Appiawave – Privacy Policy

Effective Date: June 1, 2025

1. Introduction and Our Commitment to Privacy

Welcome to Appiawave! Finance 7 Seven (Pty) Ltd (Registration Number: 2022/478452/07), trading as Appiawave (“Appiawave,” “we,” “us,” “our”), is committed to protecting your Personal Information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Appiawave digital wallet, any associated bank account provided through our banking partner (Access Bank South Africa Ltd.), virtual and/or physical cards, our Buy Now, Pay Later (“BNPL”) offering, our website www.appiawave.com, any mobile applications, and related services (collectively, the “Services”). Our registered address is 276 Johannes Ramokhoase Street, Pretoria, 0002, South Africa.

This Policy is drafted in accordance with the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”) of South Africa and other applicable data protection laws.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with the terms, please do not access or use our Services.

Our Information Officer can be contacted at:

Email: customercare@appiawave.co.za

Address: 276 Johannes Ramokhoase Street, Pretoria, 0002, South Africa.

2. What is Personal Information?

“Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, as defined in POPIA. This includes, but is not limited to, your name, identity number, contact details, financial information, transaction history, online identifiers, and biometric information.

“Special Personal Information” includes information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour.

3. Information We Collect

We collect Personal Information about you from various sources to provide and improve our Services, comply with legal obligations, and manage our business.

3.1. Information You Provide Directly to Us:

  • Registration and Profile Information: When you create an Appiawave Account, we collect your full name, date of birth, identity number (or passport number for foreign nationals), residential address, email address, mobile phone number, and any other information required for KYC/AML purposes (e.g., proof of identity, proof of address).
  • Financial Information:
  • For your Appiawave Bank Account (provided by Access Bank): Information required by Access Bank for account opening and operation, which we facilitate the collection of.
  • For BNPL Services: Information to assess creditworthiness and affordability, such as income details, employment information, and potentially bank statements (with your explicit consent).
  • Payment Method Details: Details of your linked bank accounts, debit cards, or credit cards used for funding your Wallet or making BNPL repayments (we typically use tokenization for card details, meaning we don’t store full card numbers).
  • Transaction Information: Details of transactions you conduct using your Appiawave Wallet, Card, or BNPL service, including merchant details, amounts, dates, and times.
  • Communications: Information you provide when you contact our customer support (customercare@appiawave.co.za), respond to surveys, or participate in promotions.
  • Biometric Information: If you choose to use biometric authentication (e.g., fingerprint or facial recognition) for accessing your Appiawave Account or authorizing transactions, we will process this Special Personal Information with your explicit consent and for that specific purpose.

3.2. Information We Collect Automatically:

  • Usage Information: Details of your interactions with our Services, including access times, pages viewed, features used, IP address, device type, operating system, browser type, and mobile network information.
  • Location Information: We may collect your device’s location information if you grant us permission, to provide location-based services or for fraud prevention purposes.
  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect information about your browsing activities on our website and app. Please see our Cookie Policy [Link to Cookie Policy, if separate] for more details.

3.3. Information We Collect from Third Parties:

  • Banking Partner (Access Bank South Africa Ltd.): We receive information from Access Bank related to your Appiawave Bank Account and Card, such as account status, transaction confirmations, and information necessary for service provision and reconciliation.
  • Credit Bureaus: With your consent where required, we collect credit history information from registered credit bureaus in South Africa to assess your eligibility for BNPL and other credit-related services.
  • Identity Verification Services and Fraud Prevention Agencies: We use third-party services to verify your identity, comply with KYC/AML obligations, and prevent fraud.
  • Merchants: We may receive information from Merchants regarding your purchases if you use Appiawave Services at their checkout.
  • Publicly Available Sources: We may collect information from publicly available sources as permitted by law.

4. How We Use Your Personal Information (Purpose Specification)

We use your Personal Information for the following purposes, based on lawful grounds as required by POPIA:

  • To Provide and Manage Our Services (Performance of a Contract; Legitimate Interest):
  • To create and manage your Appiawave Account, Wallet, associated Appiawave Bank Account, and Appiawave Card.
  • To process your transactions, including payments, fund transfers, bill payments, utility purchases, and BNPL plans.
  • To facilitate communication between you, us, Merchants, and our Banking Partner.
  • To provide customer support (customercare@appiawave.co.za) and respond to your inquiries.
  • For Identity Verification, Risk Assessment, and Fraud Prevention (Legal Obligation; Legitimate Interest):
  • To verify your identity and comply with KYC, AML, and Counter-Terrorist Financing (CTF) laws (e.g., FICA).
  • To assess creditworthiness and affordability for BNPL and other credit-related services.
  • To monitor transactions and account activity for suspicious or fraudulent behavior.
  • To manage and mitigate risks associated with providing financial services.
  • To Improve and Develop Our Services (Legitimate Interest; Consent where required):
  • To analyze usage trends and preferences to improve user experience and service functionality.
  • To conduct research and development for new products and features.
  • To personalize your experience with our Services.
  • For Communication and Marketing (Consent; Legitimate Interest):
  • To send you important service-related communications (e.g., security alerts, updates to terms, transaction confirmations).
  • To send you marketing communications about Appiawave products, services, and promotions, where you have consented to receive such communications or where permitted by law (e.g., for existing customers regarding similar products/services, with an opt-out option). You can opt-out of marketing communications at any time.
  • To Comply with Legal and Regulatory Obligations (Legal Obligation):
  • To comply with applicable laws, regulations, court orders, and requests from regulatory bodies (e.g., SARB, FIC, Information Regulator).
  • To maintain records as required by law.
  • To Enforce Our Terms and Protect Our Rights (Legitimate Interest):
  • To enforce our Terms of Use and other policies.
  • To protect the rights, property, or safety of Appiawave, our users, or others.

5. Lawful Basis for Processing

We process your Personal Information based on one or more of the following lawful bases under POPIA:

  • Consent: Where you have given us your explicit consent to process your Personal Information for a specific purpose (e.g., for direct marketing, processing certain Special Personal Information).
  • Contractual Necessity: Where processing is necessary for the conclusion or performance of a contract to which you are a party (e.g., our Terms of Use, your BNPL Payment Plan agreement, your agreement with Access Bank for the Appiawave Bank Account).
  • Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., FICA, tax laws).
  • Legitimate Interests: Where processing is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your rights and interests. We will always balance our legitimate interests against your rights.
  • Protection of a Legitimate Interest of the Data Subject: Where processing protects a legitimate interest of yours.

6. Disclosure and Sharing of Your Personal Information

We do not sell your Personal Information. We may share your Personal Information with the following categories of third parties, under specific circumstances and in compliance with POPIA:

  • Our Banking Partner (Access Bank South Africa Ltd.): We share information with Access Bank as necessary for them to provide and manage your Appiawave Bank Account and Appiawave Card, process transactions, and comply with their regulatory obligations.
  • Merchants: We share transaction information with Merchants when you make a purchase from them using Appiawave Services.
  • Service Providers and Operators: We engage third-party service providers (Operators) to perform functions on our behalf, such as identity verification, fraud prevention, credit scoring, data analytics, IT support, cloud hosting, customer support platforms, and marketing. These providers are contractually bound to protect your Personal Information and only process it based on our instructions.
  • Credit Bureaus: With your consent or as permitted by law, we share information with and obtain information from credit bureaus for creditworthiness assessments related to BNPL services.
  • Regulatory and Law Enforcement Authorities: We may disclose your Personal Information to government authorities, law enforcement officials, or other third parties if required by law, court order, or to comply with legal processes, or if we believe in good faith that disclosure is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our Terms.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your Personal Information.
  • With Your Consent: We may share your Personal Information with other third parties if you have given us your explicit consent to do so.

7. International Transfers of Personal Information (Transborder Information Flows)

Some of our service providers may be located outside of South Africa. If we transfer your Personal Information to a third party in a foreign country, we will ensure that such transfer complies with POPIA by ensuring that:

  • The recipient country offers an adequate level of protection for Personal Information that is substantially similar to that provided under POPIA; or
  • You have consented to the transfer; or
  • The transfer is necessary for the performance of a contract between you and Appiawave, or for the implementation of pre-contractual measures taken in response to your request; or
  • The transfer is necessary for the conclusion or performance of a contract concluded in your interest between Appiawave and a third party; or
  • The transfer is for your benefit, and it is not reasonably practicable to obtain your consent, and if it were, you would likely give it.
    We will implement appropriate safeguards, such as data transfer agreements with standard contractual clauses, where necessary.

8. Your Rights as a Data Subject under POPIA

You have the following rights regarding your Personal Information:

  • Right of Access: To request confirmation of whether we hold Personal Information about you and to request access to a copy of such information.
  • Right to Rectification (Correction): To request the correction of your Personal Information if it is inaccurate, incomplete, misleading, or outdated.
  • Right to Erasure (Deletion/Destruction): To request the deletion or destruction of your Personal Information where there is no longer a lawful basis for us to retain it, or if it is excessive or obtained unlawfully.
  • Right to Object to Processing: To object, on reasonable grounds relating to your particular situation, to the processing of your Personal Information where processing is based on our legitimate interests or for direct marketing purposes.
  • Right to Restrict Processing: To request the restriction of processing of your Personal Information under certain circumstances (e.g., if you contest its accuracy).
  • Right to Withdraw Consent: To withdraw your consent at any time where we are relying on consent to process your Personal Information. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
  • Right to Data Portability (where applicable): To request your Personal Information in a structured, commonly used, and machine-readable format, or to have it transmitted directly to another controller, where technically feasible and processing is based on consent or contract.
  • Right to Complain to the Information Regulator: To lodge a complaint with the Information Regulator of South Africa if you believe your rights under POPIA have been infringed.
  • Contact details: The Information Regulator (South Africa), JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001. P.O. Box 31533, Braamfontein, Johannesburg, 2017. Complaints email: complaints.IR@justice.gov.za.

To exercise any of these rights (except complaining to the Regulator), please contact our Information Officer at the details provided in Section 1. We will respond to your request in accordance with POPIA timelines and requirements. We may require proof of your identity before processing your request.

9. Security of Your Personal Information

We are committed to protecting your Personal Information and have implemented appropriate, reasonable technical and organisational security measures designed to protect it from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

  • Encryption of data in transit and at rest.
  • Firewalls and intrusion detection/prevention systems.
  • Access controls and authentication mechanisms (including multi-factor authentication where appropriate).
  • Regular security assessments and vulnerability management.
  • Employee training on data security and privacy.
  • Data processing agreements with third-party service providers requiring them to implement adequate security measures.

While we strive to protect your Personal Information, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

10. Data Retention

We will retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements, or to resolve disputes.

  • For example, FICA requires us (or our Banking Partner) to retain certain KYC information for at least five years after the termination of a business relationship.
  • Transaction data may be retained for periods required for financial auditing and tax purposes.
  • Information related to BNPL plans may be retained for the duration of the plan and for a period thereafter as required for legal and credit reporting purposes.

Once Personal Information is no longer required, we will securely destroy or de-identify it.

11. Children’s Privacy

Our Services are not intended for or directed at individuals under the age of 18 (“Children”). We do not knowingly collect Personal Information from Children. If we become aware that we have inadvertently collected Personal Information from a Child without verifiable parental consent (or consent from a competent person), we will take steps to delete such information from our records promptly. If you believe we might have any information from or about a Child, please contact our Information Officer.

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and mobile app. For more information about the types of cookies we use, why we use them, and how you can manage your cookie preferences, please see our Cookie Policy [Link to Cookie Policy, if separate, otherwise detail key aspects here e.g., types of cookies, purpose, and opt-out information].

13. Direct Marketing

We will only send you direct marketing communications by electronic means (email, SMS) if:

  • You have given your explicit consent; or
  • You are an existing customer, we obtained your contact details in the context of a sale of our products/services, the marketing is for our similar products/services, and you have been given the opportunity to object at the time of collection and in each communication.

You can opt-out of receiving marketing communications from us at any time by following the unsubscribe instructions in the communication or by contacting us at customercare@appiawave.co.za.

14. Notification of a Personal Information Security Breach

In the event of a security compromise where there are reasonable grounds to believe that your Personal Information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and you as soon as reasonably possible, in accordance with POPIA requirements. The notification will include information about the potential consequences, measures taken by us, and recommendations for you to mitigate risks.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. If we make material changes, we will notify you by email, through the Appiawave app, or by posting a prominent notice on our website prior to the change becoming effective. We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices. Your continued use of our Services after any changes to this Privacy Policy will constitute your acceptance of such changes.

16. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy, our data practices, or if you wish to exercise your rights under POPIA, please contact our Information Officer or our Customer Support team:

Information Officer:

Email: customercare@appiawave.co.za

Address: Finance 7 Seven (Pty) Ltd, 276 Johannes Ramokhoase Street, Pretoria, 0002, South Africa.

Customer Support:

Email: customercare@appiawave.co.za

Website: www.appiawave.com