
Ezeepay Privacy Policy

 

  1. Definitions

The following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings:

  1. "Applicable Laws" means all applicable laws, rules, codes, regulations, and formal regulatory guidelines and standards, made by a Regulator, legislature or other public authority with binding effect in force from time to time (construed having regard to related guidance and codes of practice issued or approved by a regulator or other public body);

  2. "Ezeepay", "we", "our", "us" means Ezeepay (Proprietary) Limited, a company registered in terms of South African law with registration number: 2022/250578/07;

  3. "CIPC" means the Companies and Intellectual Property Commission;

  4. "Responsible Party" and "Operator" have the meanings given to those terms in the Data Protection Laws, and where an equivalent term is used in Data Protection Laws (such as "Responsible Party" and "Operator", respectively) "Controller" and "Processor" are read to refer to those equivalent terms;

  5. "Data Breach" means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed;

  6. "Data Protection Laws" means any Applicable Laws which regulate the Processing of Personal Information that is received by Ezeepay;

  7. "Data Subject" means each identified or identifiable (whether directly or indirectly) legal or natural person to whom any Personal Information relates;

  8. "Personal Information" means information relating to any natural or legal person, the Processing of which is regulated by Data Protection Laws including: (i) information relating to the race, gender, sex, marital status, national, ethnic or social origin, colour, age, disability, language and birth of the person; (ii) information relating to the education or the medical, financial, criminal or employment history of the person; (iii) information relating to the financial affairs of the person; (iv) credit card details and transactional data; (v) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person; (vi) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (vii) the views or opinions of another individual about the person; (viii) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; and (ix) any other information the Processing of which may be treated or defined as "personal information" in terms of any Applicable Laws, including Data Protection Laws;

  9. "Policy" means this Privacy Policy;

  10. "Process" means to collect, receive, record, organise, collate, store, develop, update, modify, retrieve, alter, consult, use, disseminate or perform any other act or action, including any other act or action which may be treated or defined as “process” or “processing” (or any equivalent term for a similarly-regulated activity) in terms of any Data Protection Laws, and “Processed” and “Processing” shall have a corresponding meaning; and

  11. "Regulator" shall mean any court or public body having regulatory or supervisory authority over all Personal Information.

  1. Purpose of the Policy

    1. The purpose of this Policy is to inform Data Subjects about how Ezeepay Processes their Personal Information.

    2. Ezeepay, in its capacity as Responsible Party (and/or Operator, where applicable), shall strive to observe, and comply with its obligations under Data Privacy Laws as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

    3. This Policy applies to Personal Information collected by Ezeepay in connection with the products and services which Ezeepay provides. This includes information collected directly from you as a Data Subject, as well as information we collect indirectly through our service providers who collect your information on our behalf.

    4. This Privacy Policy does not apply to the information practices of third party companies that Ezeepay may engage with in relation to its business operations (including, without limitation, their websites, platforms and/or applications) which we do not own or control; or individuals that Ezeepay does not manage or employ. These third party sites may have their own privacy policies and terms and conditions that people will have to comply with.

  2. Process of Collecting Personal Information

    1. Ezeepay collects Personal Information directly from Data Subjects as and when required for a defined purpose, unless an exception is applicable (such as, for example, where the Data Subject has made the Personal Information public or the Personal Information is contained in or derived from a public record).

    2. Ezeepay will always collect Personal Information in a fair, lawful and reasonable manner to ensure that it protects the Data Subject's privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect the Data Subject in question.

    3. Ezeepay often collects Personal Information directly from the Data Subject and/or in some cases, from third parties. Where Ezeepay obtains Personal Information from third parties, Ezeepay will ensure that it obtains the consent of the Data Subject to do so or will only Process the Personal Information without the Data Subject's consent where Ezeepay is permitted to do so in terms of clause 3.1 above or the Data Protection Laws.

    4. An example of such third parties includes: (i) agencies; (ii) other companies providing services to Ezeepay; and (iii) where Ezeepay makes use of publicly available sources of information such as the CIPC.

  3. Lawful Processing of Personal Information

    1. Where Ezeepay is the Responsible Party, it will only Process a Data Subject's Personal Information (other than for Special Personal Information) where:

      1. consent of the Data Subject (or a competent person, where the Data Subject is a Child) is obtained;

      2. Processing is necessary to carry out the actions for conclusion of a contract to which a Data Subject is party;

      3. Processing complies with an obligation imposed by Data Protection Laws on Ezeepay;

      4. Processing protects a legitimate interest of the Data Subject; and/or

      5. Processing is necessary for pursuing the legitimate interests of Ezeepay or of a third party to whom the information is supplied.

    2. Ezeepay will only Process Personal Information where one of the legal bases referred to in paragraph 4.1 above is present.

    3. Ezeepay will make the manner and reason for which the Personal Information will be Processed clear to the Data Subject.

    4. Where Ezeepay is relying on a Data Subject's consent as the legal basis for Processing Personal Information, the Data Subject may withdraw his/her/its consent or may object to Ezeepay's Processing of the Personal Information at any time. However, this will not affect the lawfulness of any Processing carried out prior to the withdrawal of consent or any Processing justified by any other legal ground provided under Data Privacy Laws.

    5. If the consent is withdrawn or if there is otherwise a justified objection against the use or the Processing of such Personal Information, Ezeepay will ensure that the Personal Information is no longer Processed.

  4. Special Personal Information and Personal Information of Children

    1. Special Personal Information is sensitive Personal Information of a Data Subject and Ezeepay acknowledges that it will generally not Process Special Personal Information unless:

      1. Processing is carried out in accordance with the Data Subject's consent;

      2. Processing is necessary for the establishment, exercise or defence of a right or obligation in law;

      3. Processing is for historical, statistical or research purposes, subject to stipulated safeguards;

      4. information has deliberately been made public by the Data Subject; or

      5. specific authorisation applies in terms of Data Privacy Laws.

    2. Ezeepay acknowledges that it may not Process any Personal Information concerning a child and will only do so where it has obtained the consent of the parent or guardian of that child or where it is permitted to do so in accordance with applicable laws.

  5. Purpose for Processing Personal Information

    1. Ezeepay understands its obligation to make Data Subjects aware of the fact that it is Processing their Personal Information and inform them of the purpose for which Ezeepay Processes such Personal Information.

    2. Ezeepay will only Process a Data Subject's Personal Information for a specific, lawful and clear purpose (or for specific, lawful and clear purposes) and will ensure that it makes the Data Subject aware of such purpose(s) as far as possible.

    3. It will ensure that there is a legal basis for the Processing of any Personal Information. Further, Ezeepay will ensure that Processing will relate only to the purpose for and of which the Data Subject has been made aware (and where relevant, consented to) and will not Process any Personal Information for any other purpose(s).

    4. Ezeepay will generally use Personal Information for purposes required to operate and manage its normal operations and these purposes include one or more of the following non-exhaustive purposes:

      1. for the purposes of providing or services to clients;

      2. for purposes of onboarding suppliers or service providers as approved suppliers/service providers of Ezeepay. For this purpose, Ezeepay will also Process a service provider's/supplier's Personal Information for purposes of performing the necessary due diligence checks;

      3. generally for procurement and supply purposes;

      4. for purposes of monitoring the use of Ezeepay's electronic systems and online platforms by Data Subjects. Ezeepay will, from time to time, engage third party service providers (who will Process the Data Subject's Personal Information on behalf of Ezeepay) to facilitate this;

      5. for purposes of preventing, discovering and investigating violations of this Policy, the applicable law and other Ezeepay policies;

      6. in connection with the execution of payment processing functions, including payment of Ezeepay's suppliers'/service providers' invoices;

      7. for employment-related purposes such as recruiting staff, administering payroll, background checks, etc.;

      8. in connection with internal audit purposes (i.e. ensuring that the appropriate internal controls are in place in order to mitigate the relevant risks, as well as to carry out any investigations where this is required);

      9. in connection with external audit purposes. For this purpose, Ezeepay engages external service providers and, in so doing, shares Personal Information of the Data Subjects with third parties;

      10. for company secretarial related purposes. For this purpose, Ezeepay will, from time to time, collect information relating to Data Subjects from third parties such as CIPC;

      11. for such other purposes to which the Data Subject may consent from time to time;

      12. for such other purposes as authorised in terms of Data Protection Laws; and

      13. to comply with any Data Protection Laws or any query from a Regulator.

  6. Keeping Personal Information Accurate

    1. Ezeepay will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up to date as reasonably possible depending on the purpose for which Personal Information is collected or further Processed.

    2. Ezeepay may not always expressly request the Data Subject to verify and update his/her/its Personal Information unless this process is specifically necessary.

    3. Ezeepay, however, expects that the Data Subject will notify Ezeepay from time to time in writing of any updates required in respect of his/her/its Personal Information.

  7. Storage And Processing of Personal Information

    1. Ezeepay may store the Data Subject’s Personal Information in hardcopy format and/or in electronic format using Ezeepay's own secure on-site servers or other internally hosted technology. The Data Subject’s Personal Information may also be stored by third parties, via cloud services or other technology, with whom Ezeepay has contracted to support Ezeepay's operations.

    2. Ezeepay's third party service providers, including data storage and processing providers, may from time to time also have access to a Data Subject's Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

    3. Ezeepay will ensure that such third party service providers will Process the Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures and Data Privacy Laws.

    4. These Third Parties do not use or have access to the Data Subject’s Personal Information other than for purposes specified by Ezeepay, and Ezeepay requires such parties to employ at least the same level of security that Ezeepay uses to protect the Data Subject’s Personal Information.

    5. The Data Subject’s Personal Information may be Processed in South Africa or another country where Ezeepay, its affiliates and their third party service providers maintain servers and facilities and Ezeepay will take steps, including by way of contracts, to ensure that it continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under applicable law, including Data Privacy Laws.

  8. Personal Information for Direct Marketing Purposes

    1. To the extent that Ezeepay acts in its capacity as a direct marketer, it shall strive to observe, and comply with its obligations under Data Privacy Laws when implementing principles and practices in relation to direct marketing.

    2. Ezeepay acknowledges that it may only use Personal Information to contact the Data Subject for purposes of direct marketing from time to time where it is permissible to do so.

    3. Ezeepay may use Personal Information to contact any Data Subject and/or market Ezeepay's services directly to the Data Subject(s) if the Data Subject is one of Ezeepay's existing clients, the Data Subject has requested to receive marketing material from Ezeepay or Ezeepay has the Data Subject's consent to market its services directly to the Data Subject.

    4. If the Data Subject is an existing client, Ezeepay will only use his/her/its Personal Information if it has obtained the Personal Information through the provision of a service to the Data Subject and only in relation to similar services to the ones Ezeepay previously provided to the Data Subject.

    5. Ezeepay will ensure that a reasonable opportunity is given to the Data Subject to object to the use of their Personal Information for Ezeepay's marketing purposes when collecting the Personal Information and on the occasion of each communication to the Data Subject for purposes of direct marketing.

    6. Ezeepay will not use your Personal Information to send you marketing materials if you have requested not to receive them. If you request that we stop Processing the Data Subject’s Personal Information for marketing purposes, Ezeepay shall do so.

  9. Retention of Personal Information

    1. Ezeepay may keep records of the Personal Information, correspondence, or comments it has collected in an electronic or hardcopy file format.

    2. In terms of Data Privacy Laws, Ezeepay may not retain Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or processed and is required to delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances:

      1. where the retention of the record is required or authorised by Applicable Laws or by any Regulator;

      2. Ezeepay requires the record to fulfil its lawful functions or activities;

      3. retention of the record is required by a contract between the parties thereto;

      4. the Data Subject (or competent person, where the Data Subject is a Child) has consented to such longer retention; or

      5. the record is retained for historical, research, archival or statistical purposes provided safeguards are put in place to prevent use for any other purpose. Accordingly, Ezeepay will, subject to the exceptions noted in this Policy, retain Personal Information for as long as necessary to fulfil the purposes for which that Personal Information was collected and/or as permitted or required by Data Protection Laws.

    3. Where Ezeepay retains Personal Information for longer periods for statistical, historical, archival or research purposes, Ezeepay will ensure that appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be Processed in accordance with this Policy and Data Protection Laws.

    4. Once the purpose for which the Personal Information was initially collected and Processed no longer applies or becomes obsolete, Ezeepay will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that a person cannot re-identify such Personal Information. In instances where we de-identify the Personal Information, Ezeepay may use such de-identified information indefinitely.

  10. Failure to Provide Personal Information

Should Ezeepay need to collect Personal Information by Applicable Laws or under its obligations as a service provider, and the Data Subject fails to provide the Personal Information when requested, Ezeepay may be unable to perform its duties as a service provider in terms of the Data Protection Laws.

  1. Safe-Keeping of Personal Information

    1. Ezeepay shall preserve the security of Personal Information and, in particular, prevent its alteration, loss and damage, or access by non-authorised third parties.

    2. Ezeepay will ensure the security and integrity of Personal Information in its possession or under its control with appropriate, reasonable technical and organisational measures to prevent loss, unlawful access and unauthorised destruction of Personal Information.

    3. Ezeepay has implemented physical, organisational, contractual and technological security measures (having regard to generally accepted information security practices or industry specific requirements or professional rules) to keep all Personal Information secure, including measures protecting any Personal Information from loss or theft, and unauthorised access, disclosure, copying, use or modification. Further, Ezeepay maintains and regularly verifies that the security measures are effective and regularly updates same in response to new risks.

  2. Breaches of Personal Information

    1. Ezeepay will address any Data Breach in accordance with the terms of Data Privacy Laws.

    2. Ezeepay will notify the Regulator and the affected Data Subject (unless the applicable law or a government authority requires that we delay notification to the Data Subject) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of that Data Subject's Personal Information.

    3. Ezeepay will provide such notification as soon as reasonably possible after it has become aware of any Data Breach in respect of such Data Subject's Personal Information.

    4. Where Ezeepay acts as an 'Operator' for purposes of Data Privacy Laws and should any Data Breach affect the data of Data Subjects whose information Ezeepay Processes as an Operator, Ezeepay shall (in terms of Data Privacy Laws) notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of relevant Data Subjects has been accessed or acquired by any unauthorised person.

  3. Provision of Personal Information to Third Party Service Providers

    1. Ezeepay may disclose Personal Information to third parties and will enter into written agreements with such third parties to ensure that they Process any Personal Information in accordance with the provisions of this Policy, and Data Privacy Laws.

    2. Ezeepay notes that such Third Parties may assist Ezeepay with the purposes including but not limited to:

      1. data storage;

      2. assisting Ezeepay with auditing processes (external auditors);

      3. for providing outsourced services to Ezeepay, including in respect of its (i) legal, (ii) data storage requirements and (iii) upskilling of its employees; and/or

      4. to notify the Data Subjects of any pertinent information concerning Ezeepay.

    3. Ezeepay will disclose Personal Information with the consent of the Data Subject or if Ezeepay is permitted to do so without such consent in accordance with Data Protection Laws.

    4. Further, Ezeepay may also send Personal Information to a foreign jurisdiction outside of the Republic of South Africa, including for Processing and storage by third parties.

    5. When Personal Information is transferred to a jurisdiction outside of the Republic of South Africa, including to any cloud, data centre or server located outside of South Africa, Ezeepay will obtain the necessary consent to transfer the Personal Information to such foreign jurisdiction or may transfer the Personal Information where Ezeepay is permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under Data Privacy Laws.

    6. The Data Subject should also take note that the Processing of Personal Information in a foreign jurisdiction, if and to the extent such Processing does occur, may be subject to the laws of the country in which the Personal Information is held, and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

  4. Access to Personal Information

    1. Data Privacy Laws read with the relevant provisions of the Promotion of Access to Information Act, No. 2 of 2000 ("PAIA") confer certain access rights on Data Subjects.

    2. Ezeepay's PAIA Manual can be found on [please insert] ("PAIA Manual"). These rights include:

      1. a right of access: a Data Subject having provided adequate proof of identity has the right to: (i) request a Responsible Party to confirm whether any Personal Information is held about the Data Subject; and/or (ii) request from a Responsible Party a description of the Personal Information held by the Responsible Party including information about Third Parties who have or have had access to the Personal Information. A Data Subject may request:

        1. Ezeepay to confirm, free of charge, whether it holds any Personal Information about him/her/it; and

        2. to obtain from Ezeepay the record or description of Personal Information concerning him/her/it and any information regarding the recipients or categories of recipients who have or had access to the Personal Information. Such record or description is to be provided: (a) within a reasonable time; and (b) in a reasonable manner and format and in a form that is generally understandable.

      2. a right to request correction or deletion: a Data Subject may also request Ezeepay to:

        1. correct or delete Personal Information about the Data Subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

        2. destroy or delete a record of Personal Information about the Data Subject that Ezeepay is no longer authorised to retain in terms of Data Privacy Laws' retention and restriction of records provisions.

On receipt of such a request, Ezeepay is required to, as soon as is reasonably practicable: (a) correct the information; (b) delete or destroy the information; (c) provide the Data Subject with evidence in support of the information; or (d) where the Data Subject and Responsible Party cannot reach agreement on the request and if the Data Subject requests this, Ezeepay will take reasonable steps to attach to the information an indication that correction has been requested but has not been made;

  1. a Data Subject that has previously consented to the Processing of his/her/its Personal Information has the right to withdraw such consent and may do so by providing Ezeepay with notice to such effect. Further, a Data Subject may object, on reasonable grounds, to the Processing of Personal Information relating to him/her/it.

  2. Accordingly, Ezeepay may request the Data Subject to provide sufficient identification to permit access to, or provide information regarding the existence, use or disclosure of the Data Subject's Personal Information. Any such identifying information shall only be used for the purpose of facilitating access to or information regarding the Personal Information.

  3. The Data Subject can request in writing to review any Personal Information about the Data Subject that Ezeepay holds including Personal Information that Ezeepay has collected, utilised or disclosed.

  4. Ezeepay shall respond to these requests in accordance with Data Privacy Laws and PAIA and provide the Data Subject with any such Personal Information to the extent required by law and any of Ezeepay's policies and procedures which apply in terms of the PAIA.

  5. The Data Subject can challenge the accuracy or completeness of his/her/its Personal Information in Ezeepay's records at any time in accordance with the process set out in the PAIA Manual for accessing information.

  6. If a Data Subject successfully demonstrates that their Personal Information in Ezeepay's records is inaccurate or incomplete, Ezeepay will ensure that such Personal Information is amended or deleted as required (including by any third parties).

  1. Responses

Ezeepay will respond to each written request of a Data Subject not later than 30 (thirty) days after receipt of such requests. Under certain circumstances, Ezeepay may, however, extend the original period of 30 days once for a further period of not more than 30 (thirty) days.

  1. Ezeepay Privacy Information Officer

    1. Ezeepay has appointed a dedicated Privacy Information Officer who is responsible for the Processing and protection of Personal Information.

Ezeepay’s Privacy Information Officer

Name: Daniel Katz

Phone Number: +27 72 366 0010

Email Address: daniel@ezeepay.io
