Elite Hospitality South Africa (Pty) Ltd
Registration No.: K2020632150

Effective Date: 12 September 2025

Review Cycle: Annually, or sooner if required by law

1. Introduction

Elite Hospitality South Africa (EHSA, “we,” “our,” or “us”) is a corporate leasing, short-term rental, and property management company.
We are committed to safeguarding the privacy and protection of personal information in compliance with:
– POPIA – Protection of Personal Information Act (South Africa)
– GDPR – General Data Protection Regulation (EU/UK)
– CCPA – California Consumer Privacy Act (USA, where applicable)
– Applicable AML/FATF standards – For investor and financial data

By engaging with EHSA (via our website, direct bookings, investor agreements, or communications), you consent to the practices described in this Privacy Policy.

2. Definitions

– Personal Data: Any information relating to an identifiable natural or juristic person.
– Processing: Any operation performed on personal data, including collection, storage, use, transfer, or deletion.
– Data Subject: The individual or entity whose personal data is processed.
– Third Party/Processor: Any external service provider engaged by EHSA to process data on its behalf.
– Information Officer (POPIA) / Data Protection Officer (GDPR): The designated officer responsible for ensuring compliance.

3. Categories of Personal Data Collected

(a) Identity Data – Full name, ID/passport, company details, nationality.
(b) Contact Data – Email, phone, business/postal addresses.
(c) Financial & Legal Data – Bank details, invoices, contracts, investment agreements.
(d) Booking & Hospitality Data – Dates of stay, property preferences, guest IDs, corporate bookings.
(e) Digital Interaction Data – IP address, browser/device, cookies, WhatsApp/website form submissions.
(f) Special Categories (where required) – Background checks (KYC, AML), emergency contacts.

4. Purposes of Processing

We process personal data to:
1. Fulfil bookings, leases, contracts, and investor agreements.
2. Comply with legal, tax, financial, and housing regulations.
3. Conduct corporate leasing vetting and landlord compliance.
4. Manage investor relations, ROI tracking, and loan schedules.
5. Operate websites, portals, and digital communication platforms.
6. Send marketing communications and updates (with opt-out options).
7. Detect, investigate, and prevent fraud or money laundering.

5. Legal Basis for Processing

– Consent – Newsletter sign-ups, Academy enrolments.
– Contract – Lease, booking, or investment execution.
– Legal Obligation – Compliance with POPIA, GDPR, AML, tax laws.
– Legitimate Interest – Business protection, service improvement.

6. Data Retention

– Guest/Client Data – 5 years post-stay/contract.
– Investor/Financial Records – 7 years post-agreement (per Companies Act).
– Cookies/Tracking Data – Up to 12 months, unless manually cleared.

7. Data Sharing & Cross-Border Transfers

We may share data with:
– Landlords, investors, and property owners (for contractual purposes).
– Online Travel Agencies (Airbnb, Booking.com, VRBO).
– Service providers (payment processors, IT, cleaners, lawyers).
– Public authorities (tax authorities, regulators, courts).

Cross-border transfers are safeguarded by:
– GDPR Standard Contractual Clauses (SCCs).
– South African cross-border transfer requirements.
– Where applicable, U.S. Data Privacy Framework compliance.

8. Third-Party Processors

We ensure all service providers and contractors:
– Sign confidentiality and data protection agreements.
– Demonstrate POPIA/GDPR compliance.
– Limit processing to agreed purposes.

9. Security Safeguards

We employ enterprise-grade measures:
– AES-256 encryption for data storage.
– Multi-factor authentication for staff.
– Role-based access controls.
– Annual security audits and penetration testing.
– Incident response and breach notification protocol.

10. Data Breach Notification

In the event of a data breach:
– POPIA – We will notify the Information Regulator and affected individuals as soon as reasonably possible.
– GDPR – We will notify regulators within 72 hours and data subjects without undue delay if high risk is identified.

11. Your Rights

Under POPIA, GDPR, and CCPA, you may:
– Request access to your personal data.
– Correct or update information.
– Request deletion (“right to be forgotten”).
– Restrict or object to processing.
– Withdraw consent (marketing communications).
– Request a structured data export (portability).

Process: Requests can be sent to info@elitehospitalityza.com. They will be acknowledged within 7 business days and fulfilled within 30 days, subject to ID verification.

12. Cookies & Tracking

We use cookies for:
– Secure login/authentication.
– Saving user preferences.
– Analytics (Google Analytics, Meta).
– Retargeting ads (only with consent).

Users may manage cookies via browser settings.

13. Children’s Privacy

In compliance with POPIA, services are not directed at individuals under 18 years of age. If such data is inadvertently collected, it will be deleted immediately.

14. Liability Limitation

EHSA is not liable for data breaches caused by:
– Third-party platforms (Airbnb, Booking.com, etc.).
– User negligence (e.g., weak passwords).
– Force majeure events (cyberattacks, natural disasters).

Clients remain responsible for ensuring the accuracy of data provided to EHSA.

15. Policy Updates

This policy may be updated to reflect regulatory or operational changes. The latest version will always be available on our website.

16. Information Officer / Contact Us

Information Officer (POPIA):
Elite Hospitality South Africa (Pty) Ltd
Waterfall, Midrand, South Africa
📧 Email: info@elitehospitalityza.com
📞 Phone: +27 72 910 3508