Privacy Policy (South Africa)

Yellow Card (referred to as "Yellow Card," "we," "us," or "our") is committed to protecting the privacy and confidentiality of the personal information of our users, including individuals and businesses. This Privacy Policy outlines how we collect, use, store, share, and protect your information when you access or use the Yellow Card Site (www.yellowcard.io), our mobile applications, any Yellow Card API (directly or through third-party applications), or any Yellow Card product or service (collectively, "Yellow Card Services") within South Africa.

This Privacy Policy forms an integral part of the relevant Yellow Card User Agreement that applies to you. Terms defined in the User Agreement apply equally herein unless otherwise indicated.

1. Information about the Responsible Party

For users of the Yellow Card Services operated in South Africa under the domain www.yellowcard.io (the "Service" or "Website"), the "responsible party" – meaning the entity determining the purpose and means of processing personal information – is Yellow Card Financial South Africa (Pty) Ltd. Their registered office is at 32 Barnett Street, Dunkley House, Gardens, Cape Town, 8001, South Africa.

A "User" is understood to be any natural person using the Service. For B2B clients, while the primary User is a natural person interacting with the Service, we also process personal information related to the legal entity they represent and its authorized individuals.

2. Information Officer

In compliance with the Protection of Personal Information Act (POPIA), we have registered our appointed Information Officer and/or Deputy Information Officer with the South African Information Regulator.

Users may contact the Information Officer regarding the protection of their personal information by e-mail to: [email protected]. This contact serves as the primary point for fulfilling obligations under POPIA.

3. Purposes and Legal Basis for Processing Personal Information

We process Users' personal information for the following purposes, relying on the lawful conditions for processing personal information as stipulated under the POPIA, Act 4 of 2013:

• Account Setup and Maintenance: To allow you to set up and for us to maintain a Customer Account ("Account") in the Service.
  - Legal Basis: Processing is necessary for the proper performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (POPIA, Section 11(1)(b)). This aligns with the necessity for the conclusion and performance of the agreement for maintaining the Account.
• Provision of Core Services: To enable us to provide you with services via the Service, including Virtual Currency Exchange and Cryptocurrency Wallet services.
  - Legal Basis: Processing is necessary for the proper performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (POPIA, Section 11(1)(b)). This aligns with the necessity of processing to provide the aforementioned services to the User.
• Customer Identification and AML/CFT Compliance: For the purpose of customer identification in performance of our obligation under the Financial Intelligence Centre Act (FICA), 2001, and other relevant South African Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) laws and regulations. This also extends to B2B clients, where identification of the business entity and its beneficial owners/authorized persons is required.
  - Legal Basis: Processing is necessary for compliance with an obligation imposed by law on the responsible party (POPIA, Section 11(1)(c)). This aligns with the necessity of processing for the fulfillment of a legal obligation incumbent on the Responsible Party.
• Service Analytics and IT Security: For keeping statistics on the use of individual functionalities, facilitating Service use, and ensuring IT security. Personal information processed for this purpose includes User activity in the Service, time spent on subpages, search history, location, IP address, device ID, Internet browser data, and operating system.
  - Legal Basis: Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied (POPIA, Section 11(1)(f)). This aligns with our legitimate interest in improving our services and ensuring their security.
• Marketing of Services: For marketing purposes, processing personal information provided during Account creation/update, and data on User activity recorded via cookies.
  - Legal Basis: For direct marketing by electronic communication, we will only process your personal information if you have given your consent, or if you are a customer and we are marketing similar products or services, and you have not objected to such use (POPIA, Section 69). This aligns with your consent or our legitimate interest in direct marketing.
• Claims Management: To determine, assert, and enforce possible claims of the Responsible Party and to defend against possible claims of the User in court and out-of-court proceedings. This may involve personal information provided during Account creation and other data necessary for proving the claim or required by law.
  - Legal Basis: Processing is necessary for pursuing the legitimate interests of the responsible party (POPIA, Section 11(1)(f)). This aligns with our legitimate interest in protecting our legal rights.
• AI Processing, Model Training, and CRM: To improve and develop our services, enhance security measures (e.g., fraud detection), and enhance our Customer Relationship Management (CRM) by using artificial intelligence (AI) and machine learning technologies. 
  - Legal Basis: Processing is necessary for pursuing the legitimate interests of the responsible party (POPIA, Section 11(1)(d)). Where specific processing involves sensitive personal information or poses a higher risk, we will seek your consent (POPIA, Section 11(1)(a)).

Withdrawal of Consent: If processing is based on your consent (POPIA, Section 11(1)(a)), you have the right to withdraw your consent at any time. This withdrawal does not affect the lawfulness of processing carried out based on consent before its withdrawal. You can withdraw consent by sending a declaration (e.g., via email) to the Information Officer.

4. Recipients of Personal Information

Personal information may be disclosed or entrusted by the Responsible Party to the following categories of recipients:

• Regulatory Authorities: We may disclose personal information to the Financial Intelligence Centre (FIC) and other relevant regulatory bodies as required by South African AML/CFT laws and regulations.
• Third-Party Service Providers: Entities providing ongoing services to us, such as legal, accounting, IT services, cloud storage, payment processing, marketing, and identity verification services. We ensure that such third-party operators comply with POPIA's conditions for lawful processing and enter into appropriate written agreements.
• AI Processing and CRM Service Providers: We may share personal information with third-party service providers who assist us with AI processing, model training, and CRM functionalities to support the purposes outlined in Section 3. These providers are carefully selected and contractually bound to process data only according to our instructions and to implement appropriate security measures.
• Authorized Public Authorities: In situations where such an obligation clearly results from a demand of an authorized public authority or from applicable provisions of generally applicable law.
• Yellow Card Group Companies: Personal information may be transferred to the extent necessary to other companies within the Yellow Card group.
• Other Lawful Disclosures: We may share your information with third-party fraud prevention and identity verification service providers to prevent fraud and confirm validity against public records. These providers may retain and use your information solely for identity verification and fraud prevention services for Yellow Card and to improve their own services. We also engage service providers for marketing purposes (with your consent) and third-party advertising agencies. In the event of a merger, acquisition, or purchase of assets, the acquiring company will have access to your information and will be required to follow this Privacy Policy.

The Responsible Party ensures that entities to whom Users' personal information is entrusted guarantee a high level of data protection and that appropriate contracts are signed where required, in line with POPIA's requirements for operators.

5. Trans-border Flow of Personal Information

We may transfer your personal information to countries outside of South Africa. We will only transfer your personal information to a third party who is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that effectively upholds the principles for sound processing of the information as referred to in POPIA, or if the transfer is necessary for:

• The performance of a contract between you and Yellow Card.
• The implementation of pre-contractual measures taken in response to your request.
• The conclusion or performance of a contract concluded in your interest between Yellow Card and a third party.
• Your benefit, where Yellow Card receives your consent to that transfer.
• The exercise or defence of a right or obligation in terms of law.

This ensures compliance with POPIA Section 72 on trans-border information flow.

6. Retention of Personal Information

We retain your personal information for specific periods based on legal obligations and business needs:

• Account-related Data: Personal information processed for setting up and maintaining your Account is stored for the period of Account maintenance, i.e., until it is deleted by you.
• Service Provision Data: Personal information processed to provide the services mentioned in Section 3, item 2 of this Privacy Policy, shall be stored for a period of 5 years, counting from the date of termination of the business relationship or from the date of execution of an occasional transaction, in accordance with applicable South African AML/CFT regulations (e.g., FICA) and POPIA's principles of data retention (POPIA, Section 14).
• Cookie Data: Personal information from cookies stored on your terminal device will be stored for a period corresponding to the life cycle of the cookies or until they are deleted from the device by you.
• Marketing Data: Personal information processed for sending marketing content (including newsletters) will be stored until you withdraw your consent to receive it or object to such processing.
• Claims-related Data: If the storage of personal information proves necessary to assert or defend a claim to which we are entitled or against us, your personal information may be stored until the relevant court proceeding is finally ended and the decision is enforced.

Yellow Card will not retain your personal information for a period longer than is necessary to achieve the purpose for which it was collected or subsequently processed, unless required or permitted by law.

7. Your Rights as a Data Subject (Individual)

As a User, you have the following rights regarding the processing of your personal information, as provided under the Protection of Personal Information Act (POPIA):

• A. Right to Be Notified:
  - That personal information about you is being collected (POPIA, Section 18).
  - Of any security compromise affecting your personal information (POPIA, Section 22).
• B. Right of Access to Personal Information: You have the right to request from us, free of charge, confirmation as to whether or not we hold personal information about you and, if we do, to request a copy of that information (POPIA, Section 23).
• C. Right to Request Correction, Destruction, or Deletion of Personal Information: You may request us to:
  - Correct or delete personal information about you that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (POPIA, Section 24(1)).
  - Destroy or delete personal information about you that we are no longer authorised to retain (POPIA, Section 24(1)).
• D. Right to Object to Processing of Personal Information: You have the right to object, on reasonable grounds, to the processing of your personal information, unless legislation provides for such processing (POPIA, Section 11(3)). 
• E. Right to Object to Processing for Direct Marketing: You have the right to object to the processing of your personal information for purposes of direct marketing by means of unsolicited electronic communications (POPIA, Section 69(3)).
• F. Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision which is based solely on automated processing of your personal information intended to provide a profile of you, and which produces legal effects concerning you or significantly affects you (POPIA, Section 71).
• G. Right to Lodge a Complaint with the Information Regulator: If you believe that your personal information has been unlawfully processed, you have the right to lodge a complaint with the Information Regulator of South Africa.
  - Contact Details for the Information Regulator:
  - Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
  - Postal Address: P.O Box 31533, Braamfontein, Johannesburg, 2017
  - Website: https://inforegulator.org.za/ 
  - Email: [email protected].

8. Promotion of Access to Information Act (PAIA) Manual

In compliance with the Promotion of Access to Information Act (PAIA), we have published a PAIA Manual on our website. This manual is a guide to assist you in exercising your right to access information held by our company. The manual outlines the types of information we hold, explains the procedure for making a request, and provides the necessary forms.

Exercising Your PAIA Right of Access: To request access to personal information we hold about you under PAIA, please use our dedicated Data Subject Access Request (DSAR) form. This form is available on the Yellow Card website. By submitting this form, you can formally exercise your right to access information in a structured and efficient manner.

9. Voluntariness of Providing Personal Information

Providing personal information by you is always voluntary. However, it is necessary to contact us through the contact form, and to conclude and perform the contract between you and us, and to serve you as our customer. If you do not provide the necessary personal information, it will not be possible to contact us for contractual purposes or to receive services.

10. Automated Decision-Making and Profiling

Your personal information concerning preferences, behavior, and choice of marketing content may be used as the basis for making automated decisions in order to determine the sales opportunities of the Service. As per POPIA Section 71, if such automated decision-making produces legal effects concerning you or significantly affects you, you have the right to request human intervention, express your point of view, and contest the decision. You also have the right to object to such processing as outlined in Section 7(F).

11. Information Collected Automatically Upon Entering the Website (Cookie Files)

We inform you that while using the Website, short text information called "cookies" are stored in your end device. Cookie files contain IT data such as: your IP address, name of the website they come from, time of their storage on your end device, recording of parameters and statistics, and a unique number. Cookies are sent to the Service server through a web browser installed in your end device.

Cookies are used on the Website to:

• Maintain technical correctness and continuity of the session between the Service server and your device.
• Optimize use of the Website by you and adjust its display on your end device.
• Ensure safety of use of the Service.
• Gather statistics on visits to websites of the Service, supporting improvement of their structure and content.
• Display on your terminal equipment advertising content optimally adapted to your preferences.

The Service uses two types of "cookies": "session" and "permanent".

• "Session" cookies are files subject to automatic removal from your device after logging out, leaving the websites, or switching off the web browser.
• "Permanent" cookies are stored in your terminal equipment for the time specified in the parameters of files "cookies" or until their removal by you. "Permanent" "cookies" are installed in your terminal equipment only with your consent.

Cookie Management:

• Internet browsers by default accept the installation of "cookies".
• You may at any time change the settings concerning "cookies" in your Internet browser so that the browser automatically blocks the use of "cookies" or informs you of their placement in your terminal equipment each time.
• Detailed information on the possibility and methods of using cookies is available in the settings of your Internet browser.
• Restricting the use of cookies by you may adversely affect the correctness and continuity of the provision of Services on the Website.
• Cookies installed in your end device may be used by advertisers or business partners cooperating with the Responsible Party.
• Cookies may be considered personal information only in connection with other identifying data provided to the Responsible Party by the User while using the Service.
• Only the Responsible Party has access to cookies processed by the Website's server.
• If you do not agree to save and receive information in cookies, you can change the rules regarding cookies by means of the settings of your Internet browser.

12. Security of Personal Information

We are committed to protecting the integrity and confidentiality of your personal information by taking appropriate, reasonable technical and organizational measures to prevent loss of, damage to or unauthorized destruction of personal information; and unlawful access to or processing of personal information (POPIA, Section 19). These measures include limiting access to your information to employees with only information they need to know to reduce the risks of alteration, disclosure, loss, misuse, and unauthorized access. All our procedural safeguards are designed to comply with generally accepted standards and POPIA.

13. Changes to the Privacy Policy

If it is necessary to update the information contained in this Privacy Policy or if it is necessary to ensure its compliance with the applicable laws or technological conditions of the functioning of the Website, this Privacy Policy may be amended. Users will be informed of any changes to the Privacy Policy through a notice displayed on the Website.

14. Contact Us

Contact with the Responsible Party is possible via e-mail at the address: [email protected] or through our Support Page with any questions or concerns regarding this Privacy Policy.