Privacy notice

This Privacy Notice applies to you if you are:

• A visitor to our website or a user of any Capitec Mobile App or Remote Banking Site.
• A prospective client who has applied to use the products and services offered by us.
• An existing client who uses the products and services that we provide.
• A data subject whose personal information we process, e.g., employees, vendors.

Personal information means information, in any format, relating to an identified or identifiable, living natural person or existing juristic person. You are identifiable if you can be identified, directly or indirectly, by reference to an identifier (for example, your ID number, account number, etc.) or accumulated information that together has a reasonable likelihood of resulting in the identification of you as the data subject by a person in possession of such information. For current purposes, personal information refers only to the personal information collected by us and does not include personal information that you may have willingly shared on other platforms (e.g., on social media sites in the public domain).

Personal information excludes:

• Information that has been made anonymous so that it does not identify a specific person.
• Permanently de-identified information that does not relate or cannot be traced back to you specifically.
• Non-personal statistical information collected and compiled by us.

We collect your personal information in the following instances:

• When you visit our website or use any Capitec Mobile App or Remote Banking Site.
• When applying to open a bank account, take out an insurance policy, or when you use any of our products or services.
• To communicate with you and to act on your instructions.
• When you supply us with optional information voluntarily.
• When you perform transactions on your account, we will collect your transaction history and transacting activities.
• Personal preferences or behavioural trends that we can infer from your use of our products and services and other engagements with us, with your consent.
• Information required by us to comply with the law and our regulatory and compliance obligations.

We will only collect your information in line with relevant regulations and laws. The information we collect may include information that you provide to us, for example:

• Personal details, for example, your name and surname, previous names and surnames, gender, date of birth, and occupation.
• Information concerning your identity, for example, an identification number such as your South African ID number or Passport number.
• Contact details, for example, your home/work/postal/email addresses and telephone numbers.
• Biometric information linked to your account, for example, photographic identification and biometric fingerprint information.
• Demographic information, for example, your gender and/or marital status.
• Credit bureau information, data about you held at a registered credit bureau.
• Transactional behaviour data, data about how you interact with our products and services and the transactions you perform on any Capitec account.
• User login data, for example, your login credentials for the Capitec Mobile App or Remote Banking Site.
• Geolocation information, Location information is the approximate geographic location at the time of using the Capitec app or performing a Capitec transaction.
• Other information about you that you give us by filling in forms, surveys, or by communicating with us, whether face-to-face, by telephone, email, online, live chat etc.

Depending on the products and services that you require, we may also collect sensitive personal information about you, for example:

• Financial information such as your bank account details.
• Special personal information such as:
  • Demographic information, for example, your race or ethnicity, or health-related information for insurance purposes.
  • Criminal information, for example, information about your commission or alleged commission of any criminal offence or about any related legal proceedings.

• Personal information of children under the age of 18 (eighteen).

Depending on the products and services that you use, we may also collect or generate the following information about you:

• Information about you or those you represent, and their relationship with us, including the channels you use and your ways of interacting with us, and the Capitec Mobile App or Remote Banking Site, as well information concerning complaints and disputes.
• Information gathered to assess and/or verify claims where relevant, including:
  • Information that confirms if you have passed away to enable us to pay out insurance benefits to your beneficiaries.
  • Employment data for when we assess a retrenchment claim.
  • Medical and other information for when we assess a lump sum disability or temporary disability claim.

• Authentication information such as your biometric information, which includes your voice for voice ID, photographic identification and biometric fingerprint information to verify you as a Capitec client.
• Cookies, and similar technologies we use to recognise you, remember your preferences and tailor the content we provide to you. Our cookie policy available at Cookie Policy | Privacy Centre | Capitec contains more details about how we use cookies.
• Investigations data, for example, due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata related to relevant exchanges of information between and among individuals, and organisations, including emails, voicemails and live chat.
• Records of correspondence and other communications between us, including emails, telephone conversations, live chat, instant messages, and social media communications.
• Information that we require to support our regulatory obligations, for example, information about transaction details, purpose of payment, counterparty/beneficiary information, identification documents, detection of any suspicious and unusual activity, and information about parties connected to you or these activities.
• Information about the devices you use to access the Capitec Mobile App, Remote Banking Site, or Capitec Website, for example, software and Internet Protocol (“IP”) address.
• We collect data and information (through third-party products) on your device called “Log Data” for Merchant Services and Capitec Connect products. This Log Data may include information such as your device's IP address, Device model, Device name, Device ID, operating system version, NFC functionality, the configuration of the app, the time and date of your use of this Service, and other statistical information.
• International Mobile Equipment Identity (“IMEI”) Number to provide Capitec Connect services such as Subscriber Identification Module (“SIM”) Swap, SIM Ownership Charge, Number Churn, and Porting Services Support.
• Credit bureau data when you become a Capitec client in order to provide you with Capitec products and services.
• Our personal information core processing principles are more fully described on our Privacy Centre.

We will only process your personal information where we have a lawful reason for doing so (in this instance no consent is required), or where you have consented for us to do so, either by providing you with insights and the next best actions, marketing, and to perform analysis to improve existing products or creating new products to your benefit.

This means that the personal information collected about you, may be processed through
centralised functions and systems across entities (including joint ventures and companies) in the Capitec Group and may be used for the purposes of fraud and risk monitoring and analysis to improve, develop, price, and market products or services, in the manner, and with the appropriate controls as set out below.

• Entering into or performance of a contract

We need to process your personal information to carry out the obligations of our agreement with you. This includes all the processing and pre-assessment activities that are required to enable us to sign you up for one or more of our Capitec Group products or services (for example, verifying your identity, pricing all contracts, assessing and verifying claims, assessing whether you qualify for a product or service, enrolling you for electronic signatures, obtaining your credit bureau information etc.), and managing the client relationship for the duration of the contract and as required after termination of the client relationship. We pride ourselves in providing simplified banking and financial services that offer you a single view of all your Capitec products where possible. To be able to do this we collect and process your personal and special personal information through centralised
functions and systems across entities (including joint ventures and companies) in the Capitec Group, to provide you with the products and services. Your data may be used for risk monitoring and analysis to improve, develop, price, and market appropriate and safe products or services that benefit you. We only do this with the appropriate controls set out in this Privacy Notice.

For some of our services, we require your location to confirm that you are within the borders of South Africa according to licensing, legal agreements or some Appstore third-party requirements, for example, this is required for us to enable the playing of Lotto on our digital banking channels and to accept payments via our Merchant Device. Location Services is also used for fraud and risk monitoring purposes. You may be required to allow the Capitec App to access your location services on your smart device while using the app. We will never collect your location in the background.

• Compliance with law and regulatory compliance obligations

We may need to process your personal information to comply with specific legal obligations. We operate in a highly regulated environment of banking, insurance, financial services, credit and other goods and services, which means that there are several laws, regulations and directives that require us to perform certain processing activities.

This may include using your personal information to help detect or prevent crime (including terrorism financing, money laundering and other financial crimes). We will only do this on the basis that it’s needed to comply with a legal obligation or it’s in our legitimate interests and that of others.

We will mostly collect information directly from you but there may be instances where we may need to obtain your information from the Department of Home Affairs, the Credit Bureaus and other public sources, to:

• Ensure that there are no deficiencies in your information.
• Ensure that your information is kept up-to-date and correct.
• Determine and manage financial crime risks.
• Identify yourself and verify your source of funds or income.

We will use the most reliable source of information to update your personal information where required.

• Legitimate interest

We process your personal information to protect your legitimate interest and where it is necessary for pursuing the legitimate interest of the responsible party or a third party to whom the information is supplied. We process your personal information based on this justification only where we believe that such processing is beneficial to you and is limited to such processing that is necessary to achieve the purpose. Where our own or a third party’s legitimate interest is used as the justification, we always consider the nature of the legitimate interest and whether there is a risk of harm or an unreasonable infringement of your right to privacy.

• Tracking or recording what you say or do

We may record details of your interactions with us, including emails, telephone conversations, live chat, and any other kinds of communications as part of our operations in line with legislation. We may use these recordings to check your instructions to us, assess, analyse, and improve our service, train our people, manage risks or prevent and detect fraud and other crimes. We may also capture additional information about these interactions, such as information about the devices or software that you use.

• Consent required: Product and Service Improvement and Development

We may use your personal information to evaluate, improve and/or personalise existing and new products and services to your benefit. Our analysis includes data analytics, statistical or other analysis including profiling to better understand how you use our services, and to respond to any service issues you may have. You can opt out of this personal information usage at any time for direct marketing and personalised offers by changing the consent settings and communication preferences on your app or through the client care centre. Alternatively, send us a request on Processing Restriction Request | Privacy Centre | Capitec. This will only opt you out of services based on consent and legitimate interest and not where the processing of your personal information is necessary when required by law or when required to carry out the obligations of an agreement we have with you.

Where you have consented to us doing so:

• We may analyse the type of transactions you perform to provide you with personalised offers to improve existing and create new products that could benefit you. (Personalised offers)
• We may send you our latest offers and products through electronic communication. (Direct Marketing)
• We may send you financial educational information to assist you in improving your financial lives.

These services aim to keep you informed about and offer you new products, services and benefits that help you to live better, but also to educate you about good financial behaviours based on your previous actions or needs.

• Where we have obtained your explicit consent for further processing activity.
• Where the personal information is available in or derived from a public record or has been deliberately made public by yourself.
• Where further processing is necessary to comply with an obligation imposed by law or for the conduct of proceedings in a court or tribunal.
• Where your personal information is processed for any function required or permitted by law to protect members of the public against financial loss due to dishonesty, malpractice, or other serious improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, or other financial services.

We may share your personal information in the following instances with others where lawful to do so:

• To provide you with products or services you have requested, for example, fulfilling a payment request or sharing information with third-party vendors who Capitec utilises.
• Where Capitec has a public or legal duty to do so, for example, for credit assessments or to assist with detecting and preventing fraud, tax evasion and financial crime.
• Where Capitec must do so in connection with regulatory reporting, litigation, governmental audit or asserting or defending legal rights and interests, for example by subpoena or court order.
• Where Capitec has a legitimate business reason for doing so.
• Where Capitec is required to do so to either manage risks, verify your identity, provide you with services requested, or to assess your suitability for products and services.
• Where Capitec has asked your permission to share the personal information, and this was consented to.
• To our employees that require the personal information to do their jobs. These include our responsible management, human resources, accounting, audit, compliance, information technology, and other personnel.
• Where we do share your personal information with third parties, we ensure that this personal information is only shared with approved third parties and that the correct due diligence is in place, such as appropriate security safeguards and confidentiality obligations to ensure that such personal information that the third party is responsible for is kept safe. We may share your personal information with third parties for the following reasons:

We keep your information in line with our data retention policy. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes. This includes managing your account and dealing with any disputes or concerns that may arise, for example, to help us respond to queries or complaints, combatting fraud and financial crime and responding to requests from regulators. If we don’t need to retain information for this period, we may destroy, delete or de-identify it. Any information retained on our systems will be kept secure in line with our Information Security Policies and Standards.

Please note: We may keep your personal information even if we no longer have a banking relationship with you or if you request Capitec to delete or destroy it if the law permits or requires us to do so.

We will take the appropriate, reasonable, technical and organisational steps to protect your personal information in line with industry best practices.

• We ensure that known threats are accounted for. We have implemented administrative, technical, personnel and physical measures to protect your personal information against loss, theft, access, and unauthorised use or changes.
• We have implemented appropriate security controls to prevent the processing of your personal information from being accidentally or deliberately compromised. This includes physical and organisational security measures such as restricted user access, responsible information handling, malware controls, encryption or obfuscation or masking, vulnerability, and penetration testing.
• We always use secure methods of transfer when storing or sharing your personal information.
• Only approved Capitec employees are allowed access to your personal information requiring this access to perform their daily tasks for Capitec.
• We ensure that if we do share your personal information with third parties, the necessary safeguards, written agreements, and due diligence are in place to protect your personal information.

Your information may be transferred to and stored in locations outside of South Africa. When we do this, we will ensure it has an appropriate level of protection and that the transfer is lawful. We will ensure that the receiving region has the same level of protection as we need to abide by in South Africa. We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests.

We will not sell your personal information. No personal information will be disclosed to anyone except as provided in this privacy notice.

You have several rights in relation to the information that we hold about you. These rights include:

• The right to access the information we hold about you and to obtain information about how we process it.
• The right to withdraw your consent to our processing of your information, which you can do at any time. We may continue to process your information if we have another legitimate reason for doing so, although this may impact your ability to continue to have access to our products and services.
• The right to request that we rectify your information if it’s inaccurate or incomplete.
• The right to request that we delete or destroy your information. However, we will retain information that is lawful and within the legally permissible retention period.
• The right to object to, and to request that we restrict our processing of your information. There may be situations where you object to, or ask us to restrict, our processing of your information but we are entitled to lawfully continue processing your information and/or to refuse your request.
• You can exercise your rights in our Privacy Centre by clicking on the following link: Exercise Your POPIA Rights | Privacy Centre (capitecbank.co.za)

You can submit a grievance about the processing of your personal information in relation to this Privacy Notice through our Privacy Centre  POPIA / Other Complaint | Privacy Centre | Capitec

You also have the right to file a complaint with the Information Regulator about an alleged contravention of the protection of your personal information. The contact details of the Information Regulator are as follows:

If we change ownership, or a merger with, acquisition by, or sale of assets to another entity we may assign our rights to the personal information we process to a successor, purchaser, or separate entity. We will disclose the transfer on our website. If you are concerned about your personal information being transferred to a new owner, you may exercise your rights in our Privacy Centre by clicking on the following link: Exercise Your POPIA Rights | Privacy Centre (capitecbank.co.za)

We review our practices regularly to ensure that your personal information is appropriately safeguarded and used in a responsible way to provide you with the most value. This may require that we change our data privacy policies or this notice from time to time. We will notify you of any changes by displaying a notice in a prominent place on our website or the Capitec App, or by another communications method, for example, by updating the date of this privacy notice. The notice will indicate the changes that we have made and when they came into effect.

Please note that Capitec may not be able to continue a banking or insurance relationship with a client or provide clients with certain products or services if they object to or do not agree with the changes.

The latest version of the notice made available on Capitec’s website will apply to client interactions with Capitec and will be accessible on Privacy Notice | Privacy Centre | Capitec