Privacy Policy

Last updated: January 2025

Version 2.0 - POPIA Compliant

📋 Important Notice

This Privacy Policy is legally binding. By using e-skoloto, you acknowledge that you have read, understood, and agree to be bound by this policy. If you do not agree, please do not use our services.

Minimum Age: Our services are only available to persons 18 years and older. We do not knowingly collect information from minors.

🏒 Responsible Party Information

Company: Townishmart (Pty) Ltd

Trading As: e-skoloto

Registration: South African Private Company

Information Officer: Sibusiso Elliot Nhlapo

Email: services@townishmart.co.za

Privacy Email: services@townishmart.co.za

WhatsApp (Messages Only - No Calls): +27 67 224 0565

Address: Johannesburg, Gauteng, South Africa

📊 Legal Basis for Processing (POPIA Section 11)

We process your personal information based on the following lawful grounds:

✅ Your Consent

For marketing communications, optional features, and non-essential processing. You may withdraw consent at any time.

Contractual Necessity

To provide loan services, process applications, manage your account, and fulfill our obligations to you.

⚖️ Legal Obligation

To comply with FICA (identity verification), NCA (responsible lending), tax laws, and other regulatory requirements.

🛡️ Legitimate Interest

For fraud prevention, service improvement, security monitoring, and protecting our legal rights.

📊 Data We Collect

We collect only the minimum information necessary to provide our services:

1. Account Information (Required)

What: Full name, ID number, email address, phone number

Why: Account creation, identity verification (FICA), communication

Legal Basis: Contract, Legal Obligation

2. Financial Data (Required for Loans)

What: Bank statement analysis results, income/expense patterns, loan history

Why: Loan assessment, affordability checks, NCA compliance

Legal Basis: Contract, Legal Obligation

Note: Bank statements are processed immediately and deleted within 24 hours. Only analysis results are retained.

3. Credit Information (When Applicable)

What: Credit bureau reports, credit score, payment history

Why: Credit assessment, NCA compliance, responsible lending

Legal Basis: Consent, Legal Obligation

4. Usage Data (Automatic)

What: IP address, device type, browser, pages visited, timestamps

Why: Security, fraud prevention, service improvement

Legal Basis: Legitimate Interest

5. Communications (When You Contact Us)

What: Email content, support tickets, chat messages

Why: Customer support, complaint resolution

Legal Basis: Contract, Legitimate Interest

🌍 Cross-Border Data Transfers (POPIA Section 72)

⚠️ Important Disclosure

Your data is stored on Google Cloud Platform and Firebase servers, which may be located outside South Africa (including USA, Europe, Singapore, and other regions).

Why We Transfer Data Internationally:

We use Google Cloud Platform and Firebase for secure, reliable infrastructure. These services operate globally to provide optimal performance and redundancy.

Adequate Protection Measures:

  • ✅ Standard Contractual Clauses: Google uses EU-approved data transfer agreements
  • ✅ ISO 27001 Certification: International security standards
  • ✅ SOC 2 Type II Compliance: Audited security controls
  • ✅ GDPR Compliance: Meets European data protection standards
  • ✅ Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)

Your Rights:

By using our service, you consent to this international data transfer. You may withdraw consent, but this will prevent us from providing services. Contact our Information Officer to discuss alternatives.

Google's Privacy Policy: policies.google.com/privacy

⏰ Data Retention Periods (POPIA Section 14)

We retain your information only as long as necessary for legal and business purposes:

Bank Statement Files:

Processed immediately and permanently deleted within 24 hours of upload

Financial Analysis Results:

Retained for 12 months from last loan application or until account closure

Account Information:

Duration of active account + 5 years after closure (FICA requirement)

Loan Records & Agreements:

5 years after loan closure (NCA requirement - Section 67)

FICA Verification Documents:

5 years after account relationship ends (FICA Section 22)

Transaction Records:

5 years (FICA and tax compliance)

Marketing Consent:

Until withdrawn or 2 years of inactivity

Usage Analytics (Anonymized):

24 months for service improvement

Note: After retention periods expire, data is securely deleted or anonymized beyond recovery.

🎯 How We Use Your Data (Purpose Specification)

We use your personal information only for the following specific purposes:

  • Loan Processing: Assess eligibility, calculate affordability, process applications, disburse funds
  • Account Management: Create and maintain your account, authenticate access, provide dashboard
  • Regulatory Compliance: FICA identity verification, NCA responsible lending checks, tax reporting
  • Credit Assessment: Analyze financial health, check credit bureaus (with consent), determine loan terms
  • Financial Insights: Provide AI-powered budgeting advice, spending analysis, savings recommendations
  • Communication: Send loan notifications, account updates, security alerts, customer support
  • Fraud Prevention: Monitor suspicious activity, verify identity, protect against unauthorized access
  • Service Improvement: Analyze usage patterns (anonymized), fix bugs, enhance features
  • Marketing (with consent): Send promotional offers, product updates, financial tips
  • Legal Obligations: Respond to court orders, comply with law enforcement, enforce terms

We will never use your data for purposes beyond those listed without obtaining your explicit consent.

🀝 Third-Party Data Sharing

We share your information only when necessary and with your consent:

🏦 Credit Bureaus (With Your Consent)

Who: TransUnion South Africa, Experian South Africa, Compuscan, XDS

What: Name, ID number, loan application details, repayment history

Why: Credit checks, NCA compliance, fraud prevention

Your Rights: Access your credit report, dispute inaccuracies, request corrections

☁️ Technology Providers

Google Firebase/Cloud: Authentication, database, hosting (see Cross-Border Transfers section)

Security: Encrypted data, access controls, audit logs

💳 Payment Processors (When Applicable)

Purpose: Loan disbursement, repayment processing

Data: Bank account details (encrypted), transaction amounts

Compliance: PCI-DSS certified processors only

⚖️ Legal & Regulatory

Who: NCR, SARS, law enforcement, courts

When: Legal obligation, court order, regulatory audit

What: Minimum necessary information only

🚫 What We DON'T Do

❌ Sell your data to marketers

❌ Share with social media platforms

❌ Provide to data brokers

❌ Use for unrelated purposes

🛡️ Security Measures (POPIA Section 19)

Encryption

TLS 1.3 in transit, AES-256 at rest

🔑 Authentication

Firebase Auth, multi-factor available

🏦 No Bank Credentials

We never store banking passwords

☁️ Serverless Architecture

No persistent servers, auto-scaling

📊 Access Controls

Role-based permissions, audit logs

Monitoring

24/7 security monitoring, intrusion detection

🚨 Data Breach Notification (POPIA Section 22)

In the event of a data breach that compromises your personal information:

1. We Will Notify You

Within 72 hours of discovering the breach, via email and in-app notification

2. We Will Notify the Information Regulator

As required by POPIA Section 22(1)

3. We Will Provide Details

Nature of breach, data affected, potential impact, remedial actions taken

4. Your Rights

You may lodge a complaint with the Information Regulator (contact details below)

🤖 Automated Decision-Making & AI

We use artificial intelligence and machine learning for:

  • Bank Statement Analysis: Automated categorization of transactions
  • Loan Eligibility: AI-powered affordability assessment
  • Financial Recommendations: Personalized budgeting and savings advice
  • Fraud Detection: Pattern recognition for suspicious activity

Your Rights Regarding Automated Decisions:

✅ Request human review of any automated decision

✅ Understand the logic and factors behind AI decisions

✅ Challenge decisions you believe are incorrect

✅ Opt out of automated marketing (does not affect loan processing)

👤 Your Rights Under POPIA

📄 Access (Section 23)

Request a copy of all personal data we hold about you

Timeframe: 30 days

✏️ Correction (Section 24)

Update or correct inaccurate information

Timeframe: 7 days for simple corrections

🗑️ Deletion (Section 25)

Request deletion of your data (subject to legal retention requirements)

Note: Some data must be retained for 5 years (FICA/NCA)

📦 Portability

Export your data in machine-readable format (JSON/CSV)

Timeframe: 14 days

🚫 Object (Section 11(3))

Object to processing based on legitimate interest

Note: May affect service availability

⏸️ Restrict Processing

Temporarily limit how we use your data

When: Disputing accuracy or lawfulness

❌ Withdraw Consent

Withdraw consent for marketing or optional processing

Effect: Immediate, does not affect past processing

📢 Lodge Complaint

File complaint with Information Regulator

No cost: Free complaint process

How to Exercise Your Rights:

📧 Email: services@townishmart.co.za

📱 WhatsApp (Messages Only - No Calls): +27 67 224 0565

💻 In-app: Account Settings → Privacy & Data

We will respond within 30 days and provide reasons if we cannot fulfill your request.

🔄 Consent Withdrawal Process

You may withdraw consent for non-essential processing at any time:

Method 1: Email

Send request to services@townishmart.co.za with subject "Withdraw Consent"

Method 2: Account Settings

Log in → Settings → Privacy → Manage Consents

Method 3: WhatsApp

Message +27 67 224 0565 (WhatsApp only - no calls) and request consent withdrawal

Processing Time: Immediate for marketing. Up to 30 days for other processing. Note: Withdrawal may affect our ability to provide certain services.

Cookies and Tracking

Essential Cookies (Required)

Authentication, security, session management

Cannot be disabled - necessary for service functionality

Analytics Cookies (Optional)

Google Analytics (anonymized IP), usage patterns, performance monitoring

Can be disabled in browser settings

We do NOT use advertising or social media tracking cookies.

👶 Children's Privacy

Our services are NOT available to persons under 18 years of age.

We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at services@townishmart.co.za and we will delete it within 48 hours.

🔗 Third-Party Links

Our service may contain links to third-party websites (e.g., credit bureaus, payment processors). We are not responsible for their privacy practices. Please review their privacy policies before providing any information.

Policy Updates

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:

  • ✅ We will notify you via email and in-app notification
  • ✅ We will update the "Last Updated" date at the top
  • ✅ We will provide 30 days' notice before changes take effect
  • ✅ Continued use after changes constitutes acceptance

You may request previous versions of this policy by contacting services@townishmart.co.za

📞 Contact & Complaints

Information Officer

Name: Sibusiso Elliot Nhlapo

Email: services@townishmart.co.za

WhatsApp (Messages Only - No Calls): +27 67 224 0565

Response Time: 30 days

Privacy Inquiries

Email: services@townishmart.co.za

Subject Line: Include "Privacy Request"

Response Time: 5 business days

Information Regulator (South Africa)

Website: inforegulator.org.za

Email: inforeg@justice.gov.za

WhatsApp: 012 406 4818

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Complaints: Free of charge

🇿🇦 POPIA Compliance Statement

e-skoloto is committed to full compliance with South Africa's Protection of Personal Information Act (POPIA), Act 4 of 2013.

✅ Accountability (Section 8)

Designated Information Officer, documented policies, regular audits

⚖️ Processing Limitation (Section 9-12)

Lawful basis, purpose specification, minimal collection, consent management

🎯 Purpose Specification (Section 13-14)

Clear purposes, specific retention periods, secure deletion

📊 Further Processing (Section 15)

Compatible purposes only, new consent for unrelated uses

ℹ️ Information Quality (Section 16-17)

Accurate, complete, up-to-date, correction mechanisms

Openness (Section 18)

Transparent policy, accessible documentation, clear communication

🔒 Security Safeguards (Section 19)

Encryption, access controls, breach procedures, regular testing

👤 Data Subject Participation (Section 23-25)

Access, correction, deletion rights, complaint procedures

📋 Regulatory Compliance

This policy complies with:

  • Protection of Personal Information Act (POPIA), Act 4 of 2013 - Full compliance with all 8 conditions
  • National Credit Act (NCA), Act 34 of 2005 - Responsible lending, consumer protection, record retention (Section 67)
  • Financial Intelligence Centre Act (FICA), Act 38 of 2001 - Customer due diligence, identity verification, 5-year retention (Section 22)
  • Electronic Communications and Transactions Act (ECTA), Act 25 of 2002 - Electronic signatures, data messages
  • General Data Protection Regulation (GDPR) - International data protection standards