Privacy Policy

Gigster's designated Information Officer is Carina Bruwer, responsible for ensuring compliance with POPIA and handling all privacy-related requests.

Contact: privacy@gigster.co.za

We collect only the information necessary to operate the platform and facilitate bookings.

We process your personal information for the following specific purposes:

• Account creation and identity verification — to confirm you are who you say you are.
• Booking facilitation — to connect vendors and clients and manage the booking lifecycle.
• Payment processing and payouts — to transfer funds to vendors via EFT or Flutterwave.
• Communications — to send booking confirmations, application status updates, and important platform notices.
• Security and fraud prevention — to detect and prevent spam, bot submissions, and fraudulent activity.
• Dispute resolution — to review platform activity if a dispute is raised.
• Legal compliance — to meet our obligations under POPIA, tax law, and other applicable legislation.

We do not use your personal information for unsolicited marketing without your explicit consent.

We process your personal information on the following grounds under POPIA:

• Contract performance — processing is necessary to fulfil our agreement with you (e.g. facilitating your booking).
• Legal obligation — we are required to retain certain records for tax and compliance purposes.
• Legitimate interest — fraud prevention and platform security.
• Consent — for optional communications such as newsletters (you may withdraw consent at any time).

We share your personal information only where necessary and with appropriate safeguards:

• Supabase Inc. (USA) — our database and authentication provider. Your data is stored on Supabase-hosted infrastructure. Supabase is SOC 2 Type II certified.
• Flutterwave Inc. (pan-African) — our payment processor. Card and bank details are handled directly by Flutterwave and are subject to their privacy policy.
• Resend Inc. (USA) — our transactional email provider, used to send booking confirmations and notifications.
• Legal authorities — where required by South African law or court order.

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

Some of our service providers (Supabase, Resend) are based in the United States. By using the Platform, you acknowledge that your personal information may be transferred to and processed in countries outside South Africa. We ensure that such transfers are subject to appropriate contractual protections consistent with POPIA's requirements.

We retain your personal information for as long as your account is active, plus the following minimum periods after account closure:

• Financial records (booking amounts, payouts, invoices) — 5 years (SARS requirement)
• Identity information (ID numbers) — 5 years after last transaction
• Audit logs — 3 years
• Communications — 2 years

After these periods, your data is securely deleted or anonymised.

We take reasonable technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These include:

• Encrypted data storage and transmission (TLS/HTTPS)
• Row-level security on all database records
• Encrypted passwords (never stored in plain text)
• Banking details encrypted before storage (Phase 5 implementation)
• Admin-only access to sensitive financial data
• Audit logs for all data changes

In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and the Information Regulator as required by POPIA.

As a data subject, you have the following rights:

• Access — request a copy of the personal information we hold about you.
• Correction — request that we correct inaccurate or incomplete information.
• Deletion — request deletion of your personal information, subject to our legal retention obligations.
• Objection — object to processing based on legitimate interest.
• Restriction — request that we restrict processing in certain circumstances.
• Data portability — request your data in a structured, machine-readable format.
• Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.

To exercise any of these rights, email our Information Officer at privacy@gigster.co.za. We will respond within 30 days.

If you believe we have not handled your personal information lawfully, you may lodge a complaint with the South African Information Regulator:

The Platform uses only essential session cookies required for login and security. We do not use advertising cookies or third-party tracking cookies. You may disable cookies in your browser settings, but this may affect your ability to log in and use the Platform.

The Platform is not intended for persons under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor has provided us with personal information, we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users at least 14 days before taking effect. The effective date at the top of this page reflects the current version.

For any privacy-related queries, contact our Information Officer: