Pangea Rally — Privacy Policy (GDPR + POPIA)
Who we are: Pangea Partners (Pty) Ltd t/a Pangea Rally (“Pangea”).
Role: Responsible Party (POPIA) / Data Controller (GDPR).
Contact (Information Officer): Greg Bergh, info@pangearally.com.
Scope: This policy covers data processed via our website, email, forms, payments, and the
operation of the Pangea Rally.
Effective date: 18 September 2025.
1) Data We Collect
- Identity & contact: name, ID/passport, nationality, email, phone, address, emergency contact.
- Booking & payment: booking details, ticket class, invoice data, payment status and method (we do not store full card numbers).
- Health & safety (special personal information): self-declared medical info/allergies for on-event safety.
- Operational: GPS/telematics during the event (for safety/logistics), incident reports, waiver records, photography/videography.
- Technical (website): device, IP, cookies/analytics (see Cookies below).
2) Why We Use Your Data & Our Legal Bases
- To take and manage bookings; provide customer service; collect payment.
  Legal basis: Contract; legal obligation (tax).
- To ensure safety and deliver the rally (including medical readiness and GPS tracking).
  Legal basis: Legitimate interests (safe operations), vital interests, and explicit consent for health data.
- To communicate about the event and service notices.
  Legal basis: Contract/legitimate interests.
- Marketing to past/opt-in subscribers (email/social).
  Legal basis: Consent (where required) or legitimate interests with opt-out. We comply with POPIA s69 and CPA rules on direct marketing; you can opt out at any time.
- Analytics, security, fraud prevention and compliance.
  Legal basis: Legitimate interests/legal obligation.
3) Sharing Your Data
We use trusted operators/processors under written agreements: payment gateways,
email/SMS providers, cloud hosting/CDN, medical/evac providers, logistics,
photographers/videographers. We may share essential data with on-site partners strictly
for rally delivery. We do not sell personal data.
4) International Transfers
Where data leaves South Africa/EEA (e.g., global cloud services), we implement
appropriate safeguards, such as Standard Contractual Clauses and POPIA-compliant
operator agreements. Where required, we carry out transfer impact assessments and
apply supplementary measures.
5) Retention
- Booking & tax records: 5 years.
- Medical/safety data: event + 30 days (longer if an incident requires it).
- GPS logs/operational telemetry: 90 days.
- Marketing data: until you opt out or after 24 months of inactivity.
We may keep minimal records to demonstrate compliance and consents.
6) Your Rights
Under POPIA/GDPR you may access, correct, and delete your data (subject to legal
limits), restrict or object to processing (including marketing), and withdraw consent at
any time (does not affect prior lawful processing). Under GDPR, you may also request data
portability. To exercise rights, contact info@pangearally.com; we will verify your identity
and respond within legal timeframes.
7) Security
We use industry-standard safeguards: TLS in transit, encryption for sensitive fields,
role-based access, MFA for admin systems, supplier due diligence and incident response
procedures.
8) Breach Notification
If we become aware of a personal data breach that creates a risk of harm, we will notify the
Information Regulator (South Africa) and affected individuals as required by POPIA and,
where applicable, notify the relevant EU/UK supervisory authority under GDPR/UK GDPR
(generally within 72 hours of becoming aware).
9) Cookies & Similar Tech
We use cookies for essential site functions and (with consent) analytics/marketing. In
jurisdictions that require consent (e.g., EU/UK), non-essential cookies are disabled by
default until you opt in. You can manage preferences via our cookie banner and change
them anytime through the “Cookie Preferences” link in the footer. Blocking some cookies
may affect site performance.
10) Children
The event is intended for adults (18+). We do not knowingly collect children’s data.
11) Complaints
If we can’t resolve your concern, you may contact the Information Regulator (South
Africa) or, if you are in the EU/UK, your local supervisory authority. We will provide details
on request.
12) Changes to this Notice
We may update this policy from time to time. We will post the updated version with a new
“Last updated” date.