Privacy Policy South Africa

1. Introduction and Scope
Zazu SA (Pty) Ltd ("Zazu", "we", "us", or "our") is an approved co-brand partner of Sava Technologies (Pty) Ltd (FSP 53169) and an authorised distribution partner of Access Bank South Africa Limited (FSP 5865). We are committed to protecting your personal information and respecting your privacy rights under South African law.

This Notice applies to all personal information collected through the Zazu website, mobile application, and any related financial services we provide.

Zazu SA (Pty) Ltd (2024/396003/07), is an approved co-brand partner of Sava Technologies (Pty) Ltd (Reg. No.: 2022/301994/07, FSP 53169), an authorised distribution partner of Access Bank South Africa Limited (Reg. No.: 1947/025414/06, FSP 5865).

2. Policy Statement
We are committed to processing your personal information lawfully, fairly, and transparently in accordance with POPIA. We collect only the minimum information necessary for our services, protect it with appropriate security measures, and respect your right to access, correct, or delete your information.

3. What Personal Information We Collect
3.1 Identity Information

• Full name and surname

• South African Identity Document (green ID book or front and back of smart ID card)

• Date of birth, nationality, and marital status

• Photographs and biometric data (for identity verification purposes)

3.2 Contact Information

• Email address, mobile number, and physical address

• Proof of address (not older than 3 months from date of application)

• Preferred communication method and language

3.3 Financial Information

• Banking details, account numbers, and transaction history

• Income, expenses, assets, and financial obligations

• Credit and risk profile information

3.4 Business Information (for South African SMEs)

• Company name, CIPC Certificate of Incorporation, and UBO Register

• Source of Funds Declaration

• Tax Certificate or Letter of Good Standing

• Directors' KYC documents (as set out under Identity Information above)

3.5 Technical and Usage Information

• IP address, device type, browser, and operating system

• App usage data, log files, and interaction history

Important: Cards can only be created for South African residents in compliance with South African regulations. All KYC/KYB checks must be completed and cleared before any card is issued.

4. Why We Collect Your Information
We collect your personal information to:

• Assess and process your application to use Zazu's services.

• Verify your identity and conduct KYC/KYB and AML checks as required by law.

• Open, manage, and maintain your account.

• Process transactions and provide financial services.

• Communicate with you about your account, transactions, and service changes.

• Respond to queries and complaints.

• Comply with legal and regulatory obligations (FICA, FAIS, POPIA, etc.).

• Detect and prevent fraud, money laundering, terrorist financing, and other financial crime.

• Conduct sanctions screening against global watchlists, FATF lists, UNSC Sanctions Lists, PEP registers, and adverse media.

5. Legal Basis for Processing
We process your personal information on the following lawful bases:

• Contractual necessity: to provide our services and fulfil our agreement with you.

• Legal obligation: to comply with FICA, FAIS, POPIA, and other applicable laws.

• Legitimate interest: for fraud prevention, security, sanctions screening, and business improvement.

• Consent: where you have expressly consented to specific processing activities (which you may withdraw at any time).

6. How We Share Your Information
We may share your personal information with:

• Sava Technologies (Pty) Ltd — as our licensed BaaS provider. SAVA handles all customer verification, risk assessment, transaction monitoring, and regulatory reporting (including STRs, CTRs, TPRs, and IFTRs to the Financial Intelligence Centre).

• Access Bank South Africa Limited — as the licenced bank providing the underlying banking infrastructure and holding your deposits.

• Birdseye — the transaction monitoring platform engaged to ensure accounts and cards are not used for fraud, money laundering, terrorist financing, or other suspicious activity.

• Third-party service providers engaged to assist with KYC, technology, customer support, or compliance (bound by data processing agreements).

• The FIC, FSCA, and other regulatory and law enforcement authorities where required by law.

We do not sell your personal information to any third party.

7. How Long We Keep Your Information
Key retention periods include:

• KYC and customer records: 5 years after the end of the business relationship (FICA).

• Transaction records: 5 years (FICA).

• Complaints records: 5 years (FSCA requirements).

• Telephonic sales call recordings: 45 days minimum (FAIS General Code of Conduct).

After the applicable retention period, personal information is securely destroyed or anonymised.

8. How We Protect Your Information
Our security measures include:

• Two-factor authentication and access controls.

• Encryption of data in transit and at rest.

• Regular security monitoring and vulnerability assessments.

• Annual staff training on data protection and information security.

9. Your Rights
As a data subject under POPIA, you have the right to:

• Access your personal information held by us.

• Request correction of inaccurate or incomplete information.

• Request deletion of your personal information (subject to legal retention obligations).

• Object to processing where it is in our legitimate interest.

• Withdraw consent where processing is based on consent.

• Lodge a complaint with the Information Regulator (South Africa) regarding any alleged infringement.

To exercise any of these rights, please contact our Information Officer at patrick.postrehovsky@get-zazu.com

10. Information Regulator Contact Details
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Telephone: +27 (0)10 023 5200
Email: enquiries@inforegulator.org.za
Website: https://inforegulator.org.za/

11. Updates to This Notice
We review this Privacy Notice regularly. All proposed updates must be submitted to SAVA Compliance for review and approval before publication. This Notice was last updated on the date set out at the top of this document.

12. Document Scope
This Privacy Notice applies to all users of the Zazu website, mobile application, and financial services. It must be prominently displayed on the Zazu website and reviewed annually or whenever there is a material change to data processing activities, applicable law, or the SAVA compliance framework. It must be submitted to SAVA Compliance for approval prior to publication.

Zazu SA (Pty) Ltd (Reg. 2024/396003/07) is an approved co-brand partner of Sava Technologies (Pty) Ltd (Reg. 2022/301994/07), an authorised financial services provider under FSP no. 53169, and an authorised distribution partner of Access Bank South Africa Limited (Reg. 1947/025414/06), a licenced bank and authorised financial services provider under FSP 5865.