PRIVACY POLICY

Effective from 24 November 2025

1. Definitions

The following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings:

1.1. “Applicable Laws” means all applicable laws, rules, regulations, codes, directives, and formal regulatory guidelines and standards made by a Regulator or public authority with binding effect, including the Protection of Personal Information Act, 2013 (“POPIA”).

1.2. “Controller” and “Processor” are read to refer to the equivalent POPIA terms “Responsible Party” and “Operator”.

1.3. “Direct Pay,” “we,” “our,” “us” means Direct Pay (Pty) Ltd, a company incorporated in South Africa (registration number 2024/654770/07).

1.4. “Data Breach” means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information.

1.5. “Data Protection Laws” means POPIA and any other Applicable Laws regulating the Processing of Personal Information.

1.6. “Data Subject” means any identified or identifiable natural or legal person to whom Personal Information relates, including employees, merchant representatives, partners, and end users whose transactional metadata is Processed.

1.7. “Personal Information” means information relating to an identifiable person as defined under POPIA, including:

  • (i) identity information;
  • (ii) employment or financial information;
  • (iii) contact details;
  • (iv) transactional metadata;
  • (v) identifying numbers or account identifiers;
  • (vi) correspondence of a private nature;
  • (vii) opinions about a person;
  • (viii) a person’s name if linked to other personal data;
  • (ix) any other information defined as personal information under POPIA.

1.8. “Policy” means this Privacy Policy.

1.9. “Process” means any operation relating to Personal Information as defined under POPIA, including collection, use, storage, modification, dissemination, deletion or destruction.

1.10. “Regulator” means the Information Regulator established under POPIA or any successor regulatory body.

1.11. “Responsible Party” and “Operator” have the meanings assigned under POPIA.

1.12. “Special Personal Information” means sensitive categories of information as defined under POPIA, including children’s information.

2. Purpose

2.1. The purpose of this Policy is to inform you how Direct Pay Processes your Personal Information in connection with its services.

2.2. Direct Pay, acting as a Responsible Party and/or Operator where applicable, strives to comply with POPIA and accepted information protection principles when Processing Personal Information.

2.3. This Policy applies to Personal Information collected directly from you or indirectly via third-party service providers, including Transaction Junction and other processing partners.

2.4. This Policy does not apply to third-party websites, platforms or systems that Direct Pay does not control. Such third parties may maintain their own privacy practices.

3. Process of Collecting Personal Information

3.1. We collect Personal Information directly from you unless an exception applies, such as where information is publicly available or obtained through authorised third parties.

3.2. Personal Information is collected in a lawful, fair and reasonable manner and only where necessary for defined purposes.

3.3. Where we obtain Personal Information from third parties, we will do so with your consent or as otherwise permitted under POPIA.

3.4. Such third parties may include:

  • (i) Transaction Junction (PCI DSS Level 1 processor);
  • (ii) Banks, schemes and payment partners (ABSA, Visa, Mastercard, Payinc);
  • (iii) Service providers assisting with technology, hosting or communication.

4. Lawful Processing of Personal Information

4.1. We will Process your Personal Information only where:

  • 4.1.1. you have provided consent;
  • 4.1.2. Processing is necessary to enter into or perform a contract;
  • 4.1.3. Processing is required by law;
  • 4.1.4. Processing protects your legitimate interests; or
  • 4.1.5. Processing is required for our legitimate interests or those of a third party.

4.2. We will Process Personal Information only where a legal basis exists.

4.3. We will make the reason for Processing clear before or at the time Personal Information is collected.

4.4. If Processing is based on consent, you may withdraw your consent at any time.

4.5. Upon withdrawal of consent, we will stop Processing the affected Personal Information unless legally permitted to continue.

5. Special Personal Information

5.1. We do not deliberately Process Special Personal Information unless:

  • (i) you consent;
  • (ii) required for legal claims;
  • (iii) needed for research with safeguards;
  • (iv) made public by you; or
  • (v) authorised by POPIA.

5.2. We do not Process children’s information unless permitted under POPIA.

6. Purpose for Processing Personal Information

6.1. We will notify you when your Personal Information is Processed and for what purpose.

6.2. We will Process Personal Information only for lawful, explicit and specific purposes.

6.3. Processing will relate only to the purposes communicated to you.

6.4. Direct Pay generally Processes Personal Information for:

  • 6.4.1. Providing Dep@Till and Pay-to-Card services;
  • 6.4.2. Merchant onboarding and verification;
  • 6.4.3. Reconciliation, reporting, dispute management and fraud monitoring;
  • 6.4.4. Monitoring and securing our systems;
  • 6.4.5. Compliance with Applicable Laws;
  • 6.4.6. Internal audit and risk management;
  • 6.4.7. HR and payroll administration (employees);
  • 6.4.8. External audits;
  • 6.4.9. Any purpose to which you consent;
  • 6.4.10. Any purpose authorised under POPIA.

7. Keeping Personal Information Accurate

7.1. We take reasonable steps to ensure Personal Information is accurate and up to date.

7.2. You may be asked to update your information where needed.

7.3. You must notify us of changes to your Personal Information.

8. Storage and Processing of Personal Information

8.1. Personal Information may be stored electronically or in hard copy on secure systems.

8.2. Personal Information may also be stored using third-party providers such as AWS (South Africa region only).

8.3. Third parties may access Personal Information only as necessary for authorised purposes.

8.4. Third parties must comply with POPIA and Direct Pay’s contractual safeguards.

8.5. Third parties may not access Personal Information for any purpose other than those specified.

8.6. Personal Information is not transferred outside South Africa.

9. Direct Marketing

9.1. We comply with POPIA when conducting direct marketing.

9.2. We will only market to you where permitted by law.

9.3. Marketing may target merchants, partners and, where compliant, consumers.

9.4. You may opt out of marketing communications at any time.

10. Retention of Personal Information

10.1. We retain Personal Information in hard copy or electronic form.

10.2. We retain Personal Information only as long as necessary unless:

  • (i) required by law;
  • (ii) needed for lawful purposes;
  • (iii) required for contractual obligations;
  • (iv) you consent to longer retention; or
  • (v) retained for research or statistical reasons with safeguards.

10.3. Where retained for extended periods, safeguards will ensure compliance with POPIA.

10.4. Once no longer required, Personal Information will be deleted, destroyed or de-identified.

11. Failure to Provide Personal Information

Failure to provide required Personal Information may prevent Direct Pay from performing contractual or legal obligations.

12. Safe-Keeping of Personal Information

12.1. We take reasonable steps to secure Personal Information.

12.2. We use technical and organisational safeguards including encryption, access controls, and monitoring.

12.3. We regularly review and update security measures.

13. Data Breaches

13.1. Data Breaches will be addressed in accordance with POPIA.

13.2. We will notify the Regulator and affected Data Subjects where required.

13.3. Notification will occur as soon as reasonably possible.

13.4. Where acting as an Operator, we will notify the Responsible Party of any suspected breach.

14. Provision of Personal Information to Third Party Service Providers

14.1. Personal Information may be shared with third parties under written agreements ensuring POPIA compliance.

14.2. Personal Information will be disclosed only with consent or where legally permitted.

14.3. No cross-border Processing occurs.

15. Responses

We will respond to Data Subject requests within 30 days, subject to permitted extensions.

16. Privacy Officer

Direct Pay has appointed a dedicated Information Officer:

Information Officer: Sebastian McIntosh

Email: sebastian@directpayments.co.za