Privacy Policy
Compano is a South African information society service. This notice explains how we collect, use, store, and disclose your personal information under the Protection of Personal Information Act, 2013 (POPIA). By using the Service you confirm you are 18 or older.
Information we collect
- Account data: email address, hashed password, two-factor authentication seed (when enabled), and audit-log entries for security-relevant actions.
- Profile data: for Companions only - display name, city/suburb, age, demographic attributes, photos, rates and availability.
- Verification data: identity documents and selfie verification, retained encrypted and accessed only by authorised reviewers.
- Reviews & messages: content you submit, plus metadata (timestamps, recipient, moderation state). Direct messages are encrypted at rest and hard-deleted 7 days after they are sent (see the Retention section).
- Billing data: PayFast payment-token references for VIP and Companion paid features. Compano does not store card numbers.
- Technical data: IP address, user agent, and rate-limit counters. Used only to defend the Service against abuse.
How we use it
We use your information to operate the Service: to authenticate you, render the directory and messaging features, process payments, prevent fraud, comply with the law, and respond to support enquiries. We do not sell personal information. We do not target you with third-party advertising.
Lawful basis
We rely on the lawful bases set out in section 11 of POPIA: your consent (account registration, marketing emails); performance of a contract (running the Service for paying Members); compliance with a legal obligation (tax, anti-money-laundering); and the legitimate interests of Compano and other Members (fraud prevention, safety, security).
Retention
- Account data: until you close the account, then 30 days.
- Audit logs: 12 months for security investigations, then aggregated.
- Verification data: 24 months after the Companion deactivates.
- Messages: hard-deleted 7 days after they are sent, including any photo attachments. We do not retain message bodies, attachments, or recency metadata (per-conversation last-message timestamp) beyond that window. Conversation rows themselves persist so blocks survive across re-engagement, but they carry no message content once the window has elapsed.
- Billing references: as required by tax law (currently 5 years under SARS rules).
Disclosure
We disclose personal information only to: our hosting and email infrastructure providers under contractual confidentiality; PayFast for payment processing; and lawful authorities under a valid order. We do not transfer personal information outside South Africa except where the receiving party offers an adequate level of protection or you have explicitly consented.
Cookies & similar technologies
Compano uses strictly necessary first-party cookies for session management, age-gate confirmation, and CSRF protection. With your opt-in consent we additionally load Plausible Analytics, a privacy-respecting analytics platform that does not track individuals or share data with third parties. You can change your consent any time via the cookie banner that appears on first visit. We do not embed advertising pixels.
Your rights
Under POPIA you have the right to: access the personal information we hold about you; correct any inaccurate or out-of-date information; request deletion of your data; receive a portable export; object to direct marketing; and withdraw consent at any time. Self-service tools cover most of these:
- Download a copy of your data at /api/me/export.
- Edit or correct account and profile fields from the dashboard.
- Close your account from the dashboard; deletion completes within 30 days.
- For anything else, lodge a request via the POPIA request form. We respond within the 14-day SLA mandated by POPIA.
Information regulator
You have the right to lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za). We would prefer the chance to address any concern first; our contact details follow.
Security
Personal information is encrypted in transit (TLS) and at rest. Direct messages use end-to-end-style encryption with keys derived from your account. Photos served through our image proxy strip EXIF metadata (including GPS) before delivery.
Children
The Service is for adults only (18+). We do not knowingly process the personal information of children. If you believe a minor has registered, contact us immediately and we will close the account and purge the data.
Contact
Information Officer: privacy@compano.co.za. For data-subject requests please use the POPIA request form.
See also the POPIA / data rights overview.