Privacy Policy

How Verandah collects, uses and protects your personal information.

Last updated: 6 May 2026

1. Who we are

Verandah is a property operations management platform provided by Authentic Retreats (Pty) Ltd, a company registered in South Africa. In this policy, "Verandah", "we", "our" and "us" refer to Authentic Retreats (Pty) Ltd trading as Verandah.

If you have any questions about this policy or how we handle your information, contact us at hello@verandah.app.

2. Who this policy applies to

This policy applies to three groups of people:

• Visitors to the Verandah website (verandah.app / verandah.cloud).
• Customers — the hotels and lodges who license Verandah to operate their property.
• Guests and contacts of our customers, whose data is processed through the Verandah platform on behalf of the customer.

For guest and contact data, our customer (the hotel or lodge) is the data controller. We act as a data processor, handling that data only on the customer's instructions and for the purposes of providing the service.

3. What information we collect

From website visitors

• Information you provide when you contact us (name, email, phone number, company name, message content).
• Basic technical information via our hosting provider (IP address, browser type, pages visited). We do not use tracking cookies.

From customers (hotels and lodges)

• Account information (name, email, phone, role, property details).
• Billing information for paid subscriptions (processed via our payment provider — we do not store card numbers).
• Operational data entered into the platform (rosters, bookings, stock, maintenance logs, etc.).

From guests and contacts (via our customers)

Depending on which Verandah modules the customer uses, we process:

• Contact details (name, phone number, email address) provided to the hotel for the purposes of a stay, treatment, reservation or enquiry.
• Booking and reservation details (dates, room, treatment, activity, number of guests, special requests).
• Messages exchanged between the customer and their guests via WhatsApp, Facebook Messenger, Instagram Direct, email, or the guest portal.
• Payment references (we do not store full card numbers — payment data is tokenised by our payment provider).

4. Meta integrations (WhatsApp, Messenger, Instagram, Ads)

Verandah integrates with several Meta platforms — operated by Meta Platforms, Inc. — to allow our customers (hotels and lodges) to communicate with their guests and review their own paid-social performance from inside Verandah. These integrations are activated only when the customer explicitly connects their accounts in our settings.

Messaging — WhatsApp, Facebook Messenger, Instagram Direct

The Verandah Inbox supports incoming and outgoing messages on the WhatsApp Business Platform, Facebook Messenger and Instagram Direct Messages through Meta's official APIs. When a guest messages a business that uses Verandah, we receive:

• The message content (text, attachments, voice notes, location).
• The sender's display name and profile picture, where the platform makes these available.
• A platform identifier — phone number for WhatsApp, a Page-scoped ID for Facebook Messenger, an Instagram-scoped ID and (where available) the Instagram handle for Instagram DMs.
• Click-to-message advertising attribution data when the guest has reached the business via a Meta ad — limited to the source ad and campaign reference.

We store these messages so that the customer's staff can read, respond and keep a record of the conversation. We use this data only to facilitate communication between the guest and the business that the guest contacted — we do not use it for marketing, profiling, or any purpose outside that conversation, and we do not analyse it across customers. Messages are retained on behalf of the customer for as long as the customer maintains their Verandah account; the customer (or the guest, via the customer) may request deletion at any time.

Meta Ads (Sales & Marketing module)

If the customer connects their Meta ad account, the Verandah Sales & Marketing module reads aggregate performance data — campaign names, ad spend, impressions, reach, click counts and message-conversation counts — so the customer can review their own paid-social performance inside Verandah. No guest-level data leaves the customer's tenant, and we do not use ad data for any purpose other than displaying it back to the customer who owns the ad account.

Meta's own processing of these messages and ad data is governed by Meta's privacy policies — see whatsapp.com/legal/privacy-policy and facebook.com/privacy/policy.

5. How we use information

We use the information described above to:

• Provide and operate the Verandah platform.
• Respond to enquiries, process subscriptions and provide support.
• Send service-related communications (account notifications, security alerts, important product updates).
• Comply with legal obligations.
• Improve the product — always using aggregated or anonymised information where possible.

We do not sell personal information to third parties. We do not use personal information for automated decision-making or profiling.

6. Who we share information with

We share information only with carefully selected service providers who help us operate Verandah:

• Supabase — our database and authentication provider (data hosted in the EU).
• Vercel — our website and application hosting provider.
• Meta (WhatsApp Business Platform) — for WhatsApp message delivery.
• Peach Payments — for processing card payments on behalf of our customers.
• Email service providers — for transactional emails (order confirmations, password resets, etc.).

Each of these providers is contractually required to protect your information and use it only for the purposes we instruct. We do not share personal information with any third party for marketing purposes.

We may disclose information if required by law, court order, or to protect the rights, property or safety of Verandah, our customers or the public.

7. How long we keep information

• Website enquiries — retained for up to 24 months unless you ask us to delete sooner.
• Customer account and operational data — retained for the duration of the subscription and up to 12 months after cancellation, to allow for reactivation and legal record-keeping.
• Guest and contact data — retained on behalf of the customer for as long as the customer maintains their account, or until the customer instructs us to delete it.
• Billing records — retained for 7 years to meet South African tax and accounting obligations.

8. Your rights

Under the South African Protection of Personal Information Act (POPIA) and equivalent laws (including the GDPR where applicable), you have the right to:

• Access the personal information we hold about you.
• Ask us to correct information that is inaccurate or incomplete.
• Ask us to delete your information, subject to legal retention requirements.
• Object to how we process your information.
• Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, contact us at hello@verandah.app. If your data is held by us on behalf of one of our customers (a hotel or lodge), we will direct your request to them.

9. Security

We take reasonable technical and organisational measures to protect your information, including encrypted connections (TLS/HTTPS), database-level access controls, role-based permissions within the platform, and regular security reviews of our infrastructure.

No system is perfectly secure. If you believe your information has been compromised, please contact us immediately.

10. International transfers

Verandah is operated from South Africa, but some of our service providers (Supabase, Vercel, Meta) process data in the European Union, the United States and other regions. Where information is transferred internationally, we rely on contractual safeguards and the providers' own compliance frameworks to ensure a level of protection comparable to POPIA and the GDPR.

11. Children

Verandah is a business-to-business product and is not directed at children. We do not knowingly collect information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. When we do, we will change the "Last updated" date at the top of this page and, for significant changes, notify our customers directly.

13. Contact

Questions, requests or complaints? Write to us at hello@verandah.app or:

Authentic Retreats (Pty) Ltd
Port Alfred
Eastern Cape, South Africa