Privacy · POPIA · Version 1.0 · Effective July 2026

Privacy Policy & POPIA Notice

How LaterLarry collects, uses, stores and protects the personal information of hotel staff and the guests they report. Written to satisfy the Protection of Personal Information Act, 2013 ("POPIA").

Placeholder notice. This is a working draft. LaterLarry (Pty) Ltd will finalise this text with a POPIA-specialist attorney before public launch. Nothing here constitutes legal advice.

1. Who we are (responsible party)

The responsible party for personal information processed on this platform is LaterLarry (Pty) Ltd. Our appointed Information Officer can be reached at privacy@laterlarry.co.za.

2. Whose information we process

  • Hotel account users — staff who log in to use the platform.
  • Guests reported by member hotels — people who have been the subject of an incident report submitted by a member hotel.

3. What information we process, and why

CategoryPurposeLawful basis (POPIA §11)
Hotel contact details, staff name & emailProvide the platform, authenticate users, send account notificationsContract with the hotel
Guest identifiers (ID/passport number, mobile, email, name)Enable member hotels to search for prior incidents against the same guestLegitimate interests: fraud prevention & safety
Incident details (date, category, description, photos)Provide member hotels with evidence to make booking-risk decisionsLegitimate interests: fraud prevention & safety
Audit logs (IP, user agent, actions performed)Detect misuse, comply with POPIA §19 security safeguards, and support legal defenceLegitimate interests & legal obligation

4. How we protect your data (POPIA §19)

  • All guest identifiers are encrypted at the field level in our database. Lookups use per-field salted hashes so nobody — including us — can read a plaintext ID number from the database directly.
  • Passwords are hashed with Argon2id.
  • Every account has two-factor authentication available; admin accounts require it.
  • All access to the platform is over HTTPS. Rate-limiting protects login, search and report endpoints.
  • Every search, report and moderation action is logged in an immutable audit trail.
  • Our infrastructure sits inside South Africa where practical, and complies with the POPIA cross-border rules where not.

5. Who we share data with

  • Member hotels — verified paying hotels can see full report details; free-tier hotels see summarised results only.
  • Service providers (operators) — email delivery, payment processing (Paystack), server hosting. Each is bound by an operator agreement to process data only as instructed by us.
  • Law enforcement — only where compelled by a valid subpoena, court order, or statutory obligation.
  • We do not sell your personal information to anyone, ever.

6. How long we keep data (POPIA §14)

  • Incident reports — automatically redacted after 3 years from the incident date. After redaction, the free-text description and booking reference are removed but a minimal anonymised record remains to defend against duplicate reports.
  • Hotel account data — for as long as the account is active, plus 3 years for tax and legal purposes.
  • Audit logs — 5 years, for legal defence and misuse investigation.
  • Guest appeals & correspondence — kept for the life of the related report, then redacted with it.

7. Your rights as a data subject (POPIA §§23-25)

  • Right of access — you may request confirmation of what personal information we hold about you.
  • Right to correction or deletion — you may request that inaccurate information be corrected, or that information be deleted where we no longer have a lawful basis to hold it.
  • Right to object — you may object to processing on the grounds of your particular situation.
  • Right to complain — you may lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za.

If a report has been filed against you, you will also receive a POPIA §18 notification with a private appeal link, from which you can dispute the report directly. To exercise any of the above rights, use our data-subject request portal or email privacy@laterlarry.co.za.

8. Cross-border transfer

Our primary hosting is in South Africa. Where a service provider (for example an email delivery service) operates outside South Africa, we ensure the destination country has substantially similar data-protection laws or the provider is contractually bound to POPIA-equivalent standards.

9. Cookies

LaterLarry uses a single first-party session cookie to keep you signed in. We do not use advertising, tracking or analytics cookies. CSRF protection uses one additional cookie.

10. Data breaches

If we ever have reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, as required by POPIA §22.

11. Changes to this policy

We may update this policy. Material changes are emailed to hotel account owners and posted on the platform for at least 14 days before taking effect.

12. Contact

Information Officer / Privacy queries: privacy@laterlarry.co.za
Security incidents: security@laterlarry.co.za


Version 1.0 · 9 July 2026