Privacy Policy
1. Who we are
Quest Portal is operated by Tuffle (Pty) Ltd, a South African company. For the purposes of POPIA, Tuffle is the responsible party for personal information processed on the platform.
2. What we collect
The categories of personal information we collect depend on how you use the platform:
Account information
- Name, email address, password (stored as a one-way hash, never in plain text).
- Phone number (optional for adventurers, required for vendors and organizers).
- Role (adventurer, vendor, organizer, admin) and account creation date.
Activity information
- Events you attend, applications you submit, tickets you buy or hold, vendor stamps you collect.
- Messages you send through the in-app messaging surfaces.
- Server log entries: IP address, browser type, request paths, timestamps. Retained for security and abuse prevention.
Acquisition information
- If you arrived via a marketing link with UTM parameters or a referral code, we record that source against your sign-up so we can measure which channels work. Stored against the session, not a long-lived tracking cookie.
Financial information
- For ticket purchases: the order amount, status, and an opaque reference returned by our payment provider. We do not store your card details — the payment provider handles them under PCI DSS.
Consent records
- The time and version of every Terms, Privacy, and marketing-opt-in choice you make. POPIA requires us to keep this evidence.
3. Why we collect it
We process personal information on the following lawful bases under POPIA section 11:
- Performance of a contract: creating your account, processing ticket orders, delivering vendor applications to organizers.
- Legitimate interest: preventing fraud, securing the platform, measuring acquisition channels, and improving the service.
- Consent: sending you marketing emails (you can opt out at any time without affecting your account).
- Legal obligation: retaining financial records for tax and audit purposes (SARS requires at least 5 years).
4. How we use your data
- To run your account and the events you participate in.
- To send transactional emails (order confirmations, password resets, ticket transfers, event announcements you opted into by following an organizer).
- To send marketing emails only if you have opted in. You can withdraw this consent at any time on your account page.
- To investigate fraud, abuse, or breach of our Terms.
- To produce aggregated, non-identifying analytics for the platform's own decision-making.
5. When we share data
We share personal information only in these situations:
- With organizers, when you apply as a vendor or buy a ticket to their event — they receive the information they need to admit you, contact you about the event, and run their gate.
- With our payment provider, to process card transactions. The provider is the operator of personal information for the duration of that transaction.
- With our email and push provider, to deliver transactional and (with consent) marketing messages.
- With law enforcement or regulators, where we are legally compelled to do so.
We do not sell your personal information. We do not share it with third-party advertisers.
6. How long we keep it
- Account information: for as long as your account is active.
- After account deletion: we anonymise your name, email, and phone in place. We keep order numbers and amounts because tax and dispute rules require it (typically 5 years from the transaction date).
- Server logs: 90 days, then automatically purged.
- Consent records: for as long as your account exists, plus the legally required retention window after deletion. POPIA section 23(2) lets us keep these for accountability.
7. Your rights under POPIA
You have the right, at any time, to:
- Access the personal information we hold about you, in a portable form.
- Correct information that is wrong or out of date.
- Withdraw consent for marketing communication at any time.
- Request deletion of your account, subject to the legal retention windows described above.
- Object to processing for direct marketing.
- Lodge a complaint with the Information Regulator (South Africa).
8. How to exercise your rights
Most rights are self-service:
- Access: use the “Download my data” button on your account page (adventurer, vendor, or organizer).
- Correction: edit your profile from your account page, or contact support if a field is locked.
- Marketing opt-out: toggle marketing emails off on your account page.
- Deletion: contact support — account deletion is irreversible and requires identity verification. Organizers must transfer or cancel any active events first.
If you cannot exercise a right through the platform itself, contact our Information Officer using the details below. We will respond within 30 days.
9. Security
- All traffic to and from the platform is served over TLS.
- Passwords are stored as bcrypt hashes — never in plain text.
- Access to personal information by our team is restricted, audit-logged, and reviewed.
- We notify you and the Information Regulator without undue delay if we suffer a security compromise that affects your personal information.
10. Contact and complaints
For privacy questions, requests, or complaints, contact our Information Officer:
- Email: privacy@questportal.co.za
- WhatsApp: Message us on WhatsApp
- Postal: Tuffle (Pty) Ltd, c/o Information Officer, South Africa
You also have the right to complain directly to the Information Regulator of South Africa: inforegulator.org.za.
11. Changes to this policy
When we make material changes, we update the effective date at the top of this page and record a new policy version. Your continued use of Quest Portal after a change means you accept the updated policy. We keep a versioned consent record so you can verify which version was in effect when you agreed.