Privacy Policy & POPIA Notice

The Responsible Party for the processing of your personal information is:

As the Responsible Party, Moyres Guest Farm determines the purpose and means of processing your personal information and is accountable for ensuring all processing is lawful, reasonable, and necessary.

In this Privacy Policy, the following terms have the meanings assigned to them in the Protection of Personal Information Act, 4 of 2013 (POPIA):

• Data Subject — the natural person to whom personal information relates (you, the user).
• Personal Information — any information that identifies or can identify you, including your name, email address, telephone number, date of birth, IP address, and browsing behaviour.
• Processing — any operation performed on personal information, including collection, storage, use, disclosure, and deletion.
• Operator — a third party that processes personal information on behalf of Moyres, under a written mandate (e.g., Cloudflare, Resend, Google).
• Information Regulator — the regulatory authority established under POPIA to enforce the Act.
• Special Personal Information — sensitive categories such as race, religion, health, or biometric data. Moyres does not collect special personal information.

We collect only the minimum personal information necessary for the specific purpose for which it is collected (principle of minimality). The categories of information we may collect are:

We do not collect, process, or store:

• Payment card details (all bookings are processed directly through RoomRaccoon's secure PMS).
• National Identity or passport numbers.
• Special personal information as defined in Section 26 of POPIA.

In accordance with Section 13 of POPIA, personal information is collected for specific, explicitly defined, and lawful purposes only. We process your information for the following purposes:

• Account Management: To create and maintain your Moyres website account, authenticate your identity, and manage your session.
• Booking & Reservation Facilitation: To process guest house booking requests forwarded to RoomRaccoon and venue inquiry submissions.
• Service Communications: To respond to inquiries, send booking confirmations, check-in instructions, and essential operational communications. These communications are not marketing and do not require a marketing opt-in.
• Marketing & Promotional Emails: To send promotional emails, seasonal offers, upcoming event announcements, and special packages — but only to users who have explicitly opted in to marketing communications.
• Birthday Personalisation: To send a personalised birthday greeting and special offer email — only for opted-in users who have provided their date of birth.
• Analytics & Performance: To understand how visitors interact with our website, identify performance issues, and improve the user experience (via Google Analytics 4 and Google Tag Manager).
• Legal Compliance & Security: To comply with applicable laws, prevent fraud, and protect the rights of Moyres and its guests.

We rely on the following lawful grounds under Section 11 of POPIA to process your personal information:

• Consent (Section 11(1)(a)): Where you have explicitly consented — for example, by ticking the marketing opt-in checkbox during registration, or providing your date of birth.
• Contract Performance (Section 11(1)(c)): Where processing is necessary to perform a contract with you — for example, facilitating a room booking or responding to an event inquiry.
• Legitimate Interest (Section 11(1)(f)): Where we have a legitimate business interest in processing your data that does not override your privacy rights — for example, website security monitoring and analytics.
• Legal Obligation (Section 11(1)(b)): Where we are required by law to retain or process certain records.

Moyres takes all reasonable, technical, and organisational measures to protect your personal information against loss, damage, unauthorised access, disclosure, or destruction (POPIA Section 19 — Security Safeguards).

Despite all reasonable precautions, no data transmission over the internet is 100% secure. In the event of a security breach that poses a risk to your rights and freedoms, Moyres will notify you and the Information Regulator as required by POPIA Section 22.

In accordance with Section 14 of POPIA, we will not retain your personal information longer than is necessary for the purpose for which it was collected, or as required by law.

Moyres respects your inbox. We will never send unsolicited marketing emails. Marketing communications are sent only to users who have explicitly opted in during registration by ticking the following unchecked-by-default consent checkbox:

“I agree to receive promotional emails from Moyres Guest Farm about special offers, upcoming events, and updates. You may unsubscribe at any time.”

You may withdraw your marketing consent at any time by:

• Clicking the Unsubscribe link included in the footer of every marketing email.
• Updating your preferences in your Moyres account dashboard.
• Emailing us at moyresgh@moyanga.co.za with the subject line “Unsubscribe Request”.

Withdrawal of marketing consent will be actioned within 3 business days and will not affect your ability to continue using the Moyres website or to receive essential service communications (e.g., booking confirmations).

Moyres does not sell, rent, or trade your personal information to any third party. We may share your personal information only in the following limited circumstances:

• Operators (Service Providers): We use third-party service providers (“Operators” under POPIA) who process your data on our behalf under written data processing mandates:

  Cloudflare Inc.	Database hosting (D1), CDN, and Pages Functions execution.
  Resend	Transactional and marketing email delivery.
  Google LLC	Authentication (OAuth 2.0), People API (birthday), Analytics (GA4), Tag Manager (GTM), and Maps Embed API.
  RoomRaccoon	Property Management System for guest house bookings (independent controller for booking data).
  n8n	Marketing automation workflow engine.

• Legal Requirements: Where we are required by law, court order, or government authority to disclose information.
• Business Transfers: In the event of a merger, acquisition, or sale of all or part of our business assets, your personal information may be transferred to the successor entity, subject to equivalent privacy protections.

The Moyres website uses cookies and similar tracking technologies to enhance functionality and analyse website traffic. By continuing to browse the website, you consent to the use of cookies as described below.

You may disable non-essential cookies at any time through your browser settings. Note that disabling cookies may affect the functionality of certain features on this website.

Under the Protection of Personal Information Act, you have the following rights as a data subject. To exercise any of these rights, contact us at moyresgh@moyanga.co.za with the subject line “POPIA Request — [Right You Are Exercising]”. We will respond within 30 days of receipt.

• Right of Access (Section 23): You have the right to request confirmation of whether Moyres holds your personal information, and to request a copy of that information.
• Right to Correction (Section 24): You have the right to request that we correct, update, or complete inaccurate or incomplete personal information we hold about you.
• Right to Deletion (Section 24): You have the right to request that we delete your personal information where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent. Deletions are completed within 30 days and cannot be reversed.
• Right to Object (Section 11(3)): You have the right to object to the processing of your personal information for direct marketing purposes at any time. We will comply without requiring justification.
• Right to Complain (Section 74): If you believe your privacy rights have been violated, you have the right to lodge a complaint with the South African Information Regulator (see Section 14 of this policy).

The Moyres website and its services are not directed at persons under the age of 18. We do not knowingly collect personal information from children under 18. Processing of a child's personal information (as defined in Section 34 of POPIA) requires the consent of a competent person (parent or legal guardian).

If you believe that a child under 18 has submitted personal information to us without parental consent, please contact us immediately at moyresgh@moyanga.co.za. We will delete the information promptly.

Some of our Operators (Cloudflare, Google, Resend) may store or process your personal information outside of the Republic of South Africa. In terms of Section 72 of POPIA, personal information may only be transferred to a foreign country if that country provides an adequate level of protection, or if the recipient is bound by enforceable data protection obligations equivalent to those required by POPIA.

All cross-border transfers made by Moyres are conducted under the following safeguards:

• Cloudflare Inc. operates under the EU-U.S. Data Privacy Framework and maintains SOC 2 Type II certification.
• Google LLC operates under the EU-U.S. Data Privacy Framework and is bound by its Data Processing Addendum applicable to its services.
• Resend maintains SOC 2 Type II compliance for transactional email processing.

If you are not satisfied with how Moyres has handled your personal information or a privacy rights request, you may lodge a complaint with the South African Information Regulator:

We encourage you to contact us first at moyresgh@moyanga.co.za so that we may resolve your concern directly before escalating to the Regulator.

Moyres reserves the right to update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will:

• Update the Effective Date and Version Number at the top of this page.
• Send an email notification to registered users with a marketing opt-in on file (where the change is material to their rights).
• Display a prominent notice on the Moyres website for a period of no less than 30 days following a material change.

Continued use of the Moyres website after the effective date of a revised policy constitutes your acceptance of the updated terms to the extent permitted by applicable law.

For all privacy-related queries, POPIA rights requests, or data protection concerns, please contact the Responsible Party directly: