Privacy Policy

The responsible party (as defined in POPIA) for personal information processed through the Platform is:

Questions about your personal information or this Policy should be directed to our Information Officer at the email address above.

We collect personal information only as necessary for the purpose of operating the Platform. This includes:

Account & Identity Information

• Full name, email address, and password (hashed — never stored in plain text).
• Profile photo (optional).
• Province and city of operation.
• Phone number (for booking notifications and urgent communications).

Pilot-Specific Information

• CAA Remote Pilot Licence number and expiry date.
• Proof of public liability insurance (insurer name, policy number, expiry).
• Drone make, model, and registration number.
• Bank account details for payout purposes (stored and encrypted by our payment processor — not retained by Lofft directly).
• Portfolio images and work samples you choose to upload.

Job & Transaction Data

• Job briefs, descriptions, location details, and attachments submitted by Clients.
• Booking records, including amounts, dates, and statuses.
• In-platform messages between Users.
• Payment data — processed and stored by our payment provider (PayFast). Lofft stores only a tokenised reference; full card details are never retained by Lofft.

Usage & Technical Data

• IP address, browser type, and device identifiers.
• Pages viewed, features used, and time spent on the Platform.
• Referring URL and search terms (where applicable).

Information from Third Parties

• Payment verification and fraud signals from our payment processor (PayFast).
• Any information you choose to provide when contacting our support team.

We process personal information on the following lawful grounds under POPIA:

To perform our contract with you:

• Creating and managing your account.
• Facilitating job postings and Pilot profile listings.
• Processing Bookings and managing payments.
• Sending booking confirmations, reminders, and payout notifications.
• Verifying Pilot credentials and CAA licence status.

To comply with legal obligations:

• Retaining transaction records as required by tax and financial services law.
• Responding to lawful requests from South African regulatory or law enforcement authorities.

For our legitimate interests (where these don't override your rights):

• Preventing fraud, abuse, and platform circumvention.
• Improving Platform features and user experience through aggregated usage analytics.
• Sending you relevant service updates and platform announcements.
• Resolving disputes between Users.

With your consent:

• Sending marketing communications about Lofft products, promotions, and news. You can withdraw this consent at any time by clicking "Unsubscribe" in any marketing email.

Lofft does not sell your personal information. We share it only as follows:

With other Users:

• Pilots' profile information (name, location, specialisations, rating, portfolio) is visible to Clients browsing the Platform.
• Client job briefs are visible to Pilots who are matched or invited to apply.
• In-platform messages are shared between the two parties to a conversation.

With service providers acting as operators (as defined in POPIA):

• Supabase — database and authentication hosting (EU/US data centres with GDPR-compliant data processing agreements).
• PayFast — payment processing. PayFast operates its own privacy policy and is independently responsible for payment data.
• Resend / similar email provider — transactional email delivery (booking confirmations, account notifications).
• Vercel — web hosting and edge network (used to serve the Platform).

All operators are contractually required to process your information only on our documented instructions and to implement appropriate security measures.

For legal and safety reasons:

We may disclose personal information to law enforcement or regulatory authorities where required by law, or where necessary to prevent fraud, protect the safety of any person, or enforce our Terms of Service.

Some of our service providers (including Supabase and Vercel) process data in the European Union and the United States. In accordance with POPIA Section 72, we transfer personal information outside South Africa only where:

• The recipient country provides an adequate level of data protection (e.g., the EU under GDPR);
• The recipient has entered into a binding agreement with Lofft that provides comparable protections to those under POPIA; or
• The transfer is necessary for the performance of a contract between you and Lofft (e.g., hosting the Platform so you can access your account).

PayFast processes all payment data within South Africa. Your payment information does not leave the country.

We retain personal information for as long as necessary to fulfil the purposes described in this Policy, subject to the following minimum periods:

After the applicable retention period, data is securely deleted or anonymised.

We implement industry-standard technical and organisational security measures to protect your personal information, including:

• TLS/HTTPS encryption for all data in transit.
• Encrypted storage for sensitive data fields (including credentials and licence details).
• Password hashing using bcrypt (passwords are never stored in plain text).
• Role-based access controls limiting which Lofft employees can access User data.
• Regular security reviews and penetration testing.

Despite these measures, no system is completely secure. You are responsible for keeping your account credentials confidential. Notify us immediately at support@lofft.co.za if you suspect unauthorised access to your account.

In the event of a security breach that is reasonably likely to result in a risk to your rights, we will notify you and the Information Regulator as required by POPIA Section 22 within 72 hours of becoming aware of the breach.

Lofft uses cookies and similar technologies to:

• Keep you logged into your account (session cookies — essential).
• Remember your filter preferences on the Platform (functional cookies).
• Collect aggregated, anonymous analytics on how the Platform is used (analytics cookies — e.g., page views and feature usage patterns). No personally identifiable information is included in analytics data.

We do not use third-party advertising cookies or sell browsing data to advertisers.

When you first visit the Platform, a cookie consent banner will appear asking you to accept or decline non-essential cookies. Analytics cookies are only activated after you give consent. You can withdraw consent at any time by clearing your browser's cookies or local storage for lofft.co.za. Disabling essential cookies will prevent you from logging in to the Platform.

Under POPIA, you have the following rights with respect to your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your information where it is no longer necessary for the purpose it was collected, subject to our legal retention obligations.
• Objection: Object to processing of your information where we rely on our legitimate interests as the lawful basis, if your particular circumstances justify it.
• Withdrawal of consent: Withdraw consent to marketing communications at any time.
• Portability: Request your data in a machine-readable format where technically feasible.
• Complaint: Lodge a complaint with the South African Information Regulator if you believe your rights under POPIA have been violated.

To exercise any of these rights, contact us at support@lofft.co.za. We will respond within 30 days. We may need to verify your identity before processing certain requests.

The Platform is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us at support@lofft.co.za and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email (to your registered address) and update the "Last updated" date at the top of this page. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

For any privacy-related questions, access requests, or concerns, contact our Information Officer:

If you are unsatisfied with our response, you have the right to escalate your complaint to the South African Information Regulator (see Section 9 above).