Promotion of Access to Information Act (PAIA) Manual

for

Finance 7 Seven (Pty) Ltd (Registration Number: 2022/478452/07) Trading as Appiawave

(Hereinafter referred to as “Appiawave” or “the Company”)

Prepared in accordance with Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA”) and in consideration of the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”)

Date of Compilation: June 1, 2025 Date of Next Revision: June 1, 2026

Table of Contents

  1. Introduction
  2. Contact Details of Appiawave (Section 51(1)(a) of PAIA)
  3. The Information Regulator’s Guide (Section 51(1)(b) of PAIA)
  4. Records Available in Terms of Other Legislation (Section 51(1)(d) of PAIA)
  5. Categories of Records Held by Appiawave (Section 51(1)(e) of PAIA) 5.1. Records Automatically Available 5.2. Records Available on Request
  6. Services Provided by Appiawave
  7. Processing of Personal Information (in terms of POPIA) 7.1. Purpose of Processing Personal Information 7.2. Categories of Data Subjects and Personal Information Processed 7.3. Recipients or Categories of Recipients of Personal Information 7.4. Transborder Flows of Personal Information 7.5. General Description of Information Security Measures
  8. Procedure for Requesting Access to Records (Section 51(1)(e) of PAIA) 8.1. Completion of Prescribed Form 8.2. Fees Payable 8.3. Notification of Decision
  9. Grounds for Refusal of Access to Records
  10. Remedies Available if a Request for Information is Refused
  11. Availability of this Manual (Section 51(3) of PAIA)
  12. Updates to this Manual

1. Introduction

The Promotion of Access to Information Act, No. 2 of 2000 (“PAIA”) gives effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights.

The Protection of Personal Information Act, No. 4 of 2013 (“POPIA”) promotes the protection of personal information processed by public and private bodies. Section 17 of POPIA provides that a Responsible Party must maintain a record of all processing operations under its responsibility in a PAIA manual.

This Manual is intended to:

  • Assist potential requesters in understanding the types of information held by Appiawave.
  • Outline the procedure to be followed to request access to information held by Appiawave.
  • Provide information as required under both PAIA and POPIA.

Appiawave is a private body providing digital wallet, payment processing, Buy Now, Pay Later (BNPL), and related financial technology services in partnership with licensed financial institutions such as Access Bank South Africa Ltd.

2. Contact Details of Appiawave (Section 51(1)(a) of PAIA)

Registered Name:Finance 7 Seven (Pty) Ltd
Trading Name:Appiawave
Registration Number:2022/478452/07
Postal Address:276 Johannes Ramokhoase Street, Pretoria, 0002, South Africa
Physical Address:276 Johannes Ramokhoase Street, Pretoria, 0002, South Africa
Telephone Number:012 335 9020
Website:www.appiawave.com
Head of the Private Body (CEO/Managing Director):
Name:Toyese Oyewo
Email:customercare@appiawave.co.za
Designated Information Officer:
Name:Uyavhuya Matibe
Email:customercare@appiawave.co.za
Telephone Number:012 335 9020

3. The Information Regulator’s Guide (Section 51(1)(b) of PAIA)

The Information Regulator has compiled a guide in terms of Section 10 of PAIA, containing information to assist persons wishing to exercise their rights under PAIA. This guide is available from the Information Regulator.

Contact details of the Information Regulator: The Information Regulator (South Africa) JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 P.O. Box 31533, Braamfontein, Johannesburg, 2017 General enquiries email: inforeg@justice.gov.za Complaints email (PAIA): PAIAComplaints@inforegulator.org.za Website: www.inforegulator.org.za

4. Records Available in Terms of Other Legislation (Section 51(1)(d) of PAIA)

Certain records held by Appiawave are available in terms of legislation other than PAIA. These include, but are not limited to:

  • Banks Act, No. 94 of 1990 (as applicable through our banking partnerships)
  • Basic Conditions of Employment Act, No. 75 of 1997
  • Companies Act, No. 71 of 2008
  • Compensation for Occupational Injuries and Diseases Act, No. 130 of 1993
  • Consumer Protection Act, No. 68 of 2008
  • Electronic Communications and Transactions Act, No. 25 of 2002
  • Employment Equity Act, No. 55 of 1998
  • Financial Advisory and Intermediary Services Act, No. 37 of 2002 (if applicable)
  • Financial Intelligence Centre Act, No. 38 of 2001 (“FICA”)
  • Income Tax Act, No. 58 of 1962
  • Labour Relations Act, No. 66 of 1995
  • National Credit Act, No. 34 of 2005 (as applicable to BNPL services)
  • Occupational Health and Safety Act, No. 85 of 1993
  • Pension Funds Act, No. 24 of 1956
  • Protection of Personal Information Act, No. 4 of 2013 (“POPIA”)
  • Skills Development Act, No. 97 of 1998
  • Skills Development Levies Act, No. 9 of 1999
  • Unemployment Insurance Act, No. 63 of 2001
  • Unemployment Insurance Contributions Act, No. 4 of 2002
  • Value Added Tax Act, No. 89 of 1991

The availability of these records is subject to the provisions of the specific legislation.

5. Categories of Records Held by Appiawave (Section 51(1)(e) of PAIA)

5.1. Records Automatically Available

The following records are automatically available without a formal PAIA request and can typically be found on the Appiawave website www.appiawave.com:

  • Marketing and promotional materials.
  • Publicly available product and service information.
  • Appiawave Consumer Terms of Use.
  • Appiawave Privacy Policy.
  • This PAIA Manual.

5.2. Records Available on Request

The following categories of records are held by Appiawave. Access to these records must be requested in accordance with the procedure outlined in Section 8 of this Manual.

  • Corporate Records:
    • Memorandum of Incorporation and other statutory company records.
    • Minutes of Board of Directors and Committee meetings.
    • Shareholder records.
    • Annual Financial Statements.
    • Policies and procedures.
    • Licenses and permits.
  • Financial Records:
    • Accounting records, invoices, receipts.
    • Banking records (related to Appiawave’s corporate accounts).
    • Tax records (Income Tax, VAT, PAYE, etc.).
    • Audit reports.
    • Asset registers.
  • Operational Records:
    • Merchant agreements and related documentation.
    • User account information (subject to POPIA and privacy considerations).
    • Transaction records (subject to POPIA and privacy considerations).
    • BNPL plan agreements and repayment histories (subject to POPIA).
    • Customer support records and correspondence.
    • IT system documentation, logs, and security records.
    • Service level agreements with suppliers and partners (e.g., Access Bank).
    • Risk management and compliance records.
    • Fraud prevention records.
  • Human Resources Records:
    • Employee files (Personal Information, employment contracts, leave records, performance appraisals, disciplinary records, payroll information, medical information where relevant and lawful).
    • Recruitment records (applications, CVs, interview notes).
    • Training records.
    • Employment equity plans and reports.
    • Pension fund and medical aid records.
    • Policies and procedures relating to human resources.
  • Marketing and Sales Records:
    • Marketing strategies and plans.
    • Advertising materials (beyond those automatically available).
    • Market research data.
    • Customer databases (subject to POPIA).
  • Legal and Compliance Records:
    • Contracts and agreements with third parties.
    • Legal correspondence and opinions.
    • Regulatory filings and correspondence.
    • POPIA compliance records (e.g., data processing records, consent records, breach notifications).
    • FICA compliance records.

6. Services Provided by Appiawave

Appiawave provides the following services:

  • Digital wallet services allowing users to store value and make transactions.
  • Allocation of a bank account number through our Banking Partner, Access Bank South Africa Ltd.
  • Issuance of virtual and/or physical cards linked to the Appiawave Bank Account.
  • Facilities for users to receive payments into their Appiawave Bank Account.
  • Facilities for users to make payments from their Appiawave Bank Account to third parties.
  • Bill payment services.
  • Purchase of utilities (e.g., airtime, data, electricity).
  • Buy Now, Pay Later (BNPL) services for eligible purchases.
  • Payment gateway services for merchants (Appiawave).

7. Processing of Personal Information (in terms of POPIA)

7.1. Purpose of Processing Personal Information

Appiawave processes Personal Information for the purposes outlined in our Appiawave Privacy Policy, including but not limited to:

  • Providing and managing our Services (wallet, bank account, card, BNPL, payments).
  • Identity verification (KYC) and compliance with FICA and other AML/CTF laws.
  • Creditworthiness and affordability assessments for BNPL and other credit-related services.
  • Fraud prevention and risk management.
  • Customer support and communication.
  • Improving and developing our Services.
  • Marketing (with consent or as permitted by law).
  • Complying with legal and regulatory obligations.
  • Managing employment relationships.

7.2. Categories of Data Subjects and Personal Information Processed

Appiawave processes Personal Information of the following categories of Data Subjects:

  • Users/Consumers: Individuals who register for and use Appiawave wallet, bank account, card, and BNPL services.
  • Merchants: Businesses that use Appiawave (Appiawave) gateway services.
  • Employees and Job Applicants: Current, past, and prospective employees.
  • Directors and Shareholders: Of Appiawave.
  • Suppliers and Service Providers: Representatives of entities providing goods or services to Appiawave.
  • Website Visitors: Individuals browsing our website.

The types of Personal Information processed for each category are detailed in our Appiawave Privacy Policy. This includes identification information, contact details, financial information, transaction data, employment history, and usage data. Special Personal Information (e.g., biometrics for security, race for employment equity) is processed only where lawful and with appropriate safeguards.

7.3. Recipients or Categories of Recipients of Personal Information

Personal Information may be shared with:

  • Our Banking Partner (Access Bank South Africa Ltd.) for the provision of bank accounts and card services.
  • Other financial institutions and payment processors involved in transactions.
  • Credit bureaus (for credit checks related to BNPL).
  • Identity verification and fraud prevention service providers.
  • Regulatory and law enforcement authorities as required by law.
  • Service providers (Operators) acting on our behalf (e.g., IT support, cloud hosting, customer service platforms).
  • Merchants (for transaction processing).
  • Legal and professional advisors. Further details are available in our Appiawave Privacy Policy.

7.4. Transborder Flows of Personal Information

Appiawave may transfer Personal Information outside of South Africa, for example, if using cloud service providers hosted in other countries. Such transfers will only occur in compliance with Chapter 9 of POPIA, ensuring adequate protection for the Personal Information. Details are provided in our Appiawave Privacy Policy.

7.5. General Description of Information Security Measures

Appiawave has implemented appropriate, reasonable technical and organisational measures to protect Personal Information against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Access controls and authentication.
  • Encryption of data.
  • Firewalls and network security.
  • Regular security assessments and monitoring.
  • Data protection policies and employee training.
  • Incident response plans. Further details are available in our Appiawave Privacy Policy.

8. Procedure for Requesting Access to Records (Section 51(1)(e) of PAIA)

8.1. Completion of Prescribed Form

  • To request access to a record held by Appiawave, the requester must complete the prescribed Form 2 (Request for Access to Record of Private Body), which is available from the Information Regulator’s website (www.inforegulator.org.za) or can be requested from our Information Officer.
  • The completed form must be submitted to Appiawave’s Information Officer at the contact details provided in Section 2 of this Manual.
  • The form must provide sufficient particulars to enable Appiawave to identify:
    • The record(s) requested.
    • The requester (and if acting on behalf of another person, proof of capacity).
    • The form of access required.
    • The requester’s contact details in the Republic of South Africa.
    • The right the requester is seeking to exercise or protect and an explanation of why the requested record is required for the exercise or protection of that right.

8.2. Fees Payable

  • Request Fee: A requester seeking access to a record containing personal information about themselves is not required to pay a request fee. Other requesters (non-personal requests) must pay the prescribed request fee before the request will be processed.
  • Access Fee: If the request is granted, the requester may be required to pay an access fee for the reproduction of the record and for the time reasonably required to search for and prepare the record.
  • The applicable fees are prescribed by the PAIA regulations and are available on the Information Regulator’s website or can be provided by our Information Officer.
  • Appiawave may withhold a record until the prescribed access fees have been paid.
  • A requester who is exempt from paying access fees (e.g., due to indigence) must provide proof of such exemption.

8.3. Notification of Decision

Appiawave will, within 30 days of receiving a valid request, notify the requester in writing whether the request has been granted or refused. This period may be extended once for a further period of not more than 30 days if the request is for a large number of records, requires a search through a large number of records, or if consultation with other divisions or third parties is necessary. The requester will be notified in writing of any such extension.

9. Grounds for Refusal of Access to Records

Appiawave may refuse a request for access to records in accordance with the grounds for refusal set out in Chapter 4 of Part 3 of PAIA. These grounds include, but are not limited to:

  • Mandatory protection of the privacy of a third party who is a natural person.
  • Mandatory protection of commercial information of a third party.
  • Mandatory protection of certain confidential information of a third party.
  • Mandatory protection of the safety of individuals and protection of property.
  • Mandatory protection of records privileged from production in legal proceedings.
  • Commercial information of Appiawave itself (e.g., trade secrets, financial information that could cause harm if disclosed).
  • Requests that are manifestly frivolous or vexatious, or involve an unreasonable diversion of resources.

If a request for access is refused, Appiawave will provide the requester with written reasons for the refusal.

10. Remedies Available if a Request for Information is Refused

If a requester is dissatisfied with Appiawave’s decision to refuse access to a record or with any other decision relating to the request (e.g., fees charged, extension of time), the requester may:

  • Lodge an internal appeal (if applicable, though typically for public bodies).
  • Lodge a complaint with the Information Regulator.
  • Apply to a court for appropriate relief.

The Information Regulator’s contact details are provided in Section 3.

11. Availability of this Manual (Section 51(3) of PAIA)

This PAIA Manual is available for inspection, free of charge, at the offices of Appiawave (see address in Section 2) during normal business hours. It is also available on the Appiawave website at [Link to PAIA Manual on your website] and can be requested from the Information Regulator.

12. Updates to this Manual

This PAIA Manual will be updated on a regular basis, at least annually, or as and when necessary to ensure it remains accurate and compliant with PAIA and POPIA. Any updates will be made available as per Section 11.