4×4 Epic Tours
Your Privacy Matters

Privacy Policy

How we collect, use, protect and share your personal information — and the rights you have over it under South Africa's POPIA and the EU/UK GDPR.

Last updated: 29 June 2026

Draft for legal review. Items marked [PLACEHOLDER] must be completed and the whole policy checked by a qualified attorney before launch. See the TODO list at the foot of this page.

1. Who we are

[PLACEHOLDER: 4x4 Epic Tours (Pty) Ltd] (“we”, “us”) operates 4x4 Epic Tours (4x4epictours.com). We are the responsible party under POPIA and the data controller under the GDPR for the personal information described here.

  • Registration number: [PLACEHOLDER: company registration no.]
  • Registered address: [PLACEHOLDER: registered address, Cape Town, South Africa]
  • Information Officer (POPIA): [PLACEHOLDER: Information Officer name] privacy@4x4epictours.com
  • EU/UK representative (GDPR Art. 27, if applicable): [PLACEHOLDER: name & address, or state “not required”]

2. What we collect

  • Contact & identity: name, email, phone/WhatsApp number, country.
  • Booking details: tour and departure chosen, number of guests, currency, special requests, booking reference and status.
  • Proof of payment: the document you upload to confirm an EFT deposit. We do not process card payments or store card details.
  • Enquiries & chat: messages you send via our forms or the on-site booking assistant.
  • Technical & usage: with your consent, anonymous analytics about how the site is used (see our Cookie Policy).

3. Why we use it & our lawful basis

We process your personal information for these purposes:

  • Managing your booking (quotes, confirmation, payment matching, trip logistics) — lawful basis: performance of a contract (GDPR Art. 6(1)(b)); POPIA s11(1)(b).
  • Replying to enquiries — lawful basis: legitimate interests / your request (GDPR Art. 6(1)(f)); POPIA s11(1)(f).
  • Marketing (trip ideas, dates, offers by email/WhatsApp/SMS) — lawful basis: your consent (GDPR Art. 6(1)(a)); POPIA s69. We send these only if you opt in, and you can withdraw at any time via the unsubscribe link or by emailing us.
  • Legal & financial records (tax, accounting, SATSA/consumer protection) — lawful basis: legal obligation (GDPR Art. 6(1)(c)); POPIA s11(1)(c).
  • Improving the site via analytics — lawful basis: your consent.

4. Who we share it with

We never sell your personal information. We share it only with operators (processors) who help us run the business, under contract and only as needed:

  • Website hosting: Hostinger (VPS) — stores everything you submit.
  • Analytics:Google Analytics 4 (Google) — only if you allow analytics cookies. We also use Google Search Console for SEO, which doesn’t track you on the site.
  • Email / SMS / WhatsApp: Twilio — to send booking and (if you opt in) marketing messages.
  • On-site chat assistant: OpenRouter, which routes your message to the DeepSeek AI model. Please don’t share sensitive personal details in the chat — use it for tour questions only.
  • Regulators, banks, our accountant or advisors where the law requires it.

We do not use any online card or payment processor — deposits are paid by EFT/bank transfer directly to our bank.

5. Sending data outside South Africa / the EEA

Some operators are located outside South Africa and the EEA, so your information may be transferred across borders (POPIA s72; GDPR Chapter V):

  • United States— Twilio, OpenRouter and Google. Safeguard: Standard Contractual Clauses / the provider’s data-processing terms. [PLACEHOLDER: confirm per provider.]
  • China — the DeepSeek AI model processes the messages you send to our chat assistant. China is not covered by an adequacy decision, so this is a higher-risk transfer; we rely on [PLACEHOLDER: safeguard — Standard Contractual Clauses and/or your consent] and we limit what the assistant handles. Avoid entering sensitive details in chat.
  • European Union — Hostinger (hosting). The EU benefits from a POPIA-comparable framework.

6. How long we keep it

  • Marketing contacts with no booking: removed after about 36 months of inactivity, or sooner if you unsubscribe and ask us to delete you.
  • Booking & financial records: kept for the period required by South African tax and consumer-protection law (typically 5 years), after which personal details are anonymised.
  • Proof-of-payment files: deleted once no longer needed for the booking or our legal record.

7. Your rights

Under POPIA and the GDPR you can ask us to:

  • access a copy of the personal information we hold about you;
  • correct or update anything inaccurate;
  • delete your information (where we don’t need to keep it by law);
  • object to or restrict certain processing, including marketing;
  • receive your data in a portable format;
  • withdraw consent at any time (without affecting prior processing).

To exercise any of these, email privacy@4x4epictours.com. We respond within the timeframes the law requires (POPIA: a reasonable time; GDPR: within one month). We may need to verify your identity first.

8. Cookies & local storage

We use a small number of cookies and browser-storage items — essential ones to run the site, plus optional functional and analytics storage you control. Full details are in our Cookie Policy. You can change your choices any time: .

9. Security

We protect your information with HTTPS across the site, access controls on our admin tools, and by limiting who can see your data. No system is perfectly secure, but we take reasonable, appropriate technical and organisational measures as POPIA s19 and GDPR Art. 32 require.

10. Children

Our services are aimed at adults. We don’t knowingly collect personal information from children under 18 without a competent person’s consent.

11. Complaints

Please contact us first and we’ll try to put things right. You also have the right to complain to a regulator:

  • South Africa: Information Regulator — inforegulator.org.za
  • EU/UK: your local data-protection supervisory authority [PLACEHOLDER: name the lead authority if you have an EU establishment].

12. Changes

We may update this policy from time to time. The “last updated” date above shows the current version; material changes will be highlighted on the site.

Owner TODO before launch:
  • Replace every [PLACEHOLDER] above (entity, reg no., address, officers, processors, safeguards).
  • Register the Information Officer with the SA Information Regulator and publish a PAIA manual.
  • Sign operator/processor agreements with each third party listed in §4.
  • Confirm retention periods with your accountant and SATSA obligations.
  • Have a qualified attorney review this policy and the Cookie Policy.
De nieuwsbrief · nooit spam

Field Notes in je inbox

Routeverhalen, beschikbare vertrekdata en af en toe een foto van de piste. Eén e-mail per maand.