Privacy Policy

Martket ("we", "our", or "us") operates the Martket mobile application (the "App"). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our App to discover, book, and pay for local services in South Africa.

This policy is drafted in compliance with the Protection of Personal Information Act, 2013 (POPIA) and the Electronic Communications and Transactions Act, 2002 (ECTA) of the Republic of South Africa.

By using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.

1. Information We Collect

1.1 Information you provide

• Account details: full name, email address, phone number, date of birth, province, and password when you register.
• Business details (SMME users): business name, description, phone, email, address, service categories, pricing, logo, cover photo, and gallery images.
• Verification documents (SMME users): ID document, proof of banking details, and optionally company registration documents, uploaded as part of the business vetting process.
• Payment information: PayFast merchant ID for SMME users. We do not store credit card numbers — all payments are processed by PayFast (Pty) Ltd.
• Profile preferences: preferred service categories, notification preferences.
• Reviews and ratings you leave for businesses.

1.2 Information collected automatically

• Location data: GPS coordinates and address when you grant location permission, used to show nearby businesses and calculate distances.
• Device information: device type, operating system, app version.
• Usage data: pages viewed, searches performed, bookings made.

2. Lawful Basis for Processing

Under POPIA, we process your personal information based on one or more of the following lawful grounds:

• Consent: you have given us clear consent to process your personal information for a specific purpose (e.g. location access, push notifications, marketing).
• Contract: processing is necessary to fulfil our contract with you (e.g. creating your account, processing bookings, facilitating payments).
• Legitimate interest: processing is necessary for our legitimate business interests (e.g. improving the App, preventing fraud, platform safety), provided these do not override your rights.
• Legal obligation: processing is necessary to comply with South African law (e.g. tax records, responding to lawful requests from authorities).

3. How We Use Your Information

We use the information we collect to:

• Create and manage your account.
• Verify your identity and age eligibility.
• Connect you with local service providers.
• Process bookings and facilitate payments via PayFast.
• Show relevant businesses based on your location and preferences.
• Send booking confirmations, updates, and reminders.
• Improve the App experience and develop new features.
• Prevent fraud and ensure platform safety.
• Comply with legal obligations under South African law.

4. How We Share Your Information

We do not sell your personal information. We may share it with:

• Service providers (SMMEs): your name and booking details so they can fulfil your service request.
• PayFast (Pty) Ltd: to process payments securely.
• Google Maps Platform: your location to display maps and calculate distances. Subject to Google's Privacy Policy.
• Supabase (our database provider): stores your account data securely with row-level security.
• Law enforcement: if required by law, court order, or to protect the rights and safety of our users.

5. Data Storage and Security

Your data is stored on secure cloud servers provided by Supabase (hosted on AWS). We implement industry-standard security measures including:

• Encrypted data transmission (HTTPS/TLS).
• Row-level security policies on all database tables.
• Hashed passwords — we never store your password in plain text.
• API key restrictions and rotation.

We are committed to safeguarding your data and continuously review and strengthen our security practices to stay ahead of emerging threats. If a security incident were ever to occur, we will notify affected users promptly and take immediate corrective action.

6. Cross-Border Data Transfers

Your personal information may be transferred to and stored on servers located outside of South Africa. Our database provider, Supabase, is hosted on Amazon Web Services (AWS) infrastructure which may include servers in the United States and Europe.

In accordance with Section 72 of POPIA, we ensure that any cross-border transfer of your personal information is subject to binding agreements that provide an adequate level of protection comparable to the conditions set out in POPIA. By using the App, you consent to this transfer.

7. Your Rights Under POPIA

Under the Protection of Personal Information Act (POPIA) of South Africa, you have the right to:

• Access: request a copy of the personal information we hold about you.
• Correction: request that we correct inaccurate or incomplete information.
• Deletion: request that we delete your account and personal data.
• Object: object to the processing of your personal information.
• Withdraw consent: withdraw consent for location tracking or notifications at any time via your device settings.

To exercise any of these rights, contact us at privacy@martket.co.za or contact our Information Officer (see Section 17). We will respond within 30 days as required by POPIA.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:

8. Location Data

The App requests access to your device's location to show nearby businesses and calculate distances. Location permission is optional — you can deny or revoke it at any time through your device settings. Some features (e.g. "Near Me" search) will have limited functionality without location access.

We do not track your location in the background. Location data is only accessed while the App is in use.

9. Business Verification and Images

Business owners (SMME users) are required to upload verification documents during registration, including an ID document and proof of banking details. Company registration (CIPC) documents may be submitted optionally.

• Verification documents are stored in a private, encrypted storage bucket and are only accessible to the account holder and our admin review team.
• Documents are used solely for the purpose of verifying business legitimacy and are not shared with third parties.
• Business images (logo, cover photo, gallery photos) are stored in a public bucket so they can be displayed to customers browsing the App.
• You may update or remove your business images at any time through the Business Dashboard.

10. Direct Marketing

We may send you promotional messages about new features, services, or businesses on Martket. In accordance with POPIA and ECTA, we will only send direct marketing communications where:

• You have given us your prior consent (opt-in), or
• You are an existing user and the marketing relates to similar services you have previously used.

Every marketing message includes an option to unsubscribe. You may also opt out at any time by disabling notifications in your device settings or adjusting your preferences in the App under Profile > Notification Settings. We will honour your request within 5 business days.

11. Push Notifications

With your consent, we may send push notifications for booking updates, promotions, and service reminders. You can disable notifications at any time in your device settings.

12. Children's Privacy

The App is not intended for use by anyone under the age of 16. We enforce this restriction by requiring all users to provide their date of birth during registration. Users born in the year 2009 or later are blocked from creating an account.

This age restriction applies equally to both customer accounts and business owner (SMME) accounts.

We do not knowingly collect personal information from children under the age of 16. If we discover that a child under 16 has provided us with personal information, we will delete their account and associated data promptly.

13. Security Breach Notification

In the event of a security compromise that affects your personal information, we will, in accordance with Section 22 of POPIA:

• Notify the Information Regulator as soon as reasonably possible after becoming aware of the breach.
• Notify all affected data subjects (users) promptly, providing details of the breach and the steps we are taking to address it.
• Take immediate steps to mitigate the impact of the breach and prevent further unauthorised access.
• Provide recommendations on measures you can take to protect yourself.

14. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law (e.g. transaction records for tax purposes).

15. Third-Party Services

The App uses the following third-party services, each with their own privacy policies:

• Supabase — database and authentication (supabase.com/privacy)
• PayFast — payment processing (payfast.co.za/privacy-policy)
• Google Maps Platform — maps and location (policies.google.com/privacy)
• Expo / EAS — app build and delivery (expo.dev/privacy)

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the App or sending you a notification. Your continued use of the App after changes are posted constitutes acceptance of the updated policy.

17. Information Officer and Contact Details

In terms of POPIA, Martket has appointed the following Information Officer who is responsible for ensuring compliance with the Act and handling all data-related enquiries:

If you have questions about this Privacy Policy, wish to exercise your rights as a data subject, or need to report a concern, please contact our Information Officer at the details above. We will acknowledge your request within 5 business days and respond substantively within 30 days.