Legal
Last updated: 8 July 2026
Flyhalf (Pty) Ltd ("Flyhalf", "we", "us") operates a gamification engine that processes events, rewards and messages on behalf of the businesses that use it. This policy explains what personal information we process, why, and the rights you have under the Protection of Personal Information Act, 4 of 2013 ("POPIA").
For information you give us directly (for example through our contact form or when you open an account), Flyhalf is the responsible party. For participant data our customers send us through the API — names, phone numbers, event payloads — the customer is the responsible party and Flyhalf acts as operator under section 20 and 21 of POPIA, processing only on their documented instructions. A Data Processing Agreement forms part of every contract, including the free Starter tier.
Our marketing website sets no tracking cookies. A session cookie is used only on the contact form, to protect it against forgery.
We do not sell personal information. We do not use participant data to train models.
Production data is hosted in South African data residency options where selected, with encrypted storage and encrypted transit everywhere. Cross-border transfers, where they occur (for example WhatsApp delivery via Meta), happen under section 72 of POPIA with appropriate contractual safeguards.
Account data for the life of the account plus the period required by law. Participant data for as long as our customer instructs us, and it is deleted or returned when the contract ends. Technical logs are rotated within 90 days.
Under POPIA you may request access to, correction of, or deletion of your personal information, object to processing, and complain to the Information Regulator (complaints.IR@inforegulator.org.za). Participants in a customer's programme should contact that business first — we support every such request with export and deletion tooling.
To exercise any right with us directly, email privacy@flyhalf.io. Our Information Officer can be reached at the same address. We respond within a reasonable time and at most within the periods POPIA prescribes.
Access controls per tenant, encryption at rest and in transit, signed webhooks, append-only ledgers and full audit trails. If a security compromise affects your personal information, we notify the Information Regulator and affected parties as section 22 requires.
We will post any changes here and, for material changes, notify account holders by email.