As it relates to the Processing activities associated with the VodaPay application itself (in other words, the processing activities associated with the VodaPay digital wallet, the digital merchant marketplace and / or the offerings within the VodaPay itself), VPS is the Responsible Party in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

For the avoidance of doubt, each mini-application within VodaPay (excluding the My Vodacom mini-application) is managed and / or operated by the respective merchant and / or mini-application provider listed therein. While VPS and the respective merchant and / or mini-application provider have engaged to offer exclusive offerings within the VodaPay marketplace, each respective merchant and / or mini-application provider is an Independent Responsible Party in their own right, who will manage their own mini-application in VodaPay in accordance with their respective privacy policies and / or terms and conditions. 

Your opinion matters to us – if you have any questions about this privacy supplement, you can email us at: [email protected] or you can write to our privacy team at:

The Information Officer – Mr Ricardo Platt
Vodacom Payment Services (Pty) Ltd
Vodacom Corporate Park
082 Vodacom Boulevard
Midrand
1685

Information we collect about you

• VPS will collect personal information when you register on the VPS Platforms. The personal information collected will include; cell phone number, e-mail and PIN. This will enable VPS to recognise you during subsequent visits.
• You can load your bank card on the VPS Platforms. Bank card details such as card holder’s name, card number, expiry date and CVV will be collected should you elect the option of making payment with your bank card.
• VPS will collect additional personal information when you register for a Wallet on the VPS Platforms. The personal information collected may include; identification number, business registration number, nature of business, occupation address and source of funds.
• VPS Platforms facilitate transactions between you and the third party that is selling goods or services on the VPS Platforms (“Third Party Merchants”). When you purchase goods and services from a Third Party Merchant additional personal information may be requested to fulfil the service.
• VPS Platforms will also collect personal information from third-party information sources to fulfil its obligations to comply with the Financial Intelligence Centre Act No 38 of 2001 as amended (“FICA”) should you register for a Wallet, this will be for customer identification and verification purposes required under FICA. VPS may, from time to time, also collect and / or process additional personal information as may be required under law and / or for purposes of Anti-Money Laundering or Terrorist Financing (“AML or TF”) monitoring / prevention activities.
• We collect personal information when you first download the VodaPay app and set up your profile.
• We also collect anonymous analytics information on how customers use the VodaPay app in order to improve the VodaPay app and troubleshoot. We use a variety of analytics methods including what is commonly referred to as “Big data analytics”. Big data analytics are mathematically driven analysis techniques on large and varied data sets (that is why it is “big” data) to uncover hidden patterns and hitherto unrevealed trends. At VPS we take governance of big data analytics seriously. Our data scientists are required to adhere to a Code of Ethics. We have a strict use case process that requires that privacy and data protection law checks are carried out before any use case commences. We also have strict rules ensuring that personal information is protected at the appropriate stage in the process.
• We use our analytics to, for example:
• Conduct market research and to carry out research and statistical analysis, including to monitor how customers use our networks, products and services; and
• Frame our marketing campaigns and determine how we might personalise those.

VPS processes and discloses your personal information for specific and limited purposes. These include:

• Processing bank card details to facilitate payments of goods and services purchased on the VPS Platforms.
• Processing of Wallet details to facilitate purchases of goods and services on the VPS Platforms, deposit and withdrawals into and out the Wallet and domestic remittances from the Wallet.
• Processing of personal information to assess and handle any customer queries, to develop and improve our products, services, communication methods and the functionality of VPS Platforms.
• Processing of personal information to ensure FICA, AML / TF obligations are met by VPS or its partners / third parties.
• As our customer, we will contact you to keep you informed about new and existing products and services, competitions, prize draws and other promotions and we may use your personal information to run those competitions, prize draw, events and promotions, only to the extent that you have not, at any stage, objected to receiving such marketing communications. Please note that you will be provided with an opportunity to Opt-In / Out of marketing communications from VPS upon registering for the VodaPay app. Furthermore, you may, at any stage, alter or update your marketing preferences (including Opting In or Out of any marketing communications) within the ‘profile’ section of the VodaPay app under the ‘notification settings’ tab.
• We may send you marketing of all products or services provided within the VodaPay app unless you have opted out during the registration phase and / or at anytime subsequent thereto.
• If you have given your permission, we will also contact you to let you know about products and services of Vodacom Group companies including Vodacom, Vodacom Insurance Company Limited and Vodacom Life Assurance Company Limited products and services and those of other companies which we think may interest you.
• You can control your marketing permissions at any time within the VodaPay app or via the applicable channel where you receive same.
• Processing of personal information to create unique personalised in-app offers based on your VodaPay app activity.
• Disclosure of personal information to Bidvest Bank for the purposes of registering a Wallet and facilitating transactions in and out of the Wallet.
• Disclosure of your VodaPay profile personal information to Third Party Merchants to facilitate the purchase of goods and service on the VPS Platforms.
• Disclosure of personal information to Vodacom (Pty) Ltd (“Vodacom”), Vodacom Insurance Company Limited and Vodacom Life Assurance Company Limited to facilitate the purchase of Vodacom, Vodacom Insurance Company Limited and Vodacom Life Assurance Company Limited goods and services on the VPS Platforms.
• Disclosure of personal information to Vodacom for purposes of offering you coupons, VodaBucks or personalized discounts at no cost to you for your activity on VPS Platforms.
• VPS may, where permissible, share your personal information within the Vodacom Group, which includes, Vodacom (Pty) Ltd, Vodacom Life Assurance Company Ltd and Vodacom Insurance Company Ltd for the purposes of providing you with customized products, and unique experiences.

VPS may also transfer and disclose your personal information to third parties who may process information on our behalf:

• To comply with a legal obligation;
• When we believe in good faith that applicable law requires it;
• At the request of governmental authorities conducting an investigation;
• To verify or enforce our “Terms of Use” or other applicable policies;
• To detect and protect against fraud, or any technical or security vulnerabilities;
• To respond to an emergency; or otherwise; and
• To protect the rights, property, safety, or security of third parties and VPS.

Cross Border Transfers of Personal Information:

VPS does, in certain limited instances, transfer personal information across the borders of South Africa, including but not limited to third parties in countries in the European Union, Singapore, United Kingdom, India, and / or other countries as may be required from time to time, including countries where Vodafone and Vodacom group companies are registered. At each instance where a cross border transfer is contemplated, the processing activities thereunder will be verified for a specific and defined purpose The defined purposes include the i) achievement of its business functions, ii) provision of products and services that the customer has requested, iii) hosting or storage of some of its systems and infrastructure, iv) data warehousing activities and for the v) provision of centralised business activities within the Vodafone and Vodacom group of companies such as where we share technology and resources or AML / TF reporting / assurance obligations.

Vodacom will only engage in the cross-border transfer of information if one of the following conditions are met and the transfer has been assessed and approved by the Information Officer:

• The recipient is subject to existing legislation in his /her/it’s country, a binding corporate or binding agreement that provides an adequate level of protection for the Personal Information that is substantially similar to the data protection laws applicable to South Africa:
• The data subject has consented to such cross-border transfer;
• The transfer is necessary for the conclusion and/or performance of a contract between VPS and the data subject;
• The transfer is necessary for the conclusion or performance of a contract entered into, in the interest of the data subject, between VPS and the relevant Vodacom Group company or the authorised third party;
• The transfer is to the benefit of the data subject and must take place in circumstances under which it is not reasonably possible to obtain the data subject’s consent and if it were reasonably possible to obtain such consent, the data subject would be likely to give it.

The processing of personal information in a foreign jurisdiction may be subject to the laws of the country in which it is held, and may be subject to disclosure to the Governments, Courts of law, Enforcement or Regulatory Agencies of such other country, pursuant to the laws of such country. As a measure, VPS conducts Transfer Impact Assessments to assess the legislative framework that governs disclosures of information in jurisdictions where information is transferred and implements security and contractual measures to limit the risk exposure. However, where such disclosures are required, VPS will ensure the adequate protection of your personal information.

• VPS takes the security of your personal information very seriously. VPS takes every effort to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure.
• Our measures include implementing technology, policies and processes aimed at protecting the confidentiality, integrity and availability of your personal information. We will update and refine these measures on an ongoing basis.
• Where relevant, VPS will ensure that its third parties maintain Payment Card Industry (“PCI”) compliance. As such VPS is responsible for securely storing, processing and transmitting bank card data to the PCI compliance standards. VPS will at no point share or transmit your card details in clear text between systems. The card data will always be encrypted.
• You agree not to give or make available your means to access VPS to any unauthorised individuals. You are responsible for all transactions you authorise using the Wallet. If you permit other persons to use the Wallet you are responsible for any transactions they authorise. VPS will not be liable for any claims where payments were made by unauthorised persons using your cellphone or credentials online. 
• Access to your personal information is only permitted among our employees and agents on a need-to-know basis and subject to strict contractual confidentiality obligations when processed by third parties.

We may not retain your personal information any longer than is necessary for achieving the purpose for which your personal information was collected or subsequently processed. For example, where you make a purchase on the VodaPay app with us we will keep the data related to your purchase, so we can perform the specific contract you have entered and after that, we will keep the personal information for a period which enables us to handle or respond to any complaints, queries or concerns relating to the purchase, unless:

• The retention of your personal information is required or authorised by law.
• We reasonably require your personal information for lawful purpose related to our function or activities.
• The retention of your personal information is required by a contract that we enter into with you.
• You or competent person consent to the retention of personal information relating to a child.

VPS will retain your payment records for a period of 5 years as required by law. After the 5 year period, your transaction data will be deleted from the live system.

VPS may also retain your personal information for the following reasons:

• Your personal information may also be retained so that we can continue to improve your experience with us and to ensure that you receive any loyalty rewards which are due to you.
• We retain the personal information we collect directly for targeting purposes for as little time as possible, after which we employ measures to permanently delete it.
• We will actively review the personal information we hold and delete it securely, or in some cases anonymise it when there is no longer a legal, business or consumer need for it to be retained.

We have specialised security teams who constantly review, improve, and ensure the implementation of appropriate, reasonable technical and organisational measures to protect your personal information from unauthorised access, accidental loss, disclosure, or destruction.  We are required in terms of POPIA to notify you and the Information Regulator, if any of your personal information has been compromised.

Communications over the internet (such as emails) aren’t secure unless they’ve been encrypted. Your communications may go through a number of countries before being delivered, as this is the nature of the internet.

We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.

We’ll never ask for your secure personal or account information by an unsolicited means of communication. You’re responsible for keeping your personal and account information secure and not sharing it with others.

Our website may provide links to third-party websites. We cannot be responsible for the security and content of such third-party websites. You are therefore required to make sure you read that company’s privacy and cookies policies before using or putting your personal information on their site.

The same applies to any third-party websites or content you connect to using our products and services.

You may choose to disclose your information in certain ways such as social plug-ins (including those offered by Google, Facebook, Twitter and Pinterest) or using third-party services that allow you to post reviews or other information publicly, and a third party could use that information.

Social plug-ins and social applications are operated by the social network themselves and are subject to their own terms of use and privacy and cookies policies. You should make sure you’re familiar with these.

At VPS, we are committed to processing personal information honestly, ethically, with integrity, and always consistent with applicable laws and our values. Below we set out details on how you can exercise your rights. Please note, under certain circumstances these rights may be limited if we still have lawful grounds to process your personal information. If you have a question or cannot find the answer, please access the in-app Chat Bot from the VodaPay app homepage.

Rights related to automated decision-making

VPS may process your personal information using automated means. An automated decision is a decision that is made solely by automatic means, where no humans are involved in the decision-making process related to your personal information. Automated processing in the VodaPay app is conducted to comply with FICA, conduct fraud and risk control checks.

Rights related to direct marketing

VPS strives to ensure that your direct marketing preferences / permissions are accurately captured and actioned when needed. As such, VPS will ensure that you are provided with an opportunity to Opt-In / Out of marketing communications from VPS upon registering for the VodaPay app. Furthermore, you may, at any stage, also alter or update your marketing preferences (including Opting In or Out of any marketing communications) within the ‘profile’ section of the VodaPay app under the ‘notification settings’ tab.  We will remind you of this process at each instance of sending a marketing communication as it relates to VodaPay. Where technical or security measures permit, we will further strive to ensure that you are capable of opting out of future direct marketing communications via the channel in which you have received same. We do, however, encourage you to manage your preferences via the app at any stage you see fit.

If you become aware that any of the information we keep about you is incorrect or outdated, you can log into the VodaPay app to edit your personal details.

VPS will allow you access to update your stored personal information in the VodaPay app. You may add, delete and/or edit stored card data. You may also be able to change your email address and PIN. You may amend personal information such as address, occupation and source of funds if you have elected to register for a Wallet. 

You have the right to request a record or description of personal information that we hold about you. This includes the right to request VPS to confirm, free of charge, whether or not it holds any personal information about you; as well as information about the categories of third parties who have, or have had, access to your personal information. To make this request please contact our Customer Services team at 082 135 or [email protected].

You have the right, in certain circumstances, to object to VPS processing your personal information. In order for VPS to provide you with products and services, VPS is required to process your personal information which is necessary for the conclusion or performance of a contract and to give effect to you signing up to the VodaPay app and as such the provision of your personal information is mandatory and you may not object to same in order to continue using the VodaPay app.

Under certain circumstances, you have the right to object to certain types of processing, including processing for direct marketing (i.e., receiving emails or SMS from us notifying you or being contacted with varying potential opportunities). If you no longer want to receive marketing messages from us, you can choose to opt out at any time within the VodaPay app.

If you want to contact us about any of your rights or should you believe that VPS has used your personal information contrary to applicable law, you undertake to first attempt to resolve any concerns with our Customer Services team at 082 135 or [email protected]. Kindly lodge your complaint by accessing the in-app Chat Bot from the VodaPay app homepage. We will do our best to help but if you are still unhappy, you can contact the Privacy Office at [email protected].  If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator at:

The Information Regulator (South Africa)
JD House
27 Stiemens Street
Braamfontein
Johannesburg
2001

Email: [email protected]

If you feel that the personal information we hold on you is inaccurate, please update your personal information in the VodaPay app, or you believe we shouldn’t be processing your personal information, please contact our Customer Services team at 082 135 or [email protected]. In certain circumstances, for example where you contest the accuracy of your information, or where VPS no longer requires your information for achieving its purpose but must maintain it for purposes of proof, you have the right to ask us to restrict processing.

VPS strives to only process and retain your personal information for as long as we need to. In certain circumstances, for example, where you indicate that your personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully, you have the right to request that we erase your personal information that we hold. If you feel that we are retaining your personal information longer than we need, it is worth first checking that your contract with us has been terminated, which you can do with Customer Services. If your contract with us has been terminated, we may still have lawful grounds to process your personal information.

• VPS will update this privacy supplement when necessary to reflect customer feedback and changes in our products and services.
• VPS will update this privacy supplement when necessary to reflect customer feedback and changes in our products and services. If the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of privacy supplement changes).
• VPS will not reduce your rights under this privacy supplement.