Bank Zero

Customer Privacy Policy

1.1 Introduction

This POPIA Customer Privacy Policy explains how Bank Zero will process your personal information.

Where we refer to “process”, it means how we collect, use, store, make available, destroy, update, disclose, or otherwise deal with your personal information. Generally, we will only process your personal information if this is required to deliver or offer a service, provide a product or carry out a transaction with you. We respect your privacy and will treat your personal information confidentially.

We may combine your personal information and use the combined personal information for any of the purposes stated in this Privacy Policy. In this document any reference to “we” or “us” or “our” includes any one or more of the following Bank Zero entities:

Bank Zero.
Each business unit, branch and/or representative office of any business of Bank Zero.
Any other subsidiaries of Bank Zero or companies connected to Bank Zero.
Any of Bank Zero’s associates, cessionaries, delegates or successors in title or appointed third parties such as its authorised agents, advisors, partners and contractors.

Important to note:

If you use our services, goods, products and service channels you agree that we may process your personal information as explained under this Privacy Policy. Sometimes you may provide us with specific consent to process your personal information. Read it carefully because it may limit your rights.

(If Bank Zero processes personal information for another party under a contract or a mandate, the other party’s privacy policy will apply to the processing. Bank Zero reserves the right to change this Privacy Policy from time to time if the law or its business practices requires it. The version of the Privacy Policy displayed on our website will apply to your interactions with us. To read the latest version of this Privacy Policy visit the following website: www.bankzero.co.za)

1.2 Explaining why and how we collect specific sensitive personal information

1.2.1 Location Permission and Data

We need your permission to collect your location data.

What exactly do we collect

We record the GPS location of your phone.

Why do we need your location data

This is to protect you. Location data is fully focussed on helping to keep your bank accounts secure and to prevent fraud on your bank account.

What will we NOT do with your location data

We do not use your location data for advertising.
We do not use your location data for analytics.
We do not use your location data for purposes of improving the App.
We do not sell your location data.
We do not share your location data with any 3rd parties unless by your prior consent (with them adhering to at least the same data protection policies as at Bank Zero).
Should we be required to disclose this to a regulatory body by law (and as also explained in section 1.3.9), we will comply.

When do we collect your location data

When you register with Bank Zero and/or order a card and/or provide an address.
When you re-pair your existing banking profile to another phone.
When you log into your banking profile.
When making payments from the App.
We only collect location data required for security purposes as outlined above. Absolutely no unnecessary data is collected.
We only do ‘foreground use’ and only while performing the above activities. I.e. we only collect your location data while you are using the App for these specific activities, no other times, even while the App is open. And all location data collection is stopped immediately when you stop using the App and you close it.

Important to note:

How do we tell you about it

We make it clear to you where your location data is used, by displaying it to you against your relevant transactions and activities. (For example your welcome letter, when you re-pair, any payments you make, etc.)

How do we store your location data

Your location data is stored to the exact same high security levels as your financial transactions (see section 1.3.12) and is retained as per section 1.3.13.

How do we ask your permission

We don’t collect your location data unless you explicitly give us permission during your registration process. As you can see, location data is critical to the security of your banking profile. The Bank Zero App unfortunately cannot operate without this, because security is core to how we operate as a digital bank. Should you want to withdraw the use of your location data, the App cannot function. We respect your decision, as we hope you respect our commitment to keeping your money safe. See section 1.3.11 for more information.

1.2.2 Facial & Voice Biometrics (hereafter referred to as Biometrics)

We need your permission to collect your biometrics.

What exactly do we collect

We record specific facial features and your voice.

Why do we need your biometrics

This is to protect you, and is fully focussed on helping to keep your bank accounts secure and to prevent fraud on your bank account. We compare previously collected biometrics to subsequently collected biometrics during any high-risk situation.

What will we NOT do with your biometrics

We do not use your biometrics for advertising.
We do not use your biometrics for analytics.
We do not use your biometrics for purposes of improving the App.
We do not sell your biometrics.
We do not share your biometrics with any 3rd parties unless by your prior consent (with them adhering to at least the same data protection policies as at Bank Zero).
Should we be required to disclose this to a regulatory body by law (and as also explained in section 1.3.9), we will comply.

When do we collect your biometrics

When you register with Bank Zero.
When you re-pair your existing banking profile to another phone.
For any high-risk activities on your App where we need to protect your security.
Note: We only collect biometrics required for security purposes as outlined above and when we explicitly inform you that it is about to be collected.

How do we tell you about it

We make it clear to you whenever biometrics are about to be recorded, by requesting you to provide facial biometrics in a specific way, and providing voice biometrics by way of reading a given sentence.

How do we store your biometrics

Your biometrics are stored to the exact same high security levels as your financial transactions (see section 1.3.12) and is retained as per section 1.2.13.

How do we ask your permission

No biometrics are collected unless you explicitly allow access to your camera and microphone, and unless we warn you in each instance before we start recording (as per above). As you can see, your biometrics are critical to the security of your banking profile. The Bank Zero App unfortunately cannot operate without this, because security is core to how we operate as a digital bank. Should you want to withdraw the use of your biometrics, the App cannot function. We respect your decision, as we hope you respect our commitment to keeping your money safe. See section 1.3.11 for more information.

1.2.3 Minors (Persons under 16, hereafter referred to as Children)

It is important to us that children are handled with utmost privacy and as per law. A child is defined as by a country’s legislation and who has not been recognised as an adult by the courts of that country.

When and how will we process their personal information?

We process their personal information only if the law allows, and only if an adult who can legally agree, has approved the child’s registration. This adult must be a parent or a legal guardian. This adult must first register with Bank Zero in their own capacity and must then use the ‘Add Child’ feature to add the child. Only then can the relevant child proceed with their registration and subsequent use of the App.

When can we also process their personal information?

We can also process a child’s personal information if any one or more of the following applies, and only if the law allows:

The processing is needed to create, use or protect a right or obligation in law, like where the child is an heir in a will (to give effect to the will), a beneficiary of a trust (to give effect to the trust deed), or a beneficiary of an insurance policy.
The child’s personal information was made public by this child, with the consent of a person who can legally agree.
The processing is for statistical or research purposes and all legal conditions are met.

When do we collect your biometrics

When you register with Bank Zero.
When you re-pair your existing banking profile to another phone.
For any high-risk activities on your App where we need to protect your security.
Note: We only collect biometrics required for security purposes as outlined above and when we explicitly inform you that it is about to be collected.

Note that where the child is legally old enough to open a bank account without assistance from their parent or guardian, or sign a document as a witness without assistance from their parent or guardian, then they will be handled accordingly.

1.3 Explanations to questions you may have

This section provides insight into some of the questions, as it relates to your data privacy, that you may have

1.3.1 What is personal information?

Personal information refers to any information that identifies you or specifically relates to you. It might include, but is not limited to, the following information about you:

your marital status (like married, single, divorced).
your national origin.
your age.
your language; birth; education.
your financial history (like your income or your buying, investing and banking behaviour based on, amongst others, account transactions).
your identifying number (like an account number, identity number or passport number).
your e-mail address; physical address (like residential address, work address or your physical location); telephone number.
your online identifiers; social media profiles.
your biometric information (like fingerprints, photographs enabling facial recognition, your signature or voice).
your race; gender; sex; pregnancy; ethnic origin; social origin; colour; sexual orientation.
your physical health; mental health; well-being; disability; religion; belief; conscience; culture.
your medical history (like your HIV / AIDS status); criminal history; employment history;
your personal views, preferences and opinions.
your confidential correspondence.
another’s views or opinions about you and your name also constitute your personal information.

1.3.2 When will we process your personal information?

We will only process your personal information for lawful purposes relating to our business if the following applies:

if you have consented thereto.
if a person legally authorised by you, the law or a court, has consented thereto.
if it is necessary to conclude or perform under a contract, we have with you.
if the law requires or permits it.
if it is required to protect or pursue your, our or a third party’s legitimate interest.
if you are a child, a competent person (like a parent or guardian) has consented thereto.

1.3.3 What is special (sensitive) personal information?

Special (sensitive) personal information is personal information about the following:

your religious beliefs.
your philosophical beliefs (for example where you enter a competition, and you are requested to express your philosophical view).
your race (like where you apply for a product or service where the statistical information must be recorded).
your ethnic origin.
your trade union membership.
your political beliefs.
your health (like where you apply for an insurance policy).
your sex life (like where you apply for an insurance policy).
your biometric information (like to verify your identity).
your criminal behaviour and alleged commission of an offence (like to prevent fraud as required by law or when you apply for employment or enter into a relationship with us).

1.3.4 When will we process your special (sensitive) personal information?

We may process your special (sensitive) personal information in the following circumstances:

if you have consented to the processing.
if the processing is needed to create, use or protect a right or obligation in law.
if the processing is for statistical or research purposes and all legal conditions are met.
if the special personal information was made public by you.
if the processing is required by law.
if racial information is processed, and the processing is required to identify you.
if health information is processed, and the processing is to determine your insurance risk, or to comply with an insurance policy or to enforce an insurance right or obligation.

1.3.5 When and from where will we obtain personal information about you?

We only collect personal information from you directly.

We collect information about you based on your use of our products, services or service channels (like our websites).
We collect information about you based on how you engage or interact with us such as on social media, emails, letters, telephone calls, surveys.
We collect information about you from public sources and from third parties we interact with for the purposes of conducting our business.

If the law requires us to do so, we will ask for your consent before collecting personal information about you from third parties. The third parties from whom we may collect your personal information include, but are not limited to, the following:

Bank Zero associates, cessionaries, delegates, assigns, affiliates or successors in title and / or appointed third parties (like its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this Privacy Policy.
your spouse, dependents, partners, employer, joint applicant or account holder and other similar sources.
people you have authorised to share your personal information, like a medical practitioner for insurance purposes.
attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements.
payment processing services providers, merchants, banks and other persons that assist with the processing of your payment instructions, like card scheme providers (like VISA or MasterCard).
insurers, brokers, other financial institutions or other organisations that assist with insurance and assurance underwriting, the providing of insurance and assurance policies and products, the assessment of insurance and assurance claims and other related purposes.
law enforcement and fraud prevention agencies and other persons tasked with the prevention and prosecution of crime.
regulatory authorities, industry ombudsman, governmental departments, local and international tax authorities.
credit bureaux;
trustees, Executors or Curators appointed by a court of law;
our service providers, agents and sub-contractors like couriers and other persons we use to offer and provide products and services to you;
courts of law or tribunals;
our joint venture partners;
marketing list providers.

1.3.6 What reasons must we have to process your personal information?

We will process your personal information for the following reasons:

to provide you with products, goods and services;
to market our products, goods and services to you;
to respond to your enquiries and complaints;
to comply with legislative, regulatory, risk and compliance requirements (including directives, sanctions and rules), voluntary and involuntary codes of conduct and industry agreements or to fulfil reporting requirements and information requests;
to detect, prevent and report theft, fraud, money laundering and other crimes. This may include the processing of special personal information, like alleged criminal behaviour or like the supply of false, misleading or dishonest information when registering an application with us or avoiding liability by way of deception;
to enforce and collect on any agreement when you are in default or breach of the agreement terms and conditions, like tracing you or to institute legal proceedings against you;
to conduct market and behavioural research, including scoring and analysis to determine if you qualify for products and services;
to develop, test and improve products and services for you;
for historical, statistical and research purposes, like market segmentation;
to process payment instruments and payment instructions;
to conduct affordability assessments, credit assessments and credit scoring;
to disclose and obtain personal information from credit bureaux regarding your credit history;
to enable us to deliver goods, documents or notices to you;
for security, identity verification and to check the accuracy of your personal information;
to communicate with you and carry out your instructions and requests;
for customer satisfaction surveys, promotional and other competitions;
to enable you to take part in and make use of value-added products and services;
to assess our lending and insurance risks;
for any other related purposes.

1.3.7 How will we use your personal information for marketing?

By being a customer of Bank Zero, you give permission that we may send you operational notices as they relate to account or card activity (or inactivity), system problems and/or other operational banking matters. This is crucial to your experience of the bank and cannot be opted out of.

We will use your personal information to market Bank Zero related products and services to you. We could do this in person, by post, telephone, or electronic channels such as SMS and email. If you are not our customer, or in any other instances where the law requires, we will only market to you by electronic communications with your consent. In all cases you can request us to stop sending marketing communications to you at any time.

1.3.8 When will we use your personal information for automated decisioning?

An automated decision is made when your personal information is analysed to decide without human intervention in that decision-making process. We may use your personal information to make an automated decision as allowed by the law. An example of automated decision making is the approval or decline of an application. You have a right to query any such decisions made and we will provide reasons for the decisions as far as reasonably possible.

1.3.9 When, how and with whom will we share your personal information?

In general, we will only share your personal information if any one or more of the following apply:

if you have consented to this;
if it is necessary to conclude or perform under a contract, we have with you;
if the law requires it;
if it is necessary to protect or pursue your, our or a third party’s legitimate interest.

Where required, Bank Zero may share your personal information with the following persons. These persons have an obligation to keep your personal information secure and confidential:

other members of Bank Zero, its associates, cessionaries, delegates, assigns, affiliates or successors in title and / or appointed third parties (like its authorised agents, partners, contractors and suppliers) for any of the purposes identified in this Privacy Policy;
our employees as required by their employment conditions;
attorneys, tracing agents, debt collectors and other persons that assist with the enforcement of agreements;
payment processing services providers, merchants, banks and other persons that assist with the processing of payment instructions;
law enforcement and fraud prevention agencies and other persons tasked with the prevention and prosecution of crime;
regulatory authorities, industry ombuds, governmental departments, local and international tax authorities and other persons the law requires us to share your personal information with;
our service providers, agents and sub-contractors like couriers and other persons we use to offer and provide products and services to you;
persons to whom we have ceded our rights or delegated its obligations to under agreements, like where a business is sold;
courts of law or tribunals that require the personal information to adjudicate referrals, actions or applications;
the general public where you submit content to our social media sites like our Facebook page;
trustees, Executors or Curators appointed by a court of law;
our joint venture and other partners with whom we have concluded business agreements.

1.3.10 When will we transfer your personal information to other countries?

We will only transfer your personal information to third parties in another country in any one or more of the following circumstances:

where your personal information will be adequately protected under the other country’s laws;
where the transfer is necessary to enter into or perform under a contract with you, or a contract with a third party that is in your interest;
where you have consented to the transfer;
where it is not reasonably practical to obtain your consent, the transfer is in your interest.

This transfer will happen within the requirements and safeguards of the law. Where possible, the party processing your personal information in the other country will agree to apply the same level of protection as available by law in your country or if the other country’s laws provide better protection the other country’s laws would be agreed to and applied.

1.3.11 What are your duties and rights regarding your personal information we hold?

You must provide proof of identity when enforcing the rights below. You must inform us when your personal information changes. You have the right to request access to the personal information we have about you by contacting us. This includes requesting:

confirmation that we hold your personal information;
a copy or description of the record containing your personal information;
the identity or categories of third parties who have had access to your personal information.

We will attend to requests for access to personal information within a reasonable time. You may be required to pay a reasonable fee to receive copies or descriptions of records, or information about third parties. We will inform you of the fee before attending to your request. Please note that the law may limit your right to access information.

You have the right to request us to correct or delete the personal information we have about you if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully or we are no longer authorised to keep it. You must inform us of your request in writing. We may request documents from you to verify the change in personal information.

A specific agreement that you have entered into with us may determine how you must change your personal information provided at the time when you entered into the specific agreement. Please adhere to these requirements. If the law requires us to keep the personal information, it will not be deleted upon your request. The deletion of certain personal information may lead to the termination of your business relationship with us. You may object on reasonable grounds to the processing of your personal information.

We will not be able to give effect to your objection if the processing of your personal information was and is permitted by law; you have provided consent to the processing and our processing done according to your consent or the processing is necessary to conclude or perform under a contract with you.

Where you have provided your consent for the processing of your personal information, you may withdraw your consent. If you withdraw your consent, we will explain the consequences to you. We may proceed to process your personal information even if you have withdrawn your consent if the law permits or requires it. It may take up to 15 business days for the change to reflect on our systems, during this time we may still process your personal information.

You have a right to file a complaint with us or any Regulator with jurisdiction about an alleged contravention of the protection of your personal information by us. We will address your complaint as far as possible.

1.3.12 How will we secure your personal information?

We will take appropriate and reasonable technical and organisational steps to protect your personal information according to industry best practices. Our security measures (including physical, technological and procedural safeguards) will be appropriate and reasonable. This includes the following:

keeping our systems secure (like monitoring access and usage);
storing our records securely;
controlling the access to our buildings, systems and/or records;
safely destroying or deleting records.

1.3.13 How long will we keep your personal information?

We will keep your personal information for as long as:

the law requires us to keep it;
a contract between you and us requires us to keep it;
you have consented for us keeping it;
we are required to keep it to achieve the purposes listed in this Privacy Policy;
we require it for statistical or research purposes;
a code of conduct requires us to keep it;
we require it for our lawful business purposes.

Take note: We may keep your personal information even if you no longer have a relationship with us if the law permits.

1.3.14 What is our cookie policy?

A cookie is a small piece of data sent from our websites or applications to your computer or device hard drive or Internet browser where it is saved. The cookie contains information to personalise your experience on our websites or applications and may improve your experience on the websites or applications. The cookie will also identify your device, like the computer or smart phone.

By using our websites or applications you agree that cookies may be forwarded from the relevant website or application to your computer or device. The cookie will enable us to know that you have visited the website or application before and will identify you. We may also use the cookie to prevent fraud.

1.3.15 How do we process information about related persons?

If you provide the personal information of a related person to us, you warrant that the related person is aware that you are sharing their personal information with us and that the related person has consented thereto. We will process the personal information of related persons as stated in this Privacy Policy, thus references to “you” or “your” in this Privacy Policy will include related persons with the necessary amendments.