Privacy Policy.

This Privacy Policy explains how Alivo ("Alivo", "we", "us") collects, uses, shares, and protects personal information about customers, venue users, and website visitors. It applies to the alivo.live website, the Alivo app, and all related services.

Alivo acts as the Responsible Party under POPIA for most processing. Venues onboarded onto the platform act as Operators under POPIA s19 to s21 for specific processing on Alivo's instruction.

We collect the following categories of personal information:

• Identification: name, email address, mobile number, date of birth (for age verification).
• Payment information: card tokens and payment authorisation codes. We do NOT store card numbers, CVVs, or PINs. Card storage is handled by Paystack under PCI-DSS compliance.
• Order information: venue visited, items ordered, time, amount, tab history.
• Device and technical: device type, operating system, app version, IP address, approximate location while placing an order.
• Venue user information: business details, director details, licences, bank account for settlements, verification documents.
• Communications: support messages, dispute submissions, feedback.

We collect and process personal information for the following purposes:

• To create and manage your account.
• To process orders and payments.
• To confirm you are old enough to purchase age-restricted items.
• To prevent fraud, abuse, chargebacks, and money laundering.
• To comply with South African law, including POPIA, FICA, and Consumer Protection Act obligations.
• To resolve disputes between customers and venues.
• To improve the platform (aggregated, de-identified usage patterns).
• To communicate operational updates and service notices. Marketing communications are sent only with explicit opt-in consent.

We rely on the following lawful bases:

• Consent - for marketing communications and optional profile features.
• Contract performance - for order processing, payments, and tab management.
• Legal obligation - for tax, FICA, age-verification, and regulator compliance.
• Legitimate interest - for fraud prevention, platform security, and service improvement, balanced against your rights.

• We do not intentionally collect special personal information (health, religion, political views, biometrics).
• Alivo is not for anyone under 18. Customers must confirm they are 18 or older at signup.
• If we learn that we have collected information from a person under 18, we will delete it.

We share personal information only with parties who need it to deliver the service:

• Venues - limited to what is needed to fulfil your order (order items, table, tab amount). Venues do not see your full card details.
• Paystack - for payment processing, card tokenisation, chargeback handling.
• Supabase - for secure database hosting of account and order data.
• Push notification providers (Expo Push) - for operational notifications.
• South African authorities - where required by law (e.g., SARS, FIC, SAPS, Information Regulator).
• Professional advisers - lawyers, auditors, tax practitioners, bound by confidentiality.

We do not sell personal information. Ever.

Some of our service providers (for example Paystack infrastructure, Supabase hosting, Expo Push notifications) may process data outside South Africa. When that happens, we ensure that at least one of the POPIA s72 conditions is met, typically:

• The recipient is subject to a binding privacy regime substantially similar to POPIA, OR
• A binding contract requires the recipient to provide POPIA-equivalent protection, OR
• You have consented to the transfer, OR
• The transfer is necessary to perform a contract with you.

We keep a record of each cross-border transfer pathway and review it periodically.

• Customer account data - for as long as the account is active, plus up to 5 years after closure for tax, FICA, and dispute resolution.
• Order and transaction records - 5 years from the transaction date (tax and FICA).
• Venue onboarding documents - 5 years from end of the venue relationship (FICA).
• Communications and support - up to 2 years.
• Marketing consent records - for as long as the consent is active, plus 1 year.

When a retention period ends, we delete or de-identify the data unless a legal obligation requires longer retention.

• We use encryption in transit (HTTPS/TLS) for all connections to the app and the website.
• We do not store raw payment card data. Paystack handles card storage under PCI-DSS.
• Access to personal information inside Alivo is restricted on a need-to-know basis.
• Passwords are hashed. Sensitive tokens are stored in secure secrets stores.
• We have a documented breach-response process and notify the Information Regulator and affected data subjects where required under POPIA s22.

You have the following rights. We will respond within a reasonable time and without charge for ordinary requests:

• Access (s23): request a copy of the personal information we hold about you.
• Correction (s24): ask us to correct inaccurate information.
• Deletion (s24): ask us to delete information, subject to legal retention obligations.
• Objection (s11(3)): object to processing based on legitimate interest.
• Direct marketing opt-out (s69): unsubscribe at any time. Marketing is opt-in only.
• Complaint (s74): complain to the Information Regulator.

To exercise any right, email cobus.senekal@outlook.com with the subject "POPIA data subject request". Please include enough information for us to verify your identity.

If you are not satisfied with how we handle your personal information, you may complain to the Information Regulator of South Africa:

• The alivo.live website uses minimal cookies for session state and basic analytics.
• We do not use advertising trackers.
• The Alivo app does not use web cookies. It uses device identifiers and app tokens for authentication and push notifications.

When a customer places an order, the relevant venue processes limited personal information on Alivo's instruction as an Operator under POPIA s19 to s21. Each venue signs an operator agreement committing to:

• Process personal information only for the permitted purpose (fulfilling the order).
• Apply appropriate security safeguards.
• Not share customer data with third parties.
• Notify Alivo immediately of any security incident or data breach.

We may update this Privacy Policy from time to time. Material changes will be notified to account holders by email and via in-app notice. Continued use of the platform after a change means you accept the updated policy.

For any privacy question, contact: