This Privacy Notice sets out the basis on which Payfast collects, uses, shares and otherwise processes any Personal Information. Please read the following carefully to understand Payfast’s views and practices regarding Personal Information and how Payfast will treat it. By accessing and using Payfast Services, including Payfast’s interactions with you via our websites (including but not limited to payfast.io), mobile sites and applications (“Sites”), you agree to the transfer, storing and processing of Personal Information as set out in this Privacy Notice.
“Card” When Payfast uses the word ‘card’ in this notice, it applies to all payment methods and types and not simply those involving a physical card; and use of the term ‘cardholder’ applies to any shopper or individual whose payment transactions may be processed.
“Payfast” means Network International Holdings Plc., 3G Direct Pay Holdings Limited, any of its subsidiaries or affiliates.
“Payfast Services” means the products and services which are being offered by Payfast.
“Personal Information or Personal Data” for purposes of this Policy means any information relating to an identified or identifiable individual.
You are important
It is not mandatory for you to provide the Personal Information that we have requested, but, if you choose not to do so, unfortunately, we will not be able to provide you with our Services or respond to any queries you may have.
Principles of Data Processing
Payfast shall apply the following principles when processing your Personal Information:
1. Lawfulness, fairness and transparency: All Personal Information will be processed fairly, transparently and in compliance with applicable laws.
2. Purpose: Any Personal Information collected will be used for a stated purpose.
3. Data Minimization: Payfast will collect only the Personal Information that is adequate and relevant to the purposes for which it is collected.
4. Accuracy: Payfast will keep the Personal Information accurate and, where necessary, up to date.
5. Storage Limitation: Personal Information will be stored with Payfast for a defined period as per its policy or applicable law.
6. Integrity and Confidentiality: Payfast will implement appropriate technical, organizational and physical security measures to protect Personal Information.
What kind of Personal Information do we collect?
Payfast collects Personal Information relating to cardholders, merchants or other customers, suppliers and other business partners in order to carry out its business activities. Payfast may collect Personal Information from various sources, including:
- Information you voluntarily provide, either directly or via our customers;
- Information automatically collected when you use our Sites and Services, including in our role as a payment processor;
- Information collected by cookies and other tracking technologies when you use our Sites;
This Personal Information may include:
Contact information, Demographic information, Identification information, Payment transaction information, Financial and credit card information, Technical information, Social media posts, Applications (including job applications)
We also collect information in a form that does not, on its own, permit direct association with any specific individual such as occupation, language, zip/area code, location, time zone, etc. We may collect, use, transfer, and disclose non-personal information for any purpose. This information is aggregated and used to help us provide more useful information to our customers and to understand which portions of Services are of most interest. This aggregated data is considered non personal information for the purposes of this Privacy Notice.
How do we use your Personal Information?
Payfast uses Personal Information internally in relation to:
1. Conduct its Operations, Risk Management, Transaction Processing, Marketing, development of existing and new Products and for Legal, compliance, regulatory or law enforcement purposes.
2. Online Session Information and Use is Collected to Improve Your Experience
We may also collect technical and navigational related Personal Information, such as computer browser type, Internet protocol address, pages visited, and average time spent on our Site. This Personal Information may be used, for example, to alert you to software compatibility issues, or it may be analyzed to improve our design and functionality of the Payfast Sites and the Services.
We treat the information received from cookies and other technologies as non-personal information.
You will have the option to disable cookies. If you choose to do so, unfortunately, certain features of the Payfast website and the Services will not be available once cookies are disabled.
Some web browsers may send out ‘do not track’ signals. There is no industry standard currently in place as to what websites and other online services should do upon receipt of such signals. Should such a standard be developed, Payfast will re-visit its notice, but currently takes no action upon receipt of such signals.
Payfast may offer certain features that are only available through the use of tracking technologies. Temporary cookies are used to enable you to navigate our site and use its features. These are deleted when you close your browser. IP addresses are used in conjunction with cookies for the purpose of “remembering” computers or other devices used to access our Sites.
Analytical or performance cookies collect anonymous information about how visitors use our websites. They allow us to analyse information such as the count of visitors to our websites, what search terms our visitors are using, what pages are viewed, and the last page visited. This information is based on the visitor’s IP address, and we cannot view individual activity tied to a single person.
To the extent that Internet Protocol (IP) addresses (or similar identifiers) are clearly defined to be Personal Information under any local law and where such local law is applicable to Payfast Services, Payfast will manage such identifiers as Personal Information.
Payfast Sites may also contain links to and from third party websites, including those of partner Payfast, advertisers and affiliates. Please note that these websites may have their own privacy notices and cookies policies, and Payfast does not accept any responsibility or liability for these third party websites. The inclusion of links to third party websites in no way constitutes an endorsement by us of such websites’ content, actions, or policies.
How We Use Anonymized Data: Peer Comparisons, Research & Development
Payfast may make anonymous or aggregate Personal Information and disclose such data only in a non-personally identifiable manner to:
(i) advertising, measurement or analytics partners approved by Payfast that conduct research into consumer spending;
(ii) deliver products and services to other clients; and
(iii) Users of the Service for purposes of comparison of their financial situation relative to the broader community.
With whom does Payfast share Personal Information and for what purposes?
Before we share Personal Information, we ensure there are adequate safeguards in place to protect the processing of that data. Payfast does not disclose information that could identify you personally to anyone, except as described in this notice, including, but not limited to:
- Any Payfast group company;
- Any group company (such as advisers, share plan, payroll and other third party administrators, agents or contractors working on behalf of Payfast);
- Financial institution clients;
- Service providers and other third parties under contract who help with our business operations (including, but not limited to, fraud investigations, site analytics and operations);
- Regulatory, legal and judicial authorities;
- Social media sites integrated into web services that we offer;
- Governmental or quasi-governmental organizations; and
- Potential purchasers of Payfast.
Payfast may disclose Personal Information to third parties for the following purposes:
- Legal or regulatory purposes
- Business purposes
- Suppliers who assist Payfast with the provision of its Services
Information on cross-border data transfers
Payfast has its headquarters in Cape Town, South Africa. Payfast, a subsidiary of Network International Holdings Plc., has its registered office in Dubai, UAE. Payfast has offices and operations in other countries including Kenya, Botswana, South Africa, Nigeria, Namibia, Ghana, Zambia, Malawi, Rwanda, Uganda, and UAE. The data Payfast collects from you may be transferred, stored and processed in a country different from where the data was collected.
By using our Payfast Sites and Services, you are permitting Payfast (or its authorized service providers) to process, store and transfer Personal Information to a country which is different from where the data was collected. The transfer of information will often be in furtherance of a contract to which you or your bank/merchant are a party. In other cases, the transfer of information will be consistent with the legitimate interests of conducting Payfast Services.
Individual’s Privacy Rights (data subject rights)
Certain laws and regulations give individuals data subject rights in relation to their Personal Information (for example, the right to access that data, to rectify inaccurate data, or to erase Personal Information). In certain circumstances, data subjects may have such rights in respect of the Personal Information processed by Payfast.
In such circumstances, where a request to exercise such a right is received by Payfast, it must be forwarded to [email protected] so that it can be handled in accordance with applicable laws and statutory timeframes.
How do we keep your Personal Information safe and secure?
We are bound by our Group Policies
Our employees are committed to maintaining the highest data protection standards by complying with this Privacy Notice and our other policies including our Code of Conduct and Group Data Protection Policy. The Board Audit and Technology Committee has the overall responsibility to review the adequacy and effectiveness of the Group Data Protection Policy, ensure compliance with the same, and review and approve changes to the said Policy wherever considered appropriate.
All our employees receive training on these important requirements at least annually.
We Are Committed To Keeping Your Personal Information Secure
The security of your Personal Information is important to us. As discussed below, we utilize physical, electronic and procedural security measures to protect against loss, misuse, and alteration of Personal Information under our control. We adhere to industry standard practices and security measures and our practices are independently validated annually enabling us to comply with ISO 27001 (where applicable) and PCI-DSS standards to safeguard and secure the information we collect.
No method of transmission over the Internet, or method of electronic storage, is completely secure. Therefore, we cannot guarantee its absolute security. Any transmission is at your own risk.
We use a combination of firewall barriers, encryption techniques and authentication procedures, among others, to maintain the security of your online in-app session and to protect Payfast accounts and systems from unauthorized access. Our servers are in a secure facility. Access requires multiple levels of authentication. Security personnel monitor the system 7 days a week, 24 hours a day.
We Enforce Physical Access Controls to Our Facilities
No employee may put any Personal Information or account Personal Information on any insecure machine (i.e., nothing can be taken from the database and put on an insecure laptop). In addition, Payfast frequently tests the Service for any failure points that would allow hacking.
However, it is important to understand that these precautions apply only to our Service and systems. We exercise no control over how your Personal Information is stored, maintained or displayed by third parties or on third-party sites.
Our Service Ensures Secure Communications with Encryption
From the time you submit your login ID and password, communications between your device and Payfast are encrypted. This enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering and message forgery.
You are responsible for keeping your login ID, password, mobile device, and email account safe and confidential.
You also agree that you control and limit access to the email account and mobile device. If your email address or your mobile device changes, you are responsible for informing us of that change.
Restrictions and Monitoring of Our Partners and third parties
Any partners we work with have been selected in accordance with our security and risk management policies and practices and are bound by contractual obligations which include compliance with Payfast policies and requirements relating to confidentiality, privacy and security. They may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
We may also use third party vendors or service providers to help us provide the Service to you, such as sending e-mail messages on our behalf or hosting and operating a particular feature or functionality of the Service. We require such third parties to maintain the confidentiality of the Personal Information we provide to them.
How long does Payfast store and retain Personal Information?
Payfast will store Personal Information only for the greater of the period necessary to achieve the purposes for which it was collected and the period required by applicable law. Retention periods for transaction and other data categories may vary, depending on our obligations. For example, legal and regulatory compliance with anti-money laundering (AML) and KYC requirements, operational demands, business requirements or dates we assigned based on contracts will also need to be taken into account, and may require retention for a period of up to 7 years after the data was collected or after the merchant or other customer relationship has ended.
What happens in case of a data breach?
In case Payfast is faced with a breach of Personal Information, Payfast shall inform the relevant authorities and the data subjects/data controller where required by applicable law and shall take necessary steps to mitigate the impact of such breach.
Changes and updates to the privacy notice
Payfast may, from time to time, make changes to this Privacy Notice. If any material changes are made as to how Payfast treats Personal Information, you will be notified through this notice on Payfast’s Sites.
We have appointed a Group Data Protection Officer (DPO). If you have questions, comments, concerns or feedback regarding this Privacy Notice or any other privacy concern, contact Payfast at [email protected]
Last modified: 30 March 2023