PRIVACY

Privacy Policy

Version 2.0 · Last updated: June 29, 2026

This policy explains how we handle personal data when you use Tafika Booking as a Guest, Supplier, or visitor.

Data controller: Digital Africa Limited (operating Tafika Booking), Republic of Malawi.

1. Who we are

Tafika Booking is operated by Digital Africa Limited, a company registered in the Republic of Malawi. We provide a technology platform connecting Guests with accommodation Suppliers.

For privacy enquiries: privacy@tafika.co · General support: tafika.co/support

2. Information we collect

2.1 Guests

When you browse, create an account, or make a booking, we may collect:

  • identity and contact details (name, email, phone number);
  • account credentials (password is stored securely; we do not store full payment card numbers);
  • booking details (dates, property, room type, guests, special requests);
  • payment references and transaction status (processed by payment providers);
  • communications with us (support messages, WhatsApp or email where you contact us); and
  • technical data (IP address, device/browser type, log data, cookies or similar technologies where used).
2.2 Suppliers (property partners)

When you register or list a property, we may additionally collect:

  • business and property details (names, addresses, descriptions, amenities, policies);
  • listing content (photos, logos, rates);
  • staff and authorised user accounts;
  • billing, tax, and settlement information where applicable; and
  • operational data (availability, bookings, reception activity, analytics).
2.3 Payment data

Card and mobile-money payments are processed by third-party payment providers (including Stripe for cards and Paychangu for TNM Mpamba, and direct integrations such as Airtel Money where enabled). Those providers handle payment credentials under their own terms and security standards. We receive payment status, references, and limited transaction metadata needed to operate bookings and ledgers.

3. How we use your information

We use personal data to:

  • create and manage accounts;
  • process bookings, confirmations, cancellations, refunds, and payments;
  • enable communication between Guests and Suppliers (including sharing booking details with Suppliers when needed to fulfil or evaluate a reservation);
  • send operational messages — booking confirmations, request updates, security alerts, account notices — via email, SMS, WhatsApp, or in-app notifications;
  • provide platform features (dashboards, reception tools, invoicing, analytics for Suppliers);
  • prevent fraud, abuse, and platform misuse;
  • improve and secure the Platform; and
  • comply with legal, regulatory, tax, and accounting obligations.

Marketing: We may send promotional messages about Tafika where permitted by law and, where required, with your consent. You can opt out of marketing emails using the unsubscribe link or by contacting us. Operational booking messages are not marketing and may still be sent when you have an active booking or account.

We do not sell your personal data to third parties.

4. How we share your information

4.1 With Suppliers

We share Guest information with the relevant Supplier so they can manage bookings and provide accommodation services. This typically includes name, contact details, stay dates, room type, guest count, and booking reference. For Property Confirmation requests, we may share necessary details before approval so the Supplier can accept or decline. Suppliers must use Guest data only for booking fulfilment and related communications, as described in the Supplier Agreement and applicable law — not for unrelated marketing without a lawful basis.

4.2 With service providers

We use trusted providers who process data on our behalf, including for:

  • Hosting and infrastructure — to run the Platform;
  • Payment processing — Stripe, Paychangu, and mobile-money integrations;
  • Messaging — email, SMS, and WhatsApp delivery (e.g. via providers such as Twilio);
  • Analytics and security — to monitor performance and protect the Platform; and
  • Professional services — legal, accounting, or audit where necessary.

These providers are required to handle data securely and only for the purposes we specify.

4.3 Other disclosures

We may disclose information where required by law, to protect our rights or users, to prevent fraud or abuse, or in connection with a merger, acquisition, or asset sale (with appropriate safeguards).

5. International transfers

Tafika operates from Malawi. Some service providers may process data in other countries. Where data is transferred across borders, we take steps to ensure it is protected in line with this policy and applicable law, including contractual safeguards where appropriate.

6. Legal bases for processing

We process personal data where: (a) necessary to perform our contract with you (e.g. managing bookings and accounts); (b) necessary to comply with legal obligations; (c) necessary for our legitimate interests in operating, securing, and improving the Platform (balanced against your rights); or (d) based on your consent where required (e.g. certain marketing). You may withdraw consent where processing is consent-based, without affecting lawfulness of prior processing.

7. Data retention and security

We retain booking, account, payment, and invoicing records for as long as needed to provide services, resolve disputes, enforce agreements, and meet legal and regulatory requirements (including tax and audit). Retention periods vary by data type; when data is no longer required, we delete or anonymise it where feasible.

We use technical and organisational measures to protect information from unauthorised access, loss, or misuse. No system is completely secure; you are responsible for keeping your password confidential and notifying us of suspected unauthorised access.

8. Your rights

Depending on applicable law (including Malawi’s data protection framework), you may have rights to:

  • access a copy of your personal data;
  • correct inaccurate data;
  • request deletion or restriction of processing in certain circumstances;
  • object to certain processing based on legitimate interests;
  • withdraw consent where processing is consent-based; and
  • lodge a complaint with a supervisory authority where applicable.

To exercise your rights, use your account settings where available or email privacy@tafika.co. We will respond within a reasonable timeframe and may need to verify your identity. Some requests may be limited where we must retain data for legal or operational reasons.

9. Cookies and similar technologies

We use cookies and similar technologies where necessary for Platform operation (such as session management and security) and, where enabled, to understand usage and improve services. You can control cookies through your browser settings; disabling essential cookies may affect Platform functionality.

10. Children

The Platform is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected a child’s data, contact us at privacy@tafika.co and we will take appropriate steps to delete it.

11. Updates to this policy

We may update this Privacy Policy to reflect changes to our practices, the Platform, or legal requirements. Material changes will be indicated by updating the version and “Last updated” date, and where appropriate by notice on the Platform or by email. Continued use after the effective date constitutes acknowledgment of the updated policy where permitted by law.

12. Contact

Privacy enquiries: privacy@tafika.co
Legal enquiries: legal@tafika.co
Support: tafika.co/support
Controller: Digital Africa Limited, Republic of Malawi

© 2026 Tafika Booking · Operated by Digital Africa Limited · Terms of Service · Supplier Agreement