Skip to content
TransfersCOOXP · TransfersCO

Privacy & Cookie Policy

How we handle your personal information, your rights under South Africa’s POPIA and the EU’s GDPR, and the cookies we use.

Last updated: 12 July 2026

This policy explains how TransfersCO (Pty) Ltd (“TransfersCO”, “we”, “us”) collects, uses, shares and protects your personal information when you use our website, apps and booking services across 89 countries. We are committed to processing your information lawfully, fairly and transparently in line with the Protection of Personal Information Act, 2013 (POPIA) and, where it applies to you, the EU General Data Protection Regulation (GDPR).

Who we are

TransfersCO (Pty) Ltd is the responsible party (POPIA) / data controller (GDPR) for the personal information described here. We are a ground-transport and tours booking platform connecting travellers with vetted drivers, fleet partners and suppliers.

Our Information Officer / Data Protection Officer can be reached at dpo@transfersco.africa.

Note for publication: before this policy goes live, add TransfersCO’s registered company number and physical office address here — POPIA and the GDPR require the responsible party’s full identity and contact details.

Information we collect

We collect only what we need to quote, book and deliver your transfer, and to run and improve the platform:

  • Booking details — pickup and drop-off locations, dates and times, passenger numbers, luggage, flight numbers, vehicle class and special requests.
  • Contact & account details — name, email address, phone number, and (if you create one) account credentials.
  • Payment information — processed by our regulated payment providers. We receive confirmation of payment and limited transaction details; we do not store your full card number.
  • Communications — messages you send us by email, WhatsApp, SMS or in-app, and our replies.
  • Partner & driver information — for drivers, fleet, provider, agent and corporate partners, we also collect onboarding, verification (KYC), banking/payout and compliance details.
  • Device & usage data — IP address, device and browser type, pages viewed and interactions, collected via cookies and similar technologies (see Cookies & analytics).

We collect this information directly from you, from your use of our services, and from partners acting on your behalf (for example a travel agent or corporate account making a booking for you).

How & why we use it

We use your personal information for the following purposes, each with a lawful basis under POPIA and the GDPR:

  • To provide the service — quoting, booking, dispatching a driver, and supporting your trip. (Basis: performance of a contract.)
  • To communicate with you — booking confirmations, driver details, e-receipts, and service updates. (Basis: contract / legitimate interest.)
  • To take payment and keep records — billing, refunds, invoicing, tax and accounting. (Basis: contract / legal obligation.)
  • To operate, secure and improve the platform — fraud prevention, safety, troubleshooting and, where you have consented, analytics. (Basis: legitimate interest / consent.)
  • Marketing — we only send marketing communications where you have opted in, and you can unsubscribe at any time. (Basis: consent.)
  • To meet legal obligations — responding to lawful requests and complying with applicable law. (Basis: legal obligation.)

We do not use your personal information to make decisions that produce legal or similarly significant effects about you based solely on automated processing.

Cookies & analytics

Cookies (and similar technologies such as browser localStorage) let the site work and, with your consent, help us understand how it is used. When you first visit, we ask for your choice through a consent banner. Analytics cookies are off by default and are only set once you select “Accept analytics”. You can change your choice at any time using the “Cookie preferences” link in the footer.

Cookie / storageTypePurposeSet when
tco-consentEssentialRemembers your cookie choiceAlways
Session / authEssentialKeeps you signed in and secures the sessionWhen you sign in
_ga, _ga_<id>Analytics (Google Analytics 4)Measures usage so we can improve the serviceOnly after you accept analytics

We use Google Analytics 4 with Google Consent Mode. Until you accept, no analytics or advertising storage is used. Essential cookies are required for the site to function and cannot be switched off. You can also block or delete cookies in your browser settings, though some features may not work as intended.

Who we share it with

We share personal information only as needed to deliver the service, and with operators (processors) bound to protect it:

  • Drivers, fleet, provider and agent partners — the trip details required to fulfil your booking.
  • Payment providers — to process payments and refunds securely.
  • Communication providers — email, WhatsApp, SMS and push-notification services used to send booking updates.
  • Suppliers and distribution partners — where your booking is fulfilled through a connected supply channel.
  • Technology & accounting operators — our hosting, analytics and accounting/e-invoicing providers.
  • Authorities — where required by law, or to establish, exercise or defend legal claims.

We do not sell your personal information.

International transfers

Some of our operators are located outside South Africa or your country. Where we transfer personal information across borders, we do so in line with POPIA (section 72) and, for GDPR-covered data, Chapter V — relying on appropriate safeguards such as adequacy decisions, standard contractual clauses, or your consent, so your information remains protected.

How long we keep it

We keep personal information only for as long as necessary for the purposes above, and to meet legal, tax and accounting obligations (which for financial records is typically several years under applicable law). When it is no longer needed, we delete or anonymise it.

How we protect it

We use appropriate technical and organisational measures — including encryption in transit, access controls and least-privilege practices — to safeguard your information against loss, unauthorised access and misuse. If a security compromise affecting your personal information occurs, we will notify you and the relevant regulator as required by law. To report a vulnerability, see our security policy.

Your rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you;
  • Correct or update information that is inaccurate or incomplete;
  • Delete your information where there is no lawful reason for us to keep it;
  • Object to or restrict certain processing, including direct marketing;
  • Withdraw consent at any time (this does not affect processing already carried out);
  • Data portability — receive certain information in a portable format (GDPR).

To exercise any of these rights, email dpo@transfersco.africa. We will respond within the timeframes required by law.

If you are not satisfied, you may lodge a complaint with the Information Regulator (South Africa) (inforegulator.org.za) or, if the GDPR applies to you, your local EU data-protection authority.

Children

Our services are intended for adults. We do not knowingly collect personal information from children without the consent of a competent person. If you believe a child has provided us information without such consent, contact us so we can address it.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you. Please review it periodically.

Contact us

Questions or requests about privacy and your personal information: