Last updated on 16 May 2024
Welcome to the home of Mukuru.
We know your privacy is important to you, it is also important to us. Our intention is to be open and honest with you about the information we gather about you, how we use it, and who we share it with.
In simple terms, this notice explains what we do with your personal data.
1. Definitions we use in this notice.
- The term “Mukuru” or “us” or “we” or “our” refers to the companies or any one of them that make up the “Mukuru Group”.
- The “Mukuru Group” is made up of companies connected to Mukuru. This connection can be because they are owned by the same company, or because they are part of a group of related companies (also known as affiliates or members). The Mukuru Group operates under the “Mukuru” brand.
- The term “you” or “your” refers to a natural person (an individual), or where applicable, a juristic person (company).
- The term “Mukuru Services” means the money transfer service and other financial products and services provided by the Mukuru Group of companies under the trading name of Mukuru®. In South Africa, the money transfer service is provided by Mukuru Africa (Pty) Ltd, and the other financial products and services are provided by Mukuru Financial Services (Pty) Ltd. Outside of South Africa, the money transfer service is provided by Remitix Limited with the help of other Mukuru Group companies and the other financial products and services are provided by other Mukuru Group companies. If we use the terms “our services” or “the services” in this Notice, we mean any products and services that form part of the Mukuru Services.
- The term “personal data” or “personal information” means any information about you that can be used to identify you.
- A “controller” is a company that collects personal data and determines why and how it will be used.
- A “processor” is the company that processes personal data for a controller.
- When we use the phrase “applicable privacy law” we are referring to the laws that apply to us and you when we process personal data. It includes but is not limited to the Protection of Personal Information Act, 2013 (POPIA), the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR (UK GDPR), or the UK Data Protection Act 2018.
2. Who is responsible for looking after your personal data?
This will depend on what services you use. Depending on the service, Mukuru may function as a controller providing you with the service, or as a processor, if we are processing on behalf of someone else.
Different services are also provided by different companies within the Mukuru Group. Any sharing of personal data between companies in the Mukuru Group is covered by our intra group company agreement, to make sure your personal data is looked after.
If you need more information on a Mukuru Group company, please email [email protected]
3. How do we collect your data, when and why?
Mukuru is in the business of providing you with services and we collect your data for that purpose. Below are details on when, why, and how. We do our best to name every instance possible where your data might be processed by us. If your personal data is processed by us in a way or for a reason that isn’t listed in this notice, rest assured that it will be processed according to applicable data protection laws. You can ask us about the personal data we process, any time, by emailing [email protected].
We collect most of your personal data from you. For example:
- When: You enter into an agreement with us, create an account or profile or ask for help.
Why: So that we can provide you with the services you want, help you before you enter into an agreement and to meet our obligations to you and the law applicable to us and our services. - When: We provide you with services.
Why: If you use our services, we need specific information to conduct our obligations. This information must be complete and correct. - When: You communicate with us.
Why: We keep record of all email and chat correspondence you send us. We want to make sure we understand what you want us to do, and we want to improve our service to you. Telephone calls made to and from the Mukuru contact centre will be recorded for quality, training, and monitoring purposes. - When: You apply for a job or sign up to receive job posting updates. We collect this information directly from you or from the online platform you uploaded your resume or application on.
Why: So that we can consider you for recruitment purposes. - Other information you give us.
When: You fill in a form on our website or the Mukuru app (for example, the ‘Get in touch’ section), when you take part in competitions, surveys, or questionnaires about our products or services, or otherwise. It includes, for example, information you provide when you ask about our services, ask us to contact you or when you report a problem with our website, or service. - When: You provide your products or services to us and you are our supplier or partner, we may need to collect personal data of the juristic and/or natural persons involved. We may also collect personal data related to “business contacts” (supplier’s representatives and other individuals acting as a contact point between the supplier and Mukuru).
Data might be collected from you directly, or from your organisation.
When we provide services to you or your organisation, we process your data because it’s necessary for the performance of an agreement with you or your organisation.
We get data about you from other members of the Mukuru Group. - When: You create an account or profile with us, use our services, ask for information or help, or otherwise communicate with us.
Why: So that we can give you the services and information you want, ensure top customer service, and follow our legal and internal anti-money laundering, fraud, and AML obligations.
We only share your data with other companies in the Mukuru Group in connection with our services to you, or when you have given us consent (for example, when you want to create a Mukuru profile). When we provide services to you, under a contract, we process your data because it’s necessary for the performance of an agreement for services or because the law requires us to process your personal data. For marketing, we will ask for your consent to contact you.
We may also get your personal data from other sources, for example in these circumstances: - Recruiters, for job opportunities and from job applicants if you are named as a reference.
- From someone who refers you for a position.
- Providers who do background, criminal, credit, education, and identity checks or collect information from LinkedIn or other public sources or from data enrichment providers, for us when needed in connection with recruitment, employment and investigations.
- When you take part in market research done by us or our research third-party providers.
- Social media – depending on your settings or the privacy policies for social media and messaging services such as Facebook, LinkedIn, Instagram and others you might give us permission to access information from those accounts or services.
We will never ask you to share personal, account or security information on social media platforms. But we might ask you to message us in private through one of our official social media accounts. - From sanction lists, to make sure that the people we deal with aren’t subject to a sanction.
- Third parties we work with to make services available to you, customers taking part in refer-a-friend programmes, advertising networks, analytics providers, and search information providers.
- If one of our customers lists, you as a beneficiary on an insurance policy.
- Log Files – Log data is the information we record on when, how, and which visitors are using our website or the Mukuru app.
- Mukuru app – When you download the Mukuru app, we will collect Log Files and: your identity information, the type of device you are using, its operating system version, and system and performance information.
Your identity and device information is used to make sure you receive proper notifications. If you let us, we may send you push notifications to tell you about events or promotions. You can turn this off at device level.
We may use mobile analytics software to help us to understand how our mobile software works on your device. It is also used to find and fix problems. This software looks at how often you use the Mukuru app, the events that occur in the Mukuru app, aggregated usage, performance data, and from where you downloaded the Mukuru app. We don’t link this information to the personal data you put in Mukuru app. - Cookies and similar technologies
A cookie is a small file placed on your browser. It allows our website or the Mukuru app to identify your device. Cookies also make it possible for us to store your preferences so we can display content, options or functions that are specific to you.
The information we collect is used to:
– Give you a better experience of our website or the Mukuru app (functional).
– Count the pages you visit (statistics).
– Serve you relevant promotions and advertising (marketing).
Cookies don’t give us access to your device, but rather let us know information like which pages you visited on our website or the Mukuru app.
Please visit our Cookie Policy here for more information - When: You visit our offices or premises we may collect your personal data, including CCTV recordings in certain areas (we may use third parties to provide these services). Only images are caught on camera, no voice is recorded.
Why: To manage access control, to ensure the safety of employees, customers, and visitors and to identify and investigate criminal activity. This processing is done based on our legitimate interests.
Access to CCTV footage is controlled and data cannot be accessed and used without proper authorisation. You have the right to access your data, but not others’ data, unless permitted by applicable law. - Biometric Data
Biometric data is a type of personal data that can uniquely identify an individual. For example, fingerprints and facial images.
If your device enables biometric recognition, you may consent to it being used to access the Mukuru app securely. For this purpose, the biometric information is stored on your device and security managed on your device.
We may also use your biometric data where we use facial coding in KYC (Know Your Customer) verification or when processing is necessary for reasons of public interest to prevent or detect unlawful acts, prevent fraud, and on suspicion of terrorist financing and money laundering. - Google Maps API(s)
We use Google Places API (used to get location data and autocomplete data) and Geocoding API (which converts addresses into geographic coordinates). This data is used for address verification purposes to meet our legal requirements. Google’s privacy terms applicable to the collection of this data is applicable and can be found here Privacy Policy – Privacy & Terms – Google.
Why else do we process your data? - To comply with laws and regulations
Including rules regulating financial services, credit, insurance and more. We may also use your personal data to help detect or prevent crime (including terrorism financing, money laundering, fraud and other illegal activities and financial crimes).
We will only do this on the basis that it’s needed to comply with a legal obligation or it’s in our legitimate interests and that of others. - Troubleshoot and detect problems with the service and keep our services secure
When we carry out these activities, we might use account and usage data. Usage data is especially relevant for investigating fraudulent activities – it allows us to piece together the timeframe of account user’s activities in the case of security-related incidents and to take adequate steps for mitigation.
The security of our services is crucial for us, so for these activities we rely on our legitimate interest to maintain and improve the security of our services. - Product and Service Improvement
We use data you generate while on our website or other channels to evaluate, improve and/or personalise existing and new products and services. Our analysis includes data analytics, statistical or other analysis to better understand how you use our services, and to respond to any service issues you may have.
The general goal of these activities is to enhance your experience and improve our products and services, keep you informed about and offer you new products, services, and benefits that we hope will help you but also educate you about good financial service behaviours based on your previous actions or needs, and we rely on our legitimate interest when conducting them. - Marketing
Where we are required to do so by law, we will ask for your consent for us to send you marketing communications. These communications may include competitions, promotions, our rewards program, and any other communication you ask us for.
For B2B (business-to-business) marketing, we rely on our legitimate interest to maintain and improve our business relationships.
You may proactively manage your preferences or opt-out any time, using the links/commands given in our marketing communications.
When you unsubscribe from marketing (i.e., withdraw your consent or object to the processing), we will stop sending you marketing materials. But we may keep a so-called “suppression list”. It lists your email address or phone number just to be sure that we don’t contact you with unwanted content. - Automated systems
We use automated system/s for decision-making and profiling for some products and services as part of our continuous improvement of new and existing products and services.
You may query any action we take, based on an automated decision, and ask for ‘human intervention’. - Further use of your data
We process your personal data in line with this notice and relevant data protection laws. The only time we will use it for another ‘further’ purpose is if:- You gave us your consent for the further processing activity.
- The personal data is available from a public record or made public by you, where we are legally allowed to do so.
- We need to comply with a legal obligation.
4. What data do we collect?
- Children’s Data
You must be 18 years or older to use our services. We don’t provide services directly to children (as per applicable law) or proactively collect their personal data. - Customers (Sender and Policy Holder)
Title ID and/or Passport Number Full Names & Surname ID and/or Passport Number Image Preferred Name Selfie Country of Origin Occupation Country of Residence Monthly Income Mobile Number Proof of Income Image Email Address Banking Details Date of Birth Mukuru Card Details Address Customer Identity Profile (e.g. Sanctions) Proof of Address Image Medical Information (Specific to policy holder – i.e. death certificate) Gender Criminal Data (for KYC purposes) - Agents
First Names & Surname Email Address ID number Telephone Number ID image Device IMEI Number Photo Banking Details Physical Address - Customers (Legal/Juristic persons), Suppliers, Partners, Service Providers, etc.
Information on Legal/Juristic Customers and its representatives (employees, shareholders, directors etc) including position/designation within the entity. Registered and Trading Names, Registration numbers, ID and Passport Numbers, Physical addresses, Banking Details, Email Addresses, Telephone numbers, position/designation within the entity, date of birth. Director Information Corporate documents (registration documents, banking documents etc.) - Recipients
Full Names & Surname Relationship to Sender ID and/or Passport Number Gender ID Document and/or Passport Image Identity profile (e.g. Sanctions) Date of Birth Mukuru Card details Country Signature (Collection Slip Image) Mobile Number - Customers (Policy Holder’s Dependent/Beneficiary and Witnessing Family Member)
Full names & Surname Date of Birth ID / Passport / Birth Certificate Number Contact Number - Employment candidates
Title ID Document Image Full Names & Surname Banking Details Preferred Name Education Place of residence Work history Mobile Number Medical Information Email Address Credit, criminal and offences checks Date of Birth Evaluation and assessment results Gender Professional information about you from business networking sites (like LinkedIn) Address Internal interview notes Proof of Address Image Information on your next of kin or emergency contact/s. ID Number Information you share (during interviews, on your cover letter and resume etc) Photo - Visitors to our premises
Full names & Surname Employer Mobile number Reason for visit
5. How long do we keep your personal data?
We only keep your personal data for as long as we need to. This will depend on the services you want, the applicable law we must follow, our need to respond to queries or complaints, our obligation to fight fraud, financial crime and to respond to requests from regulators.
If we don’t need to keep it, we will destroy, delete or de-identify it. All information kept on our systems is kept secure in line with our Information Security Policies and Standards.
6. Who do we share your personal data with and why?
- Members of the Mukuru Group, for the reasons given in this Notice.
- Business partners, suppliers and/or vendors, to help us deliver our services to you.
- Legal & regulatory authorities to comply with our legal obligations.
- Other Mukuru customers who wish to create a payment for you, using one of the Mukuru products, if the functionality is available. During the payment process they will enter your phone number and we will show them your name so they can confirm the payment is going to the right recipient.
- Merger and acquisition stakeholders
As part of disclosure in the event of a merger, sale, or other asset transfer. Your information may be transferred as part of such a transaction, as permitted by law or contract. - Social media and advertising partners
- Google
We use Google Property Analytics, Google ads and other Google marketing tools which use cookies and similar technologies to collect and analyse information about use of the Sites, apps and online services and report on activities, actions and trends.
You can learn about Google’s practices by going to google.com/policies/privacy/partners, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at tools.google.com/dlpage/gaoptout. - Meta (Facebook)
We may use Meta Business Tools. Depending on the Meta Business Tool we use, we might share with Meta actions that you take on our website or App like, your visits to our website, your interactions on our website, use of Facebook Connect and information collected from cookies or similar technologies including the Facebook Pixel.
We do this to measure how effective our advertising is, to improve our marketing practices, and to deliver more relevant advertising to you and people like you.
You can exercise your data protection rights and find more information on how your data is used here. - Personalised advertising
We use advertising partners including Google and Meta for personalised advertising with our intention to deliver more relevant advertising to you and people like you. As part of this we share your personal data, but we observe appropriate technical measures to secure your data and identity. You can manage your preferences in this regard in your user account settings.
- Google
7. What Are Your Rights?
- You have the right:
- To be informed about our collection and use of your personal data.
- To access to your personal data.
- To rectify personal data that you think is inaccurate and to complete information you think is incomplete.
- To erasure (to be forgotten). You may ask us to erase your personal data.
- To restrict the processing of your personal data.
- To object to the processing of your personal data.
- To data portability. This means you can ask us to transfer your personal data to another organisation. This only applies in some countries, so please contact us for more information.
- To question automated decisions. You have the right to query a decision that we make about our services if the decision was made without any human involvement.
- If you want to exercise one of these rights, we may ask you for proof of your identity first. Some of these rights do have limitations. For example, if you ask for something, but it could reveal some else’s personal data, we may refuse. If you ask that we delete your information, but we have a legal obligation to keep it, or we have a legitimate interest or contractual obligation to keep it, we may keep your personal even if you want us to delete it.
- All requests must be in writing. We will try to respond within a reasonable period, but within 30 days from the date you ask. If we need more time, we will explain why. We may charge a fee for the request or refuse to action your request if it is excessive or unfound. We will give reasons if that is the case.
- Please contact us at [email protected] if you want to enforce any of these rights.
8. How do we carry out international transfers of your personal data?
The Mukuru Group is an international group of companies. For this reason, we may transfer your personal data to other countries. Those countries may have different laws and data protection compliance requirements to the country where you are located.
Cross border transfers will be done in line with applicable data protection laws that require specific technical and organisational security measures and contractual transfer safeguards, like the EU’s Standard Contractual Clauses and the UK’s Addendum for restricted transfers.
9. Our Security Practices
Mukuru’s security systems and controls are designed to maintain confidentiality, prevent loss, unauthorised access, and damage to information by unauthorised parties. Our cyber security strategy is aligned to industry standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.
Our security measures have been implemented following ISO 27001:2013 standard requirements. For more information refer to our website here.
Unfortunately, the transmission of information via the internet (including by email) is not completely secure. We will do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to our site; and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.
10. Changes to this notice
The most current version of this notice governs our practices for collecting, processing, and disclosing personal data and customers and contracting third parties will be notified when this notice is updated.
11. Contact Details
To contact the Data Protection Officer or Information Officer or for queries under this Privacy Notice, please email [email protected] marked “Attention DPO”.
12. Country-specifics
In addition to the above there are some country-specifics for us to note.
SOUTH AFRICA
Under POPIA, Personal Data is referred to as Personal Information but is the same term. Likewise, Data Controller and Data Processor mean Responsible Party and Operator respectively.
ZAMBIA
In addition to the data listed in What do we collect detailed above, for money transfers involving a recipient in Zambia the regulations require that we collect the TPIN (Taxpayer Identification Number) of the recipient being paid.
ZIMBABWE
In addition to the data listed in What do we collect detailed above, for money transfers involving a recipient in Zimbabwe regulations require that we collect city of the recipient being paid.