1. Overview & Commitment
NowNow Services (Pty) Ltd ("NowNow", "we", "us") is committed to protecting your personal information and respecting your right to privacy as enshrined in the Constitution of the Republic of South Africa and the Protection of Personal Information Act 4 of 2013 (POPIA).
This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have regarding your data. It applies to all Users of the NowNow platform, including Customers, Service Providers, website visitors, and anyone who communicates with us.
2. Responsible Party
Under POPIA, the Responsible Party (the entity that determines the purpose and means of processing your personal information) is:
- Name: NowNow Services (Pty) Ltd
- Registration: 2026/000001/07
- Address: 42 Rivonia Road, Sandton, Johannesburg, Gauteng, 2196, South Africa
- Information Officer: See Section 15
3. Information We Collect
3.1 Information you provide directly
| Category | Data Collected | Who |
|---|---|---|
| Account registration | Full name, email address, mobile phone number, password (hashed), city, suburb/area | All Users |
| Provider onboarding | South African ID number or passport number, SAPS criminal record certificate, trade qualifications and certificates, profile photo, service areas, bank account details (for payouts) | Providers |
| Booking information | Service address, description of work required, preferred date and time, access instructions, photos of the job (optional) | Customers |
| Payment information | Card details are processed by Stitch Express — NowNow does not store your card number. We retain transaction records (amount, date, reference number, payment status). | Customers |
| Communications | Messages sent through the platform, support tickets, emails, and phone interactions. | All Users |
| Reviews & ratings | Star ratings, written reviews, and any photos attached to reviews. | Customers |
3.2 Information collected automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Device & browser | Device type, operating system, browser type and version, screen resolution, language preference | Platform optimisation, debugging |
| Location data | GPS coordinates (when permitted by you), IP-based approximate location | Matching with nearby Providers, real-time tracking during active Bookings, SOS/safety features |
| Usage data | Pages visited, features used, time spent on pages, search queries, booking patterns | Service improvement, analytics |
| Push notification tokens | Device push tokens for Web Push notifications | Sending booking updates, job alerts, and important notifications |
3.3 Information from third parties
We may receive information from SAPS or authorised verification services (criminal record check results), payment processors (transaction confirmation from Stitch Express), and publicly available professional registers (e.g., PIRB for plumbers, ECSA for electricians) to verify Provider qualifications.
4. How We Use Your Information
We use your personal information for the following purposes:
- Platform operation: Creating and managing accounts, processing bookings, matching Customers with Providers, processing payments and payouts, communicating booking updates via push notifications and SMS.
- Safety and trust: Verifying Provider identities and criminal records, enabling real-time tracking and SOS features during active bookings, investigating incidents and disputes, maintaining review and rating integrity.
- Quality improvement: Analysing service patterns and feedback to improve the platform, developing new features and service categories, training and quality assurance.
- Legal compliance: Complying with POPIA, the CPA, SARS requirements, and other applicable South African legislation, responding to lawful requests from law enforcement or regulatory authorities.
- Communication: Sending service-related notifications (booking confirmations, reminders, payment receipts), sending marketing communications (only with your consent, and you can opt out at any time).
5. Legal Basis for Processing (POPIA Section 11)
Under POPIA, we must have a lawful basis for processing your personal information. We rely on the following:
| Lawful Basis | What It Covers |
|---|---|
| Consent (s11(1)(a)) |
Marketing communications, location tracking when not during an active booking, push notification preferences, optional profile photos and information. |
| Contract performance (s11(1)(b)) |
Account creation and management, booking processing and payment, Provider-Customer matching and communication, payout processing for Providers. |
| Legal obligation (s11(1)(c)) |
Tax reporting (SARS), criminal record verification, responding to court orders or law enforcement requests, record-keeping as required by the Companies Act and ECT Act. |
| Legitimate interest (s11(1)(f)) |
Fraud prevention and platform security, service quality monitoring and improvement, anonymised analytics and market research, dispute resolution and investigation. |
6. Who We Share Data With
6.1 Necessary sharing for service delivery
- Between Customers and Providers: When a Booking is confirmed, we share the Customer's first name, service address, and booking details with the assigned Provider. We share the Provider's name, profile photo, rating, and real-time location (during active bookings) with the Customer. We do not share surnames, email addresses, phone numbers, or ID numbers between parties — all communication happens through the Platform.
- Payment processor: Stitch Express (Pty) Ltd processes card payments. Stitch Express's privacy policy governs their handling of your payment data.
- SMS provider: We use Africa's Talking Ltd to deliver SMS notifications. Only your phone number and the message content are shared, solely for delivery purposes.
6.2 Other sharing
- Law enforcement: We will disclose personal information when required by law, court order, or when we believe in good faith that disclosure is necessary to protect safety, prevent fraud, or comply with legal obligations.
- Professional advisors: Auditors, lawyers, and accountants who are bound by confidentiality obligations.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer.
- Anonymised data: We may share aggregated, anonymised data (that cannot identify you) with business partners, investors, or for research purposes.
7. Special Personal Information
POPIA defines "special personal information" as data relating to race, ethnicity, religious beliefs, political persuasion, health, sexual orientation, biometric data, criminal behaviour, and trade union membership. NowNow's handling of such data:
- Criminal records: We process SAPS criminal record certificates for Provider vetting as permitted under POPIA s27 (substantial public interest — safety of persons entering private homes). These records are stored securely and access is restricted to authorised personnel.
- Biometric data: If facial recognition is used for on-arrival Provider verification, this constitutes biometric data under POPIA. Processing is based on explicit consent from the Provider during onboarding. You may withdraw consent, which may affect your ability to accept certain Bookings.
- We do not process data relating to race, ethnicity, religion, political beliefs, health, sexual orientation, or trade union membership.
8. Data Retention
We retain your personal information only for as long as necessary for the purposes described in this Policy, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 2 years | Service continuity, dispute resolution |
| Booking records | 5 years from completion | CPA warranty periods, tax records (SARS) |
| Payment records | 5 years | SARS requirements, financial auditing |
| Criminal record certificates | Duration of Provider account + 1 year | Ongoing vetting compliance |
| Communications & support tickets | 3 years | Dispute resolution, quality improvement |
| Location data (GPS logs) | 90 days | Safety investigations, dispute evidence |
| Usage analytics | Anonymised after 12 months | Service improvement |
| Marketing consent records | Duration of consent + 1 year | Proof of consent compliance |
When data is no longer needed, it is either securely deleted or irreversibly anonymised so that it can no longer be linked to you.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction, including:
- Encryption: All data in transit is encrypted using TLS 1.2+ (HTTPS). Sensitive data at rest (passwords, criminal records, ID numbers) is encrypted using industry-standard algorithms. Passwords are hashed using bcrypt — we cannot see your password.
- Access control: Staff access to personal information is restricted on a need-to-know basis. Administrative access requires multi-factor authentication.
- Infrastructure: Our servers are hosted in South African data centres (ensuring data sovereignty) with enterprise-grade physical and network security.
- Monitoring: We monitor for security incidents and have an incident response plan in place.
- Payment security: We do not store card numbers. All payment processing is handled by Stitch Express, which is PCI-DSS compliant.
While we take all reasonable steps to protect your data, no system is completely secure. In the event of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required by POPIA s22 without unreasonable delay.
10. Your Rights Under POPIA
As a data subject, you have the following rights under POPIA:
| Right | Description | How to Exercise |
|---|---|---|
| Access (s23) |
You can request confirmation of whether we hold your personal information and request a copy of it. | Email privacy@nownow.co.za |
| Correction (s24) |
You can request that inaccurate or incomplete personal information be corrected or updated. | Update in-app, or email us |
| Deletion (s24) |
You can request that we delete your personal information where it is no longer necessary, or where you withdraw consent. Subject to legal retention requirements. | Email privacy@nownow.co.za |
| Object to processing (s11(3)) |
You can object to processing of your personal information for direct marketing or where processing is based on legitimate interest. | Unsubscribe links, or email us |
| Withdraw consent | Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of prior processing. | In-app settings, or email us |
| Complaint (s74) |
You have the right to lodge a complaint with the Information Regulator if you believe your rights have been violated. | See Section 15 |
We will respond to all data subject requests within 30 days, as required by POPIA. We may ask you to verify your identity before processing your request. There is no fee for exercising your rights, unless the request is manifestly unfounded or excessive.
11. Cookies & Tracking
NowNow uses limited local storage and cookies for the following purposes:
- Essential (always active): Authentication tokens (keeping you logged in), CSRF protection, session management, PWA install preferences.
- Functional: Language preferences, theme settings, recently viewed services.
- Analytics (with consent): Anonymised usage analytics to understand how Users interact with the Platform. We do not use third-party tracking cookies or advertising cookies.
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Platform from functioning correctly.
12. Children's Privacy
The NowNow Platform is not intended for use by children under the age of 18. We do not knowingly collect personal information from children. Under POPIA s35, processing of children's personal information requires consent from a competent person (parent or guardian). If we discover that we have inadvertently collected personal information from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@nownow.co.za.
13. Cross-Border Data Transfers
NowNow primarily stores and processes your data within the Republic of South Africa using South African data centre infrastructure. In limited circumstances, data may be transferred outside South Africa:
- Push notification delivery (to device platform servers operated by Google or Apple).
- SMS delivery infrastructure (Africa's Talking servers).
- Email delivery services.
Any cross-border transfer complies with POPIA s72, which requires that the recipient country has adequate data protection laws, or that the transfer is necessary for the performance of a contract, or that you have consented to the transfer. We ensure that appropriate safeguards (such as contractual clauses) are in place to protect your data during any cross-border transfer.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you via email, in-app notification, or prominent notice on the Platform at least 14 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was most recently revised.
15. Contact & Information Officer
If you have questions about this Privacy Policy, want to exercise your rights, or need to report a data privacy concern, please contact us:
Information Officer (POPIA)
- Name: Marius Divaris
- Email: privacy@nownow.co.za
- Phone: 0800 669 669 (0800 NOW NOW)
- Address: NowNow Services (Pty) Ltd, 42 Rivonia Road, Sandton, Johannesburg, Gauteng, 2196, South Africa
General support
- Email: support@nownow.co.za
Information Regulator (South Africa)
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with:
- The Information Regulator
- JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- P.O. Box 31533, Braamfontein, Johannesburg, 2017
- Email: complaints.IR@justice.gov.za
- Tel: 010 023 5207
- Website: https://inforegulator.org.za