1 About this Privacy Statement and Confidentiality Commitment

This Privacy Statement and Confidentiality Commitment is made by EFTsure Africa (Pty) Ltd (Registration Number: 2018/515630/07) (EFTsure), a South African owned and operated business that provides electronic payment verification services to South African businesses.

This Privacy Statement and Confidentiality Commitment:

  • sets out how we collect, use and disclose personal information entrusted to us by our customers or otherwise collected and used by us;
  • states our commitments to each customer that entrusts us with recipient names and account numbers for verification. Our key commitments are:
    1. that EFTsure will maintain business confidentiality and will not disclose that a particular customer deals with particular persons and entities except for the purpose of conducting verification of payee details for that customer or otherwise at the request, or with express consent, of that customer,
    2. that payee names and account details are only to be used or disclosed for the purposes and in the ways described in the EFTsure Privacy Statement and Confidentiality Commitment;
  • sets out how we collect, use and disclose other personal information that we collect or that is entrusted to us.

We comply with this Privacy Statement and Confidentiality Commitment and also, in relation to ‘personal information’ about individuals as regulated by Privacy Laws, comply with Privacy Laws. Privacy Laws are the Privacy Act 1988 (C’th) including the Australian Privacy Principles (APPs) and all other Australian privacy and data protection laws, mandatory codes and other mandatory requirements.

However, most of the information that we collect, and many of the records that we use and disclose, are not personal information about individuals. We know that each customer that entrusts us with recipient names and account numbers for verification expects us not to disclose that the customer deals with particular persons or entities except for the purpose of conducting verification of payee details for that customer or otherwise at the request, or with express consent, of that customer. We accordingly undertake to customers and prospective customers that we will not and do not disclose to other persons or entities the identity of particular persons and entities with whom each of our customers deals, instead retaining, using and disclosing records of the identity of businesses with verified details and of failed verifications only for the purposes and in the ways described in this Privacy Statement and Confidentiality Commitment.

We will not modify key commitments that EFTsure will maintain business confidentiality and accordingly will not disclose that a particular customer deals with particular persons or particular entities, except for the purpose of conducting verification of payee details for that customer or otherwise at the request, or with express consent, of that customer.

We may modify or amend other provisions of this Privacy Statement and Confidentiality Commitment from time to time. We will display a notice on our website indicating when any such revisions have been made.

This Privacy Statement and Confidentiality Commitment was last updated on 02 May 2018.

The EFTsure service (the Service) means the EFTsure payee validation service as described on our Website (as may be changed or updated from time to time by EFTsure via the Website). If you are a customer or prospective customer for the EFTsure Service you should also read the EFTsure Terms. The EFTsure Terms tell you who EFTsure is and what we do, and set out other (non-privacy and confidentiality related) terms on which we will provide the EFTsure Service to customers.

2 Why does EFTsure publish this Privacy Statement and Confidentiality Commitment?

In short, our service assists customers to ensure that the correct payee receives the funds that are transferred via inter-bank electronic funds transfers.

That is the reason why:

  • we collect proposed payee names, email and other contact and account details and account numbers from our customers for checking,
  • we contact prospective payees to check the match of their name and bank account details or conduct cross-verification using records of previous verifications that we have conducted in relation to the proposed payee or by matching multiple requests made by multiple customers,
  • we retain a record of payee details that are verified, and a record of details that appear incorrect or unverifiable, for disclosure to our customer and also to any future customer making an enquiry as to the same prospective payee, and
  • we disclose to our customer and any future customer whether the details that they provided to us about a prospective payee have been verified or not.

Some of our customers make payments to the same payees on a regular basis such as the South African Revenue Service.

We seek to avoid multiple contacts of the same prospective payee confirming the same details. Upon receiving a request from a customer for verification of a prospective payee and bank account, we may conduct cross-verification using records of payee details as formerly verified by us or by matching multiple requests made by multiple customers and then disclose to our customer whether the details that they provided to us for verification match a previously verified record or not. If there is a cross-verification match in relation to a prospective payee, we may elect not to make a further verification enquiry of the prospective payee and we may then verify to our customer that the details that they provided to us appear to be correct. If there is not a cross-verification match, we will undertake the verification process described above.

Our verification process depends upon confirmation by a prospective payee of their bank account details or cross-verification as above described. If a prospective payee does not elect to confirm their bank account details, or cross-verification as above described is not possible, we cannot complete our verification process.

We retain, use and disclose records of the identity of businesses with verified account details and of failed verifications only:

  • for the purposes described above.
  • for otherwise reasonably related secondary purposes such as data analytics and other statistical analysis as to verifications, maintaining an audit trail as to verifications undertaken and the outcome of those verification enquiries, maintaining business records as required by laws, assisting our customers or banks or law enforcement agencies with investigation of any suspected fraud or other serious wrongdoing, as required by law or otherwise as required or authorised by law, including the privacy laws in South Africa.

Except as above described we will not otherwise disclose records of the identity of businesses with verified account details and of failed verifications to any third party unless:

  1. that third party is a group company of ours, in which case we will require that group company to only use and disclose such records in accordance with this Privacy Statement and Confidentiality Commitment as if a reference in this Privacy Statement and Confidentiality Commitment to us was a reference to that group company;
  2. that third party is a sub-contractor engaged to provide services to us. This may include disclosure to contractors outside of South Africa and located in countries whose privacy laws do not provide a similar or equivalent level or scope of protection of personal information as South African privacy laws. In this case we will obtain contractual commitments by these subcontractors to only use and disclose such records for the purposes of providing services to us in accordance with this Privacy Statement and Confidentiality Commitment.

We will not use any personal information about an individual for a secondary purpose unless:

  1. for the purposes described above;
  2. an individual would reasonably expect that we would use or disclose the personal information for that secondary purpose and that purpose is related to the primary purposes for which it was given to us;
  3. that individual has consented to the use of that personal information for the secondary purpose; or
  4. the secondary use or purpose is required or permitted under law, such as in connection with the sale of some or all of our business or assets, or the disclosure is authorised by the privacy laws including to lessen or prevent a serious threat to life or health, to protect the personal safety of the public, if authorised or required by law, if we have reason to suspect that unlawful activity has been, is being or may be engaged in, to enforce the law or where necessary to investigate a suspected unlawful activity, or if we have told an individual that personal information about that individual is usually used or disclosed to third parties in this way.

3 What is personal information?

In terms of POPI, personal information is information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including but not limited to:

  1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  2. information relating to the education or the medical, financial, criminal or employment history of the person;
  3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  4. the biometric information of the person;
  5. the personal opinions, views or preferences of the person;
  6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  7. the views or opinions of another individual about the person; and
  8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Personal information may be either collected directly by us or provided (disclosed) to us by someone else and shall be in line with South Africa’s privacy laws.

There is a type of personal information called ‘special personal information’ that is subject to more stringent obligations. Special personal information includes information about an individual's health (including predictive genetic information), racial or ethnic origin, political opinions, membership of a political association, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, biometric information that is to be used for certain purposes and biometric templates. We do not knowingly collect, hold or use special personal information.

4 Collection and use of personal information by us

  1. The EFTsure service is provided to assist customers in ensuring that their payments will go to the correct payee and prospective payees that payments due to them will be properly credited to their nominated account. EFTsure considers that this is a use of payee information reasonably within the contemplation of prospective payees. As service provider to our customers, we rely upon each customer that entrusts us with proposed payee names and account numbers and other data, including personal information, to provide any notices and obtain any consents as may be required or desirable to enable the customer to disclose that data, including personal information, to us, so that we may provide the EFTsure service in accordance with this Privacy Statement and Confidentiality Commitment and with Privacy Laws.
  2. The customer hereby warrants that they are authorized to disclose the personal information provided by the customer to EFTsure for the purposes detailed in this Privacy Statement. The customer hereby indemnifies EFTsure against any and all claims, judgements, costs (including the legal costs for defending such claims), liability or any other harm that EFTsure may suffer as a result of or in relation to the disclosure of any personal information (including in relation to third parties) to EFTsure.
  3. If you wish to verify how, when and why any business with whom you interact or otherwise deal collects personal information about you or then uses or discloses that personal information to anyone else, you should first check the privacy statement of that business (usually available at their website and labelled privacy policy, privacy statement or something similar) and any privacy notice or other terms associated with a particular product or service that you may consider acquiring or acquire from that business.

5 Direct marketing

We will comply with POPI, the Consumer Protection Act 68 of 2008 (“CPA”) and ECTA (where applicable), in relation to any direct promotional marketing of our services by us, including:

  1. allowing an individual to opt out of receiving any further direct promotional marketing from us; and
  2. in each written communication from us, setting out our business address, telephone number and, if the communication with that individual is made by fax, telex or other electronic means, a number or address at which we can be directly contacted electronically.

Where we use personal information for the purposes of business to business direct promotional marketing, we rely on the exception in the Privacy Act to do so.

6 Cookies

  1. A cookie is a small file containing information specific to a user, passed through an internet protocol such as a web browser and stored on a device.
  2. We use cookies and other technology to track access to, and use of, our website. The information gathered is not personally identifiable and is used to improve our website.
  3. We may also be provided with cookies data, anonymous identifier data, device information, log information and other information, if provided by ad serving services or advertising networks and relating to use by other persons of third-party websites serviced by those ad serving services or advertising networks. Many browsers and internet access devices are set by default to accept cookies. However, if you do not wish to receive any cookies you may set your browser or configure your internet access device to either prompt you whether you wish to accept cookies on a particular site, or by default reject cookies. Please note that rejecting cookies may mean that some or all of the features and functionality of particular websites or internet services will not be available to you.

7 Quality, access and correction of personal information

  1. Where we collect personal information from an individual directly, we take steps to ensure that the personal information we collect, use and disclose is accurate, up to date and complete. These steps include maintaining and updating any personal information when we are advised by an individual that their information has changed.
  2. Where we collect personal information about an individual from a third party, we rely on that third party to ensure that information it collects is accurate, up to date and complete, subject however to the verification procedures which are at the core of the EFTsure service as above described.
  3. An individual may request access to personal information about that individual that is held by us. Subject to any permitted exception under the Privacy Laws, we shall give that individual access to that personal information.
  4. If an individual notifies us that the information we hold about them is not accurate, we will take reasonable steps to correct that information. To the extent that we have received any personal information indirectly (for example, from a business for which we act as sub-contractor), we may notify that business that it has received a request from an individual to access or correct the personal information it has provided to us.
  5. If you require access to your personal information, please contact www.EFTsure.co.za. Before we provide you with access to your personal information we will require some proof of identity.
  6. For most requests, your information will be provided free of charge, however, we may charge a reasonable fee if your request requires a substantial effort on our part.
  7. If we refuse to provide you with access to the information, we will provide you with reasons for the refusal and inform you of any exceptions relied upon under the privacy laws of South Africa.
  8. We take reasonable steps to ensure that your personal information is accurate, complete, and up-to-date whenever we collect or use it. If the personal information we hold about you is inaccurate, incomplete, irrelevant or out-of-date, please contact us and we will take reasonable steps to either correct this information, or if necessary, discuss alternative action with you.

8 Retention of personal information

We retain personal information after we have used the personal information for the purposes for which we collected or received it.

If we retain such personal information, it will only be used for the following purposes:

  1. as required by or under South African law, or a court / tribunal order;
  2. we require the record for lawful purposes related to our Services;
  3. as required for professional indemnity insurance or as otherwise required by the customer; and
  4. in accordance with our back-up archive policy.

When no longer required, EFTsure uses its reasonable endeavours to ensure that all such information will be destroyed in a secure manner and in a reasonable time frame.

9 How we hold and secure your personal information

The security of your personal information is important to us.

We take appropriate industry recognised steps to prevent the personal information we hold about you from misuse, interference or loss, and from unauthorised access, modification or disclosure. This includes the use of technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of your personal information.

10 International Transfers

We store all personal information on secure servers in South Africa as well as the United Kingdom and the European Union.

The Services are mainly provided from our offices in South Africa.

EFTsure uses third-party service providers (such as managed hosting providers, card processors, CRM systems and technology partners) to provide the necessary software, networking, infrastructure and other services that we use to operate the Services. These third-party providers may process, or store, personal information on servers outside of the EU, including in the US.

By using any of the Services or submitting any personal information to us, you authorise EFTsure and its authorised service partners to use, store and process any personal information in these territories.

11 Links to other websites

Sometimes our website contains links to other websites. When you access a website other than our website, we are not responsible for the privacy practices of that site. We recommend that you review the privacy policies of each website you visit.

12 How to contact us

  1. If an individual:
    1. would like to access or inquire about any personal information we hold about that individual;
    2. has a query in relation to this Privacy Statement; or
    3. would like to make a complaint about our handling of an individual’s personal information,

    please contact us using the details below.

    A:     Rosebank Link, 173 Oxford Rd
             Rosebank, Johannesburg, South Africa, 2196

    E:     support@eftsure.co.za

    T:     +27 (0)87-149-1751

  2. If you wish to make a complaint about an alleged breach of the Privacy Laws, we ask that you send us your complaint in writing to the email address listed above. We endeavour to respond to complaints within a reasonable period (usually 30 days). If you are not satisfied with our response, you may make a complaint to the Information Regulator (South Africa) by phoning +27 (0)12 406 4818 or by email at inforeg@justice.gov.za.