Privacy Policy

Last updated (July 2025)

Purpose: This revised edition re-aligns every clause of the original CZApay Privacy Policy with the Protection of Personal Information Act 4 of 2013 (POPIA) and related South-African jurisprudence.

1. Definitions & Scope

“Personal Information” has the meaning assigned in section 1 of POPIA and includes, without limitation, identifying numbers (e.g., SA ID, passport, employee, or bank-account numbers), contact details, biometric data, financial history, employment records, passwords, and any information that can be linked to a living natural or juristic person in South Africa.

“Responsible Party” – CZA Investments Africa (Pty) Ltd, registration no. 2021/136329/07, with its registered address at 25 Redhill Road, Morningside, Sandton, 2196, South Africa.

2. Lawful Basis for Processing

We process Personal Information only when at least one of the following lawful grounds applies (POPIA §11):

1. Consent – you have given clear, specific, informed consent (opt-in).

2. Contractual necessity – processing is necessary to conclude or perform a contract with you. 3. Legal obligation – to comply with POPIA, FICA, ECTA, or other SA statute. 4. Legitimate interest – our legitimate interests do not override your right to privacy and we have conducted a Balancing of Interests Test (recorded and available on request).

3. Information We Collect

3.1 From You

We collect the minimum necessary Personal Information to achieve the specified purpose (POPIA §9).

Before any special personal information (e.g., race, health, biometric data) is collected, we obtain explicit consent and complete an Impact Assessment.

3.2 Automatically

We employ cookies, device identifiers and web beacons only after obtaining your granular consent via a POPIA-compliant cookie banner that records time-stamped accept/decline choices. IP addresses and location data are classified as Personal Information; they are pseudonymised where feasible.

4. Processing Purposes

Purpose

Lawful Basis (POPIA §11)

Retention Limit

Account on-boarding & KYC

Contract; Legal obligation (FICA)

5 yrs after account closure

Transaction processing

Contract

5 yrs (Financial Intelligence Centre Act)

Fraud detection

Legitimate interest

7 yrs (NCC guidelines)

Marketing e-mail

Consent (opt-in)

Until consent withdrawn

Analytics & product

improvement

Legitimate interest (Balancing Test on file)

3 yrs, then anonymise

5. Cross-Border Transfers

We will transfer Personal Information outside South Africa only if:

1. The recipient country has adequate data-protection laws (§72(1)(a)); or

2. Binding corporate rules or standard contractual clauses approved by the Information Regulator are in place; or

3. You provide explicit consent after being informed of the risks.

A list of all cross-border recipients, safeguards, and contact details is available on request.

6. Data Subject Rights (POPIA §5 & §23)

∙Access – obtain confirmation and a copy of your Personal Information (within 21 days). ∙ Correction – request rectification of inaccurate, irrelevant, excessive or outdated data. ∙ Deletion / Objection – request deletion or object to processing unless a lawful ground overrides. ∙ Restriction – temporarily halt processing while we verify a dispute.

Portability – receive data in a machine-readable format where technically feasible. ∙ Automated decisions – not be subject to a decision based solely on automated processing that produces legal effects, unless authorised by law or with explicit consent.

How to exercise rights: Email: support@CZApay.co.za or call +27 76 585 1140. No fee unless manifestly unfounded.

7. Security Safeguards (POPIA §19–22)

We implement reasonable technical and organisational measures including:

• ISO 27001-aligned ISMS.

• AES-256 encryption at rest; TLS 1.3 in transit.

• Role-based access control + multi-factor authentication.

• Annual penetration tests and POPIA compliance audits, summaries available on request.

• 72-hour personal data breach notification to the Information Regulator and affected data subjects.

8. Direct Marketing

We will only send electronic marketing with your explicit opt-in consent (§69 & ECTA §45). Every marketing message contains an unsubscribe link that takes effect within 24 hours. Opt-out logs are retained for 2 years to evidence compliance.

9. Sharing & Disclosure

All operators (processors) are bound by written contracts ensuring confidentiality, security, and POPIA compliance (§21).

We never sell Personal Information.

Disclosures to employers are limited to what is necessary for salary-linked services and are covered by a Data Sharing Addendum.

10. Retention & Deletion

We retain Personal Information only for the minimum period necessary for the lawful purpose (§14). A retention schedule is published at CZApay.co.za/privacy. Upon expiry, data is irreversibly destroyed or anonymised using NIST 800-88 media-sanitisation standards.

11. Information Officer & Regulator Contact

Information Officer: Andy Thupayatlase – support@CZApay.com – +27 76 585 1140 Information Regulator (South Africa):

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

complaints. IR@justice.gov.za | +27 10 023 5200

12. Changes to This Policy

Any material change will be notified via prominent banner and e-mail at least 30 days before it takes effect. The updated version will be placed at CZApay.com/privacy with an effective-date label.

13. Consent Clause (POPIA §11(1)(a))

By ticking “I Agree” or by continuing to use the Services after being presented with this Policy, you confirm that you have read, understood, and explicitly consent to the processing of your Personal Information as described herein. You may withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.

The categories of personal information that the business disclosed about the consumer for a business purpose.

If you would like to request this information, please email your request to support@CZApay.com. In your request, please specify that you want a "Your CZApay Privacy Rights Notice".

Please allow 30 days for a response.

Do Not Track Disclosures

CZApay does not track you across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. Nor do we knowingly authorise third parties to conduct online tracking through CZApay Services.

Consent to Processing and Transfer of Information

The Services are governed by and operated in accordance with the laws of, the South Africa, and are intended for the enjoyment of residents of the South Africa. If you use the Services, or otherwise provide us with data, from outside the South Africa, you acknowledge and agree that your Personal Information may be transmitted outside your resident jurisdiction. In particular, please note that your Personal Information may be stored and processed in the South Africa. The laws pertaining to the collection, use, disclosure and protection of Personal Information in the South Africa may be more or less stringent than the laws of other countries. By using the Services, you (a) acknowledge that the Services are subject to the laws of the South Africa; (b) consent to your Personal Information being stored and processed in the South Africa and handled as described in this Policy; and (c) waive any claims that may arise under the laws of the country where you reside, are a citizen, and/or from where you access the Services.

Changes to this Policy

This Policy is the sole authorised statement of CZApay's practices with respect to the collection of Personal Information and the subsequent use and disclosure of such information. Any summaries of this Policy generated by third party software or otherwise shall have no legal effect, are in no way binding upon CZApay, shall not be relied upon in substitute for this Policy, and neither supersede nor modify this Policy. CZApay may revise this Policy from time to time without prior notice to you, and any changes will be effective immediately upon the posting of the revised Privacy Policy within the Services as indicated by the “Last Updated” date located at the top of the Policy. You should bookmark and periodically review this page to ensure that you are familiar with the most current version of this Policy. You can determine when this Policy was last revised by checking the "Last Updated" legend at the top of the Policy.

How can you ask questions about this Policy?

If you have any questions or concerns about this Policy, please contact us at support@czapay.com.