Privacy Policy
18 Mar 2025
Introduction
The Protection of Personal Information Act 4 of 2013 ("the Act") serves the purpose of giving effect to the constitutional right to privacy by ensuring information is processed responsibly to prevent security breaches, theft, and discrimination. At TOSA PAY, we value your trust and endeavour to uphold the provisions of the Act for your protection and peace of mind. The Act sets out requirements for the processing of personal information, which TOSA PAY in this policy echoes. This policy will give you insight into how TOSA PAY processes and protects the personal information you provide us with through your various interactions with us.
Our Commitment
We are committed to taking steps to protect your privacy when you use our website (https://www.tosapay.com) or use our App ( “Tosa Pay App”) and implementing business practices that comply with all relevant legislation, including the Protection of Personal Information Act 4 of 2013 ("POPIA") and the EU General Data Protection Regulation (“GDPR"). In this policy, we explain how we will use and protect your personal information.
What is personal information and what personal information do we collect about you?
According to the Act, 'personal information' means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
We generally collect, store and use the following information: your first name(s), surname, address, phone numbers, e-mail address, IP address or cookie information, location information, demographic information including your age and gender, health-related information, information from your browser including your hardware model, operating system version, unique device identifiers and any other information which we reasonably need to perform our obligations in terms of the agreement with you when you purchase or use our services. When you use our services, we also record the details of your transactions.
What will we use your personal information for?
We will only process adequate and relevant information to:
Provide services set out in our agreement with you;
Operate and manage your merchant account;
Monitor and analyse our business;
Contact you by email, SMS, or other means to tell you about our products and services (you can always opt out from future marketing);
Form a view of you as an individual and to identify, develop or improve products that may interest you;
Carry out market research, business and statistical analysis;
Carry out audits;
Perform other administrative and operational tasks like testing our processes and systems;
Comply with our regulatory or other obligations; and
To enable our service providers to provide services to us to enable us to provide our services to you.
The information you provide is used for:
The purpose of contracting with you in general;
Enabling you to accept payments securely, in compliance with applicable Regulations;
Using our POS solutions;
Using other products and services we may offer to you;
Responding to your requests for certain information, products or services;
Customising the content you see;
Communicating with you about new offers;
Internal reporting and development; and any other purpose for which you give your permission, or where we are otherwise permitted or required in terms of the law to use such personal information, or for some purpose in the public interest.
Please note that:
We sometimes put all our data (yours and data from other users) together. This type of aggregate data enables us to figure out how often users access our services so that we can make Tosa Pay more appealing and improve our services. We share this type of statistical data so that our partners also understand how often people use their services and ours, so that they, too, may provide you with an optimal experience.
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason. We may process your personal information without your knowledge or consent in compliance with the Act, where this is required or permitted by law.
Moreover, note that when we consider your application for our services, we will perform criminal and credit checks on you that may leave a trace.
Our service providers on our behalf may also collect data generated by automatic measurements of an individual’s biological characteristics and limited thereto, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual and we may provide this information to service providers and regulators in order to identify who you are or if we are required to by applicable law.
We do not collect any special categories of personal information about you. This information includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political persuasion, trade union membership, information about your health and genetic and biometric data. Nor do we collect any information about criminal convictions and offences.
How do we collect your personal information?
Direct interactions: by way of filling in forms, email or telephone correspondence, purchasing or subscribing to products/services, and via our Website. Automated technologies or interactions: we automatically collect technical data about your equipment, browsing actions and patterns as you use our Website. We collect this personal information by using cookies and other similar technologies, and through third parties or publicly available sources: example, business partners, sub-contractors or credit reference agencies.
Sharing of personal information
We respect your privacy, and we hate spam as much as you do. We will keep your personal information confidential and only share it with others in terms of this policy, or if you consent to it, or if the law requires us to share it. We have trusted relationships with carefully selected third parties who perform services for us. All these service providers have a contract with us in terms whereof they have a legal obligation to secure your personal information and to use it only in a way that we permit.
How secure is your information
We are committed to implementing appropriate technical and other security measures to protect the integrity and confidentiality of your information and do so using bank level security software. We protect and manage information that we hold about you by using electronic and computer safeguards such as firewalls, data encryption, as well as physical and electronic access control to our buildings. We only authorise access to information to those employees who require access to fulfil their designated responsibilities.Marketing
We will provide you with choices regarding certain personal information uses, particularly around marketing and advertising. You will receive marketing communications from us if you have requested information from us or purchased services from us. You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or where you opt out of receiving these marketing messages, this will not apply to personal information provided to us as a result of a product/service purchase, product/service experience or other transactions.
You may set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Website may become inaccessible or not function properly.
Disclosure of personal information
We will not sell personal information and no personal information will be disclosed to anyone except as provided in this policy. We may disclose your personal information if required by a subpoena or court order; or to comply with any law or regulation.
We may share your personal information:
With other related companies in terms of our Agreement with you, as our Client;
With our service providers under contract, as permitted by law;
With credit bureaus to report account information, as permitted by law;
With social media platforms when you use tools or functionality on our Website provided by those platforms (such as "recommend" or "share" buttons); and with marketing partners where you register for events, webinars or other related events;
With public or government authorities to follow applicable law or to respond to legal processes (like a subpoena). We also may share your personal information when there are threats to the physical safety of any person, violations of this policy or other agreements, or to protect the legal rights of third parties, including our employees, users, or the public as required by law;
With the Preferred Service Providers and Goods Suppliers in terms of our Agreement for statistical purposes only;
For business transactions like a merger, or sale of our assets, or as part of the due diligence for such contemplated transactions. If a corporate transaction occurs, we will provide notification of any changes to control of your personal information, as well as choices you may have;
With your consent. For example, when we post user testimonials that may identify you or for a third party application that may be of use to you and;
With your employer or organisation where you create an account or user role with an email address assigned to you as an employee, contractor or member of an organisation, that organisation may find your account and take specific actions that may affect your account;
We may need to disclose personal information to our employees that require the personal information to do their jobs. These include our responsible management, human resources, accounting, audit, compliance, information technology, or other personnel. Any of our employees or personnel that handle your personal information will have signed non-disclosure and confidentiality agreements.
How long will we use your personal information for
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal Information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Acceptance of our policy
By using our product/services, you understand that we will collect and use your personal information as indicated in this policy. You have the right to decline consent and/or if provided, to withdraw consent at any time. This will not affect the lawfulness of processing prior to the withdrawal of your consent. At any time, you can request that we stop using your personal information for direct marketing purposes.
Where we need to collect personal information under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have with you.
What are your legal rights
Under certain circumstances you are entitled to:
Request access to your Personal Information;
Request correction of your Personal Information;
Request erasure of your Personal Information;
Object to processing of your Personal Information;
Request restriction of processing your Personal Information;
Request transfer of your Personal Information
Withdraw consent;
Not be subjected to automated decision-making.
Children’s information and special personal information
We do not intentionally collect or use information of children (persons under the age of 18 years) unless with consent. Our intention is to only process information of children with the consent of a competent person (someone like the parent or guardian or if the law otherwise allows or requires us to process such information).
Promotion of Access to Information Act 2 of 2000 (“PAIA”)
PAIA gives you the right to access information that is required to exercise or protect your rights. In terms of PAIA, before access to the information requested by persons is granted, specific requirements have to be met. PAIA also requires private bodies such as Tosa Pay to compile a manual designed to assist persons who want to exercise their right to access information. You may also request access to your personal information held by Tosa Pay. PAIA regulates and sets out the procedure for such a request and under what circumstances such access may be refused. Please contact us should you require our PAIA manual, the prescribed request form and/or information on applicable fees payable for access to this information.
Your duty to keep your personal information with us updated
The personal information we hold about you must be accurate and current. Please keep us updated if your information changes during your relationship with us.
Queries of complaints
Should you have any queries or complaints about this policy, you may email our information officer, support@tosapay.com.
You are also entitled to refer any concerns to the South African Information Regulator:
Address: JD House, 27 Steinmens St, Braamfontein, Johannesburg, 0001
Email address: PAIACompliance@inforegulator.org.za