Data Processing Agreement

Last updated: 4 May 2026

1. Introduction and Parties

This Data Processing Agreement ("DPA") forms part of the agreement between GHM Suite ("Operator", "we", "us") and you, the guest house owner or operator using the GHM Suite platform ("Responsible Party", "you").

This DPA is entered into in accordance with section 20 and related provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa, which requires that operators who process personal information on behalf of responsible parties do so under a written authorisation or agreement.

By using GHM Suite, you agree to the terms of this DPA. This DPA is supplemental to our Terms & Conditions and Privacy Policy, which also apply.

2. Definitions

  • "Personal Information" — as defined in POPIA: information relating to an identifiable, living natural person, including name, contact details, ID status, booking history, and similar data.
  • "Responsible Party" — you, the guest house owner or operator who determines the purpose and means of processing personal information about your guests through GHM Suite.
  • "Operator" — GHM Suite, which processes personal information on behalf of the Responsible Party, under the Responsible Party's instruction.
  • "Processing" — any activity relating to personal information, including collection, storage, retrieval, updating, sharing, destruction, and all related operations.
  • "Data Subject" — any identifiable person whose personal information is processed, including your guests.

3. Roles and Responsibilities

3.1 Responsible Party (You)

As the Responsible Party, you:

  • Determine the purpose for which guest personal information is collected and used
  • Are responsible for ensuring you have a lawful basis (including consent where required) for collecting and processing your guests' personal information
  • Are responsible for your own POPIA compliance as a responsible party
  • Must inform your guests that their information is stored and managed using GHM Suite
  • Must comply with all applicable South African data protection laws
  • Are responsible for responding to data subject rights requests from your guests

3.2 Operator (GHM Suite)

As the Operator, GHM Suite:

  • Processes personal information only as instructed by you and only for the purpose of providing the GHM Suite service
  • Does not use your guests' personal information for any other purpose, including our own marketing
  • Implements appropriate technical and organisational security measures to protect personal information
  • Will not disclose personal information to any third party except as described in our Privacy Policy (e.g. to our hosting provider Supabase) or as required by law
  • Will assist you, where reasonably possible, in responding to data subject requests from your guests
  • Will notify you of any confirmed or suspected data breach that involves your guests' personal information, as soon as reasonably possible
  • Will delete or return your data on termination of the service, as described in section 7

4. Authorisation to Process

You hereby authorise GHM Suite to process personal information relating to your guests and your guest house operations for the following purposes:

  • Storing and displaying booking records, guest profiles, and room data within the GHM Suite platform for your use
  • Importing booking events from third-party iCal calendar feeds that you connect (Airbnb, Booking.com, LekkeSlaap)
  • Enabling you to compose and send WhatsApp messages to your guests using the platform's messaging tools
  • Generating reports and analytics for your own business management purposes
  • Maintaining the technical infrastructure necessary to deliver these services securely

GHM Suite will not process your guests' personal information for any purpose outside of the above without your explicit instruction.

5. Security Measures

GHM Suite implements the following security measures to protect personal information:

  • Row-level security (RLS) — database-level access controls ensuring only your account can access your data
  • Encryption in transit — all data is transmitted over HTTPS/TLS
  • Encryption at rest — data at rest is encrypted by our hosting provider (Supabase)
  • Authentication controls — secure email/password authentication with hashed password storage
  • Access control — staff access to customer data is restricted on a need-to-know basis

We acknowledge that no system can guarantee absolute security and we cannot be held liable for breaches that occur despite these measures, subject to the limitations set out in our Terms & Conditions.

6. Sub-Operators

GHM Suite uses the following sub-operators to deliver the service. By agreeing to this DPA, you authorise GHM Suite to engage these sub-operators:

| Sub-Operator | Role | Data Location |
| --- | --- | --- |
| Supabase, Inc. | Database hosting, authentication, and edge functions. All personal information is stored on Supabase infrastructure. | EU / US (varies by region configuration) |
| Payment Processor | Processing subscription payments. Receives only your billing details — not your guests' data. | South Africa / International |

GHM Suite will inform you of any change to the above list of sub-operators that materially affects the processing of your guests' personal information by updating this DPA and notifying you by email.

7. Data Retention and Return on Termination

GHM Suite will retain personal information for as long as your account is active or as necessary to provide the service. Upon termination of your account:

  • Your personal information and your guests' personal information will be deleted within 30 days of a confirmed account deletion request
  • You may request an export of your data before deletion by emailing info@ghmsuite.co.za
  • Financial records (subscription history) may be retained for up to 5 years to comply with South African tax and accounting laws

8. Cross-Border Transfers

Personal information stored in GHM Suite may be transferred to and hosted in countries outside South Africa (specifically by Supabase, as noted in section 6). GHM Suite takes reasonable steps to ensure that any cross-border transfer of personal information is protected to a standard equivalent to POPIA, including by relying on Supabase's own data processing agreements and Standard Contractual Clauses where applicable.

9. Data Breach Notification

In the event that GHM Suite becomes aware of a confirmed or suspected breach of security involving your guests' personal information, we will:

  • Notify you by email as soon as reasonably possible
  • Provide details of the nature of the breach, the data affected, and the steps we are taking to address it
  • Cooperate with you to mitigate any harm to affected data subjects
  • Notify the Information Regulator of South Africa as required under POPIA section 22

You, as the Responsible Party, are responsible for deciding whether and how to notify your affected guests, in compliance with your own obligations under POPIA.

10. Assistance with Data Subject Rights

Where a data subject (e.g. one of your guests) contacts GHM Suite directly to exercise their rights under POPIA (access, correction, deletion, objection), we will redirect them to you as the Responsible Party, since their rights in relation to that data must be exercised with you.

Where technically feasible and within our control, GHM Suite will assist you in responding to data subject requests (e.g. by providing data extracts or confirming deletion). Requests for such assistance should be sent to info@ghmsuite.co.za.

11. Audit Rights

You have the right to request, at most once per year and with reasonable notice, information demonstrating GHM Suite's compliance with this DPA. GHM Suite will respond to such requests in writing within 30 days.

12. Duration and Termination

This DPA takes effect when you first use GHM Suite and remains in force for as long as GHM Suite processes personal information on your behalf. It terminates automatically when your account is deleted and all personal information has been removed in accordance with section 7.

13. Governing Law

This DPA is governed by the laws of the Republic of South Africa, including POPIA. Any disputes arising from this DPA shall be subject to the jurisdiction of the South African courts.

14. Contact

For any questions regarding this DPA, data processing practices, or to make a data-related request, please contact:

GHM Suite
Email: info@ghmsuite.co.za
Website: ghmsuite.co.za

You may also lodge a complaint with the Information Regulator of South Africa at justice.gov.za/inforeg.