Privacy Notice

Last updated on 8 August 2023

PRIVACY NOTICE:

Welcome to the home of Mukuru.

We know your privacy is important to you, it is also important to us. Our intention is to be open and honest with you about the information we gather about you, how we use it, and who we share it with.

In simple terms, this Notice explains what we do with your personal information.

To read in full, you can download a PDF version of our Privacy Notice.

1. Definitions we use in this Notice.

The term “Mukuru” or “us” or “we” or “our” refers to the companies or any one of them that make up the “Mukuru Group”.
The “Mukuru Group” is made up of companies connected to Mukuru. This connection can be because they are owned by the same company, or because they are part of a group of related companies (also known as affiliates or members). The Mukuru Group operates under the “Mukuru” brand.
The term “you” or “your” refers to a natural person (an individual), or where applicable, a juristic person (company).
The term “Mukuru Services” means the remittance service and ancillary financial products and services provided by the Mukuru Group of companies under the trading name of Mukuru®. In South Africa, the remittance service is provided by Mukuru Africa (Pty) Ltd, and the ancillary financial products and services are provided by Mukuru Financial Services (Pty) Ltd. Outside of South Africa, the remittance service is provided by Remitix Limited with the assistance of Remitix Affiliates and the ancillary financial products and services are provided by the Remitix Affiliates. If we use the terms “our services” or “the services” in this Notice, we mean any products and services that form part of the Mukuru Services.
The term “personal data” or “personal information” means any information about you that can be used to identify you.
A “controller” is an entity that collects personal data and determines why and how it will be used.
A “processor” is the entity that processes personal data for a controller.
When we use the phrase “applicable privacy law” we are referring to the laws that apply to us and you when we process personal data. It includes, the Protection of Personal Information Act, 2013 (POPIA), the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR (UK GDPR), or the UK Data Protection Act 2018.

2. Who is responsible for your personal data?

This will depend on what services you use. Depending on the service, we may function as a controller providing you with the service, or as a processor, if we are processing on behalf of another party.

Different services are also provided by different companies within the Mukuru Group. Any sharing of personal data between Mukuru Affiliates is covered by our Binding Corporate Rules, to make sure your personal data is looked after.

If you need more information on a Mukuru Affiliate, please email [email protected]

3. How do we collect your data, when and why?

Mukuru is in the business of providing you with services and we collect your data for that purpose. Below are details on when, why, and how. We do our best to name every instance possible where your data might be processed by us. If your personal data is processed by us in a way or for a reason that isn’t listed in this Notice, rest assured that it will be processed according to applicable data protection laws. You can ask us about the personal data we process, any time, by emailing [email protected].

We get most of our data from you. For example:

When: You enter into an agreement with us, create an account or profile or ask for help.
Why: So that we can provide you with the services you want, help you before you enter into an agreement and to meet our obligations to you and the law applicable to us and our services.
When: We provide you with services.
Why: If you use our services, we need specific information to conduct our obligations. This information must be complete and correct.
When: You communication with us.
Why: We keep record of all email and chat correspondence you send us. We want to make sure we understand what you want us to do, and we want to improve our service to you. Telephone calls made to and from the Contact Centre will be recorded for quality, training, and monitoring purposes.
When: You apply for a job or sign up to receive job posting updates. We collect this information directly from you or from the online platform you uploaded your resume or application on.
Why: So that we can consider you for recruitment purposes.
Other information you give us.

When: You fill in a form on our website or App (for example, the ‘Get in touch’ section), when you take part in competitions, surveys, or questionnaires about our products or services, or otherwise. It includes, for example, information you provide when you ask about our services, ask us to contact you or when you report a problem with our website, or service.
When: You provide your products or services to us and you are our supplier or partner, we may need to collect personal data of the juristic and/or natural persons involved. We may also collect personal data related to “business contacts” (supplier’s representatives and other individuals acting as a contact point between the supplier and Mukuru).

Data might be collected from you directly, or from your organisation.

When we provide services to you, we rely on our legitimate interest to carry out these activities. But where you are our contractual counterpart, we process your data because it’s necessary for the performance of an agreement for services.

We get data about you from other members of the Mukuru Group.
When: You create an account or profile with us, use our services, ask for information or help, or otherwise communicate with us.
Why: So that we can give you the services and information you want, ensure top customer service, and follow our legal and internal anti-money laundering, fraud, and AML obligations.

We only share your data with Mukuru Affiliates in connection with our services to you, or when you have given us consent (for example, when you want to create a Mukuru profile). When we provide services to you, we rely on our legitimate interest, otherwise, we rely on your consent to carry out these activities. But where you and Mukuru have a contract, we process your data because it’s necessary for the performance of an agreement for services.

We also get your personal data from other sources. For example:
Recruiters, for job opportunities and from job applicants if you are named as a reference.
From someone who refers you for a position.
Providers who do background, criminal, credit, education, and identity checks or collect information from LinkedIn or other public sources or from data enrichment providers, for us when needed in connection with recruitment, employment and investigations.
When you take part in market research done by us or our research third-party providers.
Social Media – Depending on your settings or the privacy policies for social media and messaging services such as Facebook, LinkedIn, and Instagram, you might give us permission to access information from those accounts or services.

We will never ask you to share personal, account or security information on social media platforms. But we might ask you to message us in private through one of our official social media accounts.
From other accounts we have reason to believe you control.
From sanction lists, to make sure that the people we deal with aren’t subject to a sanction.
Third parties we work with to make services available to you, customers taking part in refer-a-friend programmes, advertising networks, analytics providers, and search information providers.
Log Files – Log data is the information we record on when, how, and which visitors are using our website or App.
Mobile App (or “App”) – When you download our Mobile App, we will collect Log Files and: Your identity information, the type of device you are using, its operating system version, and system and performance information.

Your identity and device information is used to make sure you receive proper notifications. If you let us, we may send you push notifications to tell you about events or promotions. You can turn this off at device level.

We may use mobile analytics software to help us to understand how our mobile software works on your device. It is also used to find and fix problems. This software looks at how often you use the Mobile App, the events that occur in the App, aggregated usage, performance data, and from where you downloaded the Mobile App. We don’t link this information to the personal information you put in Mobile App.
Cookies and similar technologies

A cookie is a small file placed on your device’s hard drive. It allows our website or App to identify your device. Cookies also make it possible for us to store your preferences so we can display content, options or functions that are specific to you.
The information we collect is used to:

– Give you a better experience of our website or App (functional).
– Count the pages you visit (statistics).
– Serve you relevant promotions and advertising (marketing).

Cookies don’t give us access to your device.

Please visit our Cookie Policy here for more information.
When: You visit our offices or premises we may collect your personal data, including CCTV recordings in certain areas (we may use third parties to provide these services). Only images are caught on camera, no voice is recorded.
Why: To manage access control, to ensure the safety of employees, customers, and visitors and to identify and investigate criminal activity. This processing is done based on our legitimate interests.

Access to CCTV footage is controlled and data cannot be accessed and used without proper authorisation. You have the right to access your data, but not other’s data, unless permitted by applicable law.
Biometric Data

Biometric data is a type of personal information that can uniquely identify an individual. For example, fingerprints and facial images.
If your device enables biometric recognition, you may consent to it being used to access the App securely.

We may also use your biometric data where processing is necessary for reasons of substantial public interest to prevent or detect unlawful acts, prevent fraud, and on suspicion of terrorist financing and money laundering.
Google Maps API(s)

We use Google Places API (used to get location data and autocomplete data) and Geocoding API (which converts addresses into geographic coordinates). This data is used for address verification purposes to meet our legal requirements and for other services you may use. Google’s privacy terms applicable to the collection of this data is applicable and can be found here Privacy Policy – Privacy & Terms – Google.

Why else do we process your data?
To Comply with laws and regulations. Including rules regulating financial services, credit, insurance and more. We may also use your personal information to help detect or prevent crime (including terrorism financing, money laundering, fraud and other illicit activities and financial crimes).

We will only do this on the basis that it’s needed to comply with a legal obligation or it’s in our legitimate interests and that of others.
Troubleshoot and detect problems with the service and keep our services secure.

When we carry out these activities, we might use account and usage data. Usage data is especially relevant for investigating fraudulent activities – it allows us to construct the timeframe of account user’s activities in the case of security-related incidents and to take adequate steps for mitigation.

The security of our services is crucial for us, so for these activities we rely on our legitimate interest to maintain and improve the security of our services.
Product and Service Improvement

We use data you generate while on our website or other channels to evaluate, improve and/or personalise existing and new products and services. Our analysis includes data analytics, statistical or other analysis to better understand how you use our services, and to respond to any service issues you may have.

The general goal of these activities is to enhance your experience and improve our products and services, keep you informed about and offer you new products, services, and benefits that we hope will help you but also educate you about good financial service behaviours based on your previous actions or needs, and we rely on our legitimate interest when conducting them.
Marketing

The rules around marketing vary depending on where you are located. In some cases, you must subscribe to receive marketing communications. In others, you might not need to subscribe but will be given the option to not receive marketing communications.

Marketing communications may include competitions, promotions, our rewards program, and any other communication you ask us for. We will rely on your consent or our legitimate interest, depending on the applicable data protection law.

For B2B (business-to-business) marketing, we rely on our legitimate interest to maintain and improve our business relationships. You may proactively manage your preferences or opt-out any time, using the links/commands given in our marketing communications.

When you unsubscribe from marketing (i.e., withdraw your consent or object to the processing), we will stop sending you marketing materials. But we may keep a so-called “suppression list”. It lists your email address or phone number just to be sure that we don’t contact you with unwanted content. We rely on our legitimate interest to respect your choices when we keep this information.
Automated systems

We use automated system/s for decision-making and profiling for some products and services as part of our continuous improvement of new and existing products and services.

You may query any action we take, based on an automated decision, and ask for ‘human intervention’
Further use of your data

We process your personal data so we can do the thing you asked us to do. The only time we will use it for another ‘further’ purpose is if:

– You gave us your consent for the further processing activity.
– The personal data is available from a public record or made public by you.
– We need to, to comply with a legal obligation.

4. What data do we collect

Mukuru’s primary goal is to provide you with our products & services. The type of data we collect depends on what you want to do, and the below list may not be everything.

Children’s Information

You must be 18 years or older to use our services. We don’t provide services directly to children (as per applicable law) or proactively collect their personal information.

Customer (Sender and Policy Holder)

Title	Full Name & Surname	Preferred Name	Country of Origin	Country of Residence	Mobile Number
Email Address	Date of Birth	Address	Proof of Address Image	Gender	ID Number
Selfie	ID Document Image	Occupation	Monthly Income	Proof of Income Image	Banking Details
Order Purpose	Mukuru card details	Customer Identity Profile (i.e., Sanctions)	Medical Information (Specific to policy holder – i.e., death certificate)

Customers (Legal/Juristic persons) & Suppliers, Partners, Service Providers etc

Information on Legal/Juristic Customers and its representatives (employees, shareholders, directors etc) including position/designation within the entity	Registered and Trading Names, Registration numbers, ID and Passport Numbers, Physical addresses, Banking Details, Email Addresses, Telephone numbers, position/designation within the entity, date of birth.
Director Information	Corporate documents (registration documents etc.)

Recipient

Full names & Surname	ID Number	ID Document Image	Date of Birth	Country	Mobile Number
Relationship to Sender	Gender	Identity profile (i.e., Sanctions)	Mukuru Card details	City (i.e., Payment Location)	Signature (Collection Slip Image)

Customer (Policy Holder’s Dependent/Beneficiary and Witnessing Family Member)

Full names & Surname

Date of Birth

ID / Passport / Birth Certificate Number

Contact Number

Employment

Title	Full Name & Surname	Preferred Name	Place of residence	Mobile Number	Email Address
Date of Birth	Gender	Address	Proof of Address Image	ID Number	Photo
ID Document Image	Banking Details	Education	Work history	Medical Information
Credit, criminal and offences checks	Evaluation and assessment results	Professional information about you from business networking sites (like LinkedIn)	Internal interview notes	Information on your next of kin or emergency contact/s.	Information you share (during interviews, on your cover letter and resume etc)

Visitors to our premises

Full names & Surname

Employer

Mobile number

Reason for visit

5. How long do we keep your personal data?

We only keep your personal data for as long as we need to. This will depend on the services you want, the applicable law we must follow, our need to respond to queries or complaints, our obligation to fight fraud, financial crime and to respond to requests from regulators. We may also keep your data where we need to for our legitimate purposes.

If we don’t need to keep it, we will destroy, delete or de-identify it. All information kept on our systems is kept secure in line with our Information Security Policies and Standards.

6. Who do we share your personal data with and why?

Members of the Mukuru Group, for the reasons given in this Notice.
Business partners, suppliers and/or vendors, to help us process your personal data, for the purposes under this Notice.
Legal & Regulated Authorities. To comply with our legal obligations.
Merger and acquisition stakeholders.
As part of disclosure in the event of a merger, sale, or other asset transfer. Your information may be transferred as part of such a transaction, as permitted by law or contract.
Social media and Advertising partners.
1. Google
  We use Google Analytics, which uses cookies and similar technologies to collect and analyse information about use of the Sites and report on activities and trends. This service may also collect information regarding the use of other websites, apps, and online services.
  You can learn about Google’s practices by going to google.com/policies/privacy/partners, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at tools.google.com/dlpage/gaoptout.
  We also use Google Maps/Google Earth for some of our services. Please visit Google Maps/Google Earth Additional Terms of Service at https://maps.google.com/help/terms_maps.html for more information.
2. Meta (Facebook)
  We may use Meta Business Tools. Depending on the Meta Business Tool we use, we might share with Meta actions that you take on our website or App like, your visits to our website, your interactions on our website, use of Facebook Connect and information collected from cookies or similar technologies including the Facebook Pixel.
  We do this to measure how effective our advertising is, to improve our marketing practices, and to deliver more relevant advertising to you and people like you.
  You can exercise your data protection rights and find more information on how your data is used here.

7. What Are Your Rights?

You have the right:
1. To be informed about our collection and use of your personal data.
2. Of access to your personal data.
3. To rectify personal data, you think is inaccurate and complete information you think is incomplete.
4. To erasure (to be forgotten) – You may ask us to erase your personal data.
5. To restrict the processing of your personal data.
6. To object to the processing of your personal data.
7. To data portability – means you can ask us to transfer your personal data to another organisation. This only applies in some countries, so please contact us for more information.
8. To question automated decisions – You have the right to query a decision that we make about our services if the decision was made without any human involvement.
If you want to exercise one of these rights, we may ask you for proof of your identity first. Some of these rights do have limitations. For example, if you ask for something, but it could reveal some else’s personal information, we may refuse. If you ask that we delete your information, but legally we must keep it, or we have a compelling legitimate interest or contractual obligation to keep it, we may.
All requests must be in writing. We will try to respond within a reasonable period, but within 30 days from the date you ask. If we need more time, we will explain why. We may charge a fee for the request or refuse to action your request if it is excessive or unfound. We will give reasons if that is the case.
Please contact us at [email protected] if you want to enforce any of these rights.

8. How do we carry out international transfers of your personal data?

Mukuru is international. For this reason, we may transfer your personal information to other countries. Those countries may have different laws and data protection compliance requirements, than the country where you are located.

Over border transfers will be done in line with applicable data protection laws that require specific technical and organisational security measures and contractual transfer safeguards, like the EU’s Standard Contractual Clauses and the UK’s Addendum for restricted transfers.

9. Our Security Practices

Mukuru’s security systems and controls are designed to keep confidentiality, prevent loss, unauthorised access, and damage to information by unauthorised parties. Our cyber security strategy is aligned to industry standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.

Our security measures have been implemented following ISO 27001:2013 standard requirements. The list of our current and up-to-date certificates can be found here.

Unfortunately, the transmission of information via the internet (including by email) is not completely secure. We will do our best to protect your personal information, but we cannot guarantee the security of your data transmitted to our site; and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

10. Changes to this Privacy Notice

The most current version of this Privacy Notice governs our practices for collecting, processing, and disclosing personal data. Changes will be noted on this page.

11. Contact Details

Mukuru Africa (Pty) Ltd (South Africa) with Registration number 2013/003424/07, owns and runs our Site. Mukuru Africa is an ADLA Category II licence holder and is supervised by SARB and regulated by FIC.
Registered address: Mukuru Africa (Pty) Ltd, Suite 20-101A, Building 20, The Waverly Business Park, Wyecroft Road, Mowbray, 7925, Cape Town, South Africa.
Remitix Limited is a regulated Authorised Payment Institution, licensed under Money Transmitter Licence Number 12234310 (issued by Her Majesty’s Revenue and Customs) and is registered with the Financial Conduct Authority under Registration Number 576623 in the United Kingdom.
Registered address: 12 Old Mills Industrial Estate, Paulton, Bristol, United Kingdom, BS39 7SU.
We are regulated by the Information Regulator in South Africa and the Information Commissioner Officer in the United Kingdom (UK).

To contact the Data Protection Officer or Information Officer or for queries under this Privacy Notice, please email [email protected] marked “Attention DPO”.

Download the pdf version here.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	session	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_122991777_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_gtag_UA_122991777_5	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_UA-122991777-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
SPSI		This cookie is used for setting a unique ID for the session and it collects user behaviour on the website during the session. This collected information is used for statistical purposes.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
adOtr	past	No description available.
CONSENT	16 years 6 months 1 day 4 hours 12 minutes	No description
current_mode	session	No description
embed_source		No description
mobi_country	session	No description
mukurusession	2 hours	No description
RUL	1 year	No description
SPSE		No description available.
UTGv2	5 months 27 days	No description available.
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.