personal information to the Platform.

If we become aware that we have inadvertently collected personal information from a person under 18 without appropriate parental consent, we will take prompt steps to delete that information from our records. If you believe that we may have inadvertently collected personal information from a minor, please contact us immediately at the privacy contact address provided.

16. Special Personal Information

POPIA imposes heightened protections on certain categories of "special personal information," including information about religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinion, health or sex life, biometric data, and criminal behaviour.

The Platform does not request, require, or intentionally collect special personal information in the ordinary course of operating the directory service. We do not ask Users or Buyers to disclose their health status, racial background, political views, religious beliefs, or any other category of special personal information.

If any special personal information is inadvertently submitted through the Platform (for example, in the text of a review or a support message), it will be processed only to the extent necessary to fulfil the specific request and will not be retained beyond what is required for that purpose.

17. Automated Decision-Making

We do not currently use automated decision-making processes that produce legal or similarly significant effects on individual users without human involvement. Decisions regarding account suspension, Listing removal, and subscription management are subject to human review.

Algorithmic ranking and search result ordering is used to improve the relevance and quality of search results for Users. These processes affect Listing visibility but do not constitute legally significant automated decisions affecting Users' legal rights or obligations.

If we introduce automated decision-making processes with legal or significant effects in the future, we will update this Privacy Policy and provide appropriate disclosure.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in applicable law, our processing activities, our service providers, or our data practices. We will publish the updated Privacy Policy on the Platform with a revised "Last Updated" date. Where changes are material, we will notify affected users through their registered email address.

Your continued use of the Platform after any update to this Privacy Policy constitutes your acknowledgement of the changes and your agreement to the updated terms to the extent required by applicable law.

19. Contact and Complaints

For all privacy enquiries, data subject rights requests, and POPIA-related queries:

Email: [Privacy contact email — to be completed]

Postal Address: [Address for formal POPIA requests — to be completed]

Attention: Information Officer

We will acknowledge receipt of your request within fourteen (14) days and will process it as promptly as reasonably practicable.

To lodge a complaint with the Information Regulator:

If you are dissatisfied with our response to your privacy concern or request, or if you believe we have not complied with our POPIA obligations, you have the right to lodge a complaint with the Information Regulator of South Africa. The Information Regulator's contact details and online complaints portal are available at the Information Regulator's official website.

Last Updated: [Date to be inserted upon first publication]