1. Who we are
Yebo Yum (Pty) Ltd ("Yebo Yum", "we", "us") operates the Yebo Yum mobile application, partner application, website at yeboyum.co.za, and any related service (together, the "Services"). This Privacy Policy is published in line with section 18 of the Protection of Personal Information Act 4 of 2013 ("POPIA") and explains how we collect, use, store and share your personal information. Where a user is located in the European Economic Area, we apply equivalent protections under the General Data Protection Regulation ("GDPR").
Responsible Party: Yebo Yum (Pty) Ltd, registration number 2024/242332/07, registered office at 119 Beach Road, Mouille Point, Cape Town, 8005, South Africa.
Information Officer: Tyron Coomer, in his capacity as Director of Yebo Yum (Pty) Ltd, is the appointed Information Officer in terms of section 56(a) of POPIA. Contact: support@yeboyum.co.za.
2. Personal information we collect
2.1 Information you give us
- Identifying information — name, surname, profile picture (optional), email address, mobile phone number.
- Account credentials — your password is hashed and never stored in plain text.
- Payment information — card or bank-account details processed by our payment partner (Peach Payments). We do not store card numbers or CVVs; we hold transaction tokens only.
- Optional address information when collecting a Rescue Bag from a partner.
- Partner business details (partner accounts only) — business name, trading address, logo, and bank-account details for payouts. Bank details are stored encrypted and are accessible only via a restricted, audited internal function — never to other users.
- Yebo Jackpot free-route entries — full name, email, South African ID number or date of birth, and a physical address. This is collected only from entrants who choose to enter via the free-entry route under the Yebo Jackpot competition rules.
- Ratings, reviews and support correspondence — text and star ratings you leave about partners (shown publicly), and emails or chat messages you send to our support team.
2.2 Information collected automatically
- Device information — model, operating system, application version.
- Usage information — bag listings viewed, orders placed, screen interactions (aggregated, used to improve the Service).
- Location information — only if you grant permission, used to show partners near you. Location is not tracked in the background and is not stored server-side once you close the app.
- Push-notification tokens — if you opt in.
- Usage and diagnostic logs — anonymised request logs used for debugging and abuse prevention, kept for 90 days.
- Cookies and similar technologies on the website — see clause 8.
2.3 Information from third parties
- Partners may pass us information about your order collection (e.g., confirming that you collected the bag).
- Our payment processor confirms whether transactions succeeded.
2.4 Information we do not collect or store
We do not receive or store your full card number, CVV, or bank PIN — card payments are processed directly by Peach Payments. We do not collect your contacts, camera roll (beyond the single photo you choose to upload), health data, or advertising identifiers.
3. Why we process your personal information
We process personal information for the following purposes, each lawful under section 11 of POPIA:
| Purpose | Lawful basis under POPIA / GDPR |
|---|---|
| Creating and maintaining your account | Performance of contract |
| Showing Rescue Bags near your location | Consent (you can revoke location permission in your device settings at any time) |
| Concluding and performing the Rescue Bag purchase contract | Performance of contract |
| Sending transactional notifications (order confirmations, collection codes, refunds) | Performance of contract / legitimate interest |
| Running the Yebo Jackpot competition under section 36 of the Consumer Protection Act 68 of 2008 | Performance of contract / legal obligation |
| Verifying the identity of competition winners before paying out a prize | Legal obligation |
| Sending marketing communications | Consent (you can opt out at any time) |
| Fraud prevention and abuse detection | Legitimate interest |
| Paying partners out for completed orders | Performance of contract (partners only) |
| Tax, accounting, and regulatory audits | Legal obligation (SARS, Information Regulator, Consumer Protection Act) |
4. Special personal information
In limited circumstances we may collect personal information classified as "special personal information" under section 26 of POPIA — specifically the South African ID number of a Yebo Jackpot free-route entrant. We only do so where strictly necessary to verify identity at prize payout, we limit access to authorised personnel, and we redact this data within 90 days after the relevant draw (see clause 7).
5. Who we share your information with
We use a small number of specialised service providers ("operators" under POPIA, "processors" under GDPR). They act on our instructions under written agreements that comply with section 21 of POPIA. We do not sell personal information to anyone.
| Provider | Role | Where your data sits |
|---|---|---|
| Peach Payments (Pty) Ltd | Payment processing for Rescue Bag orders, refunds, and partner / prize payouts | Republic of South Africa |
| Supabase Inc. | Authentication, database, and file storage for the app | European Union or United States (Supabase region) |
| Google LLC (Google Maps Platform) | Rendering the in-app map and computing distances | Global; your approximate location is shared with Google only when the map is open |
| Netlify Inc. | Web hosting for the customer-facing site, partner portal, and admin dashboards | United States (with global edge caching) |
| Expo (650 Industries, Inc.) | Delivery of push notifications | United States |
| Partners | Information needed to fulfil your order (e.g., your name and collection code) | Republic of South Africa |
| Professional advisors (attorneys, auditors, accountants) | Bound by professional confidentiality | Republic of South Africa |
We may also share information where required by law — for example, in response to a valid subpoena, court order, or regulatory request. We will notify you of such a request where we are legally permitted to do so.
6. Cross-border transfers
Some of the operators listed above process your data outside South Africa. Where that happens, we rely on standard contractual clauses or equivalent safeguards approved under section 72 of POPIA, ensuring your data receives a comparable level of protection.
7. How long we keep your information
- Account profile — for as long as your account is active. When you delete your account (see clause 9), we anonymise your profile within 30 days. Where possible, we decouple linked records (e.g., orders) from your identity before retention.
- Order and payment records — 7 years, as required by South African tax law.
- Yebo Jackpot free-entry SA ID numbers — redacted within 90 days after the relevant draw, except where retained for an unresolved prize claim or dispute.
- Ratings and reviews — may remain visible after account deletion as anonymous ("Deleted user") to preserve partner-rating integrity. You can request removal of a specific review at any time.
- Support correspondence — two years from our last interaction.
- Marketing-consent records — until consent is withdrawn or the account is closed.
- Usage and diagnostic logs — 90 days.
8. Cookies and tracking
Our website uses essential cookies (login, payment session) and may use analytics cookies to understand usage. The mobile application does not use browser cookies but does use functionally similar local storage. You can disable cookies in your browser; some features may stop working.
9. Your rights
Under POPIA, and under GDPR where applicable, you have the right to:
- Be told what personal information we hold about you (POPIA section 23).
- Request correction or deletion of inaccurate, outdated, irrelevant or unlawfully obtained personal information (section 24).
- Object to processing for direct marketing (section 11(3)).
- Withdraw any consent you have given at any time (section 11(2)).
- Object to processing where it is based on legitimate interest.
- Lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za or inforeg@justice.gov.za — or with your local EU data-protection authority if you are in the EEA.
To exercise any of these rights, email support@yeboyum.co.za. We will respond within a reasonable time, normally not exceeding 30 days. You can also request deletion of your account directly within the app under Profile → Delete my account.
10. How we protect your information
We implement appropriate, reasonable technical and organisational measures (section 19 of POPIA) to protect personal information:
- All connections between your device and our servers use TLS 1.2 or higher.
- Passwords are hashed using industry-standard algorithms; we cannot recover your password — only reset it.
- Database access is restricted by row-level security; staff accounts use role-based access and, where available, multi-factor authentication.
- Partner bank-account details are accessible only via a restricted, audited internal function — not via general database reads.
- Card data is tokenised by Peach Payments; Yebo Yum servers never see your raw card number.
- We review our security controls before every major release and run external dependency audits.
No system is perfectly secure. If we become aware of a security breach affecting your personal information, we will notify you and the Information Regulator as required by section 22 of POPIA.
11. Children
The Yebo Yum Services are not intended for users under the age of 18 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has created an account, contact support@yeboyum.co.za and we will remove the account.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in the application and on this page. The "Effective date" at the top of the page reflects the most recent revision. Continued use of the Services after a change constitutes acceptance.
13. Contact us
Yebo Yum (Pty) Ltd
Information Officer: Tyron Coomer
119 Beach Road, Mouille Point, Cape Town, 8005, South Africa
Email: support@yeboyum.co.za
Information Regulator of South Africa — inforegulator.org.za · inforeg@justice.gov.za