Last updated on 8 August 2023
Welcome to the home of Mukuru.
We know your privacy is important to you; it is also important to us. Our intention is to be open and honest with you about the information we gather about you, how we use it, and who we share it with.
In simple terms, this Notice explains what we do with your personal information.
1. Definitions we use in this Notice.
- The term “Mukuru” or “us” or “we” or “our” refers to the companies or any one of them that make up the “Mukuru Group”.
- The “Mukuru Group” is made up of companies connected to Mukuru. This connection can be because they are owned by the same company, or because they are part of a group of related companies (also known as affiliates or members). The Mukuru Group operates under the “Mukuru” brand.
- The term “you” or “your” refers to a natural person (an individual), or where applicable, a juristic person (company).
- The term “Mukuru Services” means the remittance service and ancillary financial products and services provided by the Mukuru Group of companies under the trading name of Mukuru®. In South Africa, the remittance service is provided by Mukuru Africa (Pty) Ltd, and the ancillary financial products and services are provided by Mukuru Financial Services (Pty) Ltd. Outside of South Africa, the remittance service is provided by Remitix Limited with the assistance of Remitix Affiliates and the ancillary financial products and services are provided by the Remitix Affiliates. If we use the terms “our services” or “the services” in this Notice, we mean any products and services that form part of the Mukuru Services.
- The term “personal data” or “personal information” means any information about you that can be used to identify you.
- A “controller” is an entity that collects personal data and determines why and how it will be used.
- A “processor” is the entity that processes personal data for a controller.
- When we use the phrase “applicable privacy law” we are referring to the laws that apply to us and you when we process personal data. It includes the Protection of Personal Information Act, 2013 (POPIA), the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR (UK GDPR), or the UK Data Protection Act 2018.
2. Who is responsible for your personal data?
This will depend on what services you use. Depending on the service, we may function as a controller providing you with the service, or as a processor, if we are processing on behalf of another party.
Different services are also provided by different companies within the Mukuru Group. Any sharing of personal data between Mukuru Affiliates is covered by our Binding Corporate Rules, to make sure your personal data is looked after.
If you need more information on a Mukuru Affiliate, please email [email protected]
3. How do we collect your data, when and why?
Mukuru is in the business of providing you with services and we collect your data for that purpose. Below are details on when, why, and how. We do our best to name every instance possible where your data might be processed by us. If your personal data is processed by us in a way or for a reason that isn’t listed in this Notice, rest assured that it will be processed according to applicable data protection laws. You can ask us about the personal data we process, any time, by emailing [email protected].
We get most of our data from you. For example:
- When: You enter into an agreement with us, create an account or profile or ask for help.
Why: So that we can provide you with the services you want, help you before you enter into an agreement and to meet our obligations to you and the law applicable to us and our services.
- When: We provide you with services.
Why: If you use our services, we need specific information to carry out our obligations. This information must be complete and correct.
- When: You communicate with us.
Why: We keep a record of all email and chat correspondence you send us. We want to make sure we understand what you want us to do, and we want to improve our service to you. Telephone calls made to and from the Contact Centre will be recorded for quality, training, and monitoring purposes.
- When: You apply for a job or sign up to receive job posting updates. We collect this information directly from you or from the online platform you uploaded your resume or application on.
Why: So that we can consider you for recruitment purposes.
- Other information you give us.
When: You fill in a form on our website or App (for example, the ‘Get in touch’ section), when you take part in competitions, surveys, or questionnaires about our products or services, or otherwise. It includes, for example, information you provide when you ask about our services, ask us to contact you or when you report a problem with our website, or service.
- When: You provide your products or services to us and you are our supplier or partner, we may need to collect personal data of the juristic and/or natural persons involved. We may also collect personal data related to “business contacts” (supplier’s representatives and other individuals acting as a contact point between the supplier and Mukuru).
Data might be collected from you directly, or from your organisation.
When we provide services to you, we rely on our legitimate interest to carry out these activities. But where you are our contractual counterpart, we process your data because it’s necessary for the performance of an agreement for services.
We get data about you from other members of the Mukuru Group.
- When: You create an account or profile with us, use our services, ask for information or help, or otherwise communicate with us.
Why: So that we can give you the services and information you want, ensure top customer service, and follow our legal and internal anti-money laundering, fraud, and AML obligations.
We only share your data with Mukuru Affiliates in connection with our services to you, or when you have given us consent (for example, when you want to create a Mukuru profile). When we provide services to you, we rely on our legitimate interest; otherwise, we rely on your consent to carry out these activities. But where you and Mukuru have a contract, we process your data because it’s necessary for the performance of an agreement for services.
We also get your personal data from other sources. For example:
- Recruiters, for job opportunities and from job applicants if you are named as a reference.
- From someone who refers you for a position.
- Providers who do background, criminal, credit, education, and identity checks or collect information from LinkedIn or other public sources or from data enrichment providers, for us when needed in connection with recruitment, employment and investigations.
- When you take part in market research done by us or our research third-party providers.
- Social Media – Depending on your settings or the privacy policies for social media and messaging services such as Facebook, LinkedIn, and Instagram, you might give us permission to access information from those accounts or services.
We will never ask you to share personal, account or security information on social media platforms. But we might ask you to message us in private through one of our official social media accounts.
- From other accounts we have reason to believe you control.
- From sanction lists, to make sure that the people we deal with aren’t subject to a sanction.
- Third parties we work with to make services available to you, customers taking part in refer-a-friend programmes, advertising networks, analytics providers, and search information providers.
- Log Files – Log data is the information we record on when, how, and which visitors are using our website or App.
- Mobile App (or “App”) – When you download our Mobile App, we will collect Log Files and: Your identity information, the type of device you are using, its operating system version, and system and performance information.
Your identity and device information is used to make sure you receive proper notifications. If you let us, we may send you push notifications to tell you about events or promotions. You can turn this off at device level.
We may use mobile analytics software to help us to understand how our mobile software works on your device. It is also used to find and fix problems. This software looks at how often you use the Mobile App, the events that occur in the App, aggregated usage, performance data, and from where you downloaded the Mobile App. We don’t link this information to the personal information you put in the Mobile App.
- Cookies and similar technologies
A cookie is a small file placed on your device’s hard drive. It allows our website or App to identify your device. Cookies also make it possible for us to store your preferences so we can display content, options or functions that are specific to you.
The information we collect is used to:
– Give you a better experience of our website or App (functional).
– Count the pages you visit (statistics).
– Serve you relevant promotions and advertising (marketing).
Cookies don’t give us access to your device.
- When: You visit our offices or premises. We may collect your personal data, including CCTV recordings in certain areas (we may use third parties to provide these services). Only images are caught on camera, no voice is recorded.
Why: To manage access control, to ensure the safety of employees, customers, and visitors and to identify and investigate criminal activity. This processing is done based on our legitimate interests.
Access to CCTV footage is controlled and data cannot be accessed and used without proper authorisation. You have the right to access your data, but not others’ data, unless permitted by applicable law.
- Biometric Data
Biometric data is a type of personal information that can uniquely identify an individual. For example, fingerprints and facial images.
If your device enables biometric recognition, you may consent to it being used to access the App securely.
We may also use your biometric data where processing is necessary for reasons of substantial public interest to prevent or detect unlawful acts, prevent fraud, and on suspicion of terrorist financing and money laundering.
- Google Maps API(s)
Why else do we process your data?
- To Comply with laws and regulations. Including rules regulating financial services, credit, insurance and more. We may also use your personal information to help detect or prevent crime (including terrorism financing, money laundering, fraud and other illicit activities and financial crimes).
We will only do this on the basis that it’s needed to comply with a legal obligation or it’s in our legitimate interests and that of others.
- Troubleshoot and detect problems with the service and keep our services secure.
When we carry out these activities, we might use account and usage data. Usage data is especially relevant for investigating fraudulent activities – it allows us to construct the timeframe of account user’s activities in the case of security-related incidents and to take adequate steps for mitigation.
The security of our services is crucial for us, so for these activities we rely on our legitimate interest to maintain and improve the security of our services.
- Product and Service Improvement
We use data you generate while on our website or other channels to evaluate, improve and/or personalise existing and new products and services. Our analysis includes data analytics, statistical or other analysis to better understand how you use our services, and to respond to any service issues you may have.
The general goal of these activities is to enhance your experience and improve our products and services, keep you informed about and offer you new products, services, and benefits that we hope will help you but also educate you about good financial service behaviours based on your previous actions or needs, and we rely on our legitimate interest when conducting them.
The rules around marketing vary depending on where you are located. In some cases, you must subscribe to receive marketing communications. In others, you might not need to subscribe but will be given the option to not receive marketing communications.
Marketing communications may include competitions, promotions, our rewards program, and any other communication you ask us for. We will rely on your consent or our legitimate interest, depending on the applicable data protection law.
For B2B (business-to-business) marketing, we rely on our legitimate interest to maintain and improve our business relationships. You may proactively manage your preferences or opt-out any time, using the links/commands given in our marketing communications.
When you unsubscribe from marketing (i.e., withdraw your consent or object to the processing), we will stop sending you marketing materials. But we may keep a so-called “suppression list”. It lists your email address or phone number just to be sure that we don’t contact you with unwanted content. We rely on our legitimate interest to respect your choices when we keep this information.
- Automated systems
We use automated system/s for decision-making and profiling for some products and services as part of our continuous improvement of new and existing products and services.
You may query any action we take, based on an automated decision, and ask for ‘human intervention’.
- Further use of your data
We process your personal data so we can do the thing you asked us to do. The only time we will use it for another ‘further’ purpose is if:
– You gave us your consent for the further processing activity.
– The personal data is available from a public record or made public by you.
– We need to, to comply with a legal obligation.
4. What data do we collect?
Mukuru’s primary goal is to provide you with our products & services. The type of data we collect depends on what you want to do, and the below list may not be everything.
You must be 18 years or older to use our services. We don’t provide services directly to children (as per applicable law) or proactively collect their personal information.
Customer (Sender and Policy Holder)
| Title | Full Name & Surname | Preferred Name | Country of Origin | Country of Residence | Mobile Number |
| Email Address | Date of Birth | Address | Proof of Address Image | Gender | ID Number |
| Selfie | ID Document Image | Occupation | Monthly Income | Proof of Income Image | Banking Details |
| Order Purpose | Mukuru card details | Customer Identity Profile (i.e., Sanctions) | Medical Information (Specific to policy holder – i.e., death certificate) |
Customers (Legal/Juristic persons) & Suppliers, Partners, Service Providers etc
| Information on Legal/Juristic Customers and its representatives (employees, shareholders, directors etc) including position/designation within the entity | Registered and Trading Names, Registration numbers, ID and Passport Numbers, Physical addresses, Banking Details, Email Addresses, Telephone numbers, position/designation within the entity, date of birth. |
| Director Information | Corporate documents (registration documents etc.) |
| Full names & Surname | ID Number | ID Document Image | Date of Birth | Country | Mobile Number |
| Relationship to Sender | Gender | Identity profile (i.e., Sanctions) | Mukuru Card details | City (i.e., Payment Location) | Signature (Collection Slip Image) |
Customer (Policy Holder’s Dependent/Beneficiary and Witnessing Family Member)
| Full names & Surname | Date of Birth | ID / Passport / Birth Certificate Number | Contact Number |
| Title | Full Name & Surname | Preferred Name | Place of residence | Mobile Number | Email Address |
| Date of Birth | Gender | Address | Proof of Address Image | ID Number | Photo |
| ID Document Image | Banking Details | Education | Work history | Medical Information |
| Credit, criminal and offences checks | Evaluation and assessment results | Professional information about you from business networking sites (like LinkedIn) | Internal interview notes | Information on your next of kin or emergency contact/s. | Information you share (during interviews, on your cover letter and resume etc) |
Visitors to our premises
| Full names & Surname | Employer | Mobile number | Reason for visit |
5. How long do we keep your personal data?
We only keep your personal data for as long as we need to. This will depend on the services you want, the applicable law we must follow, our need to respond to queries or complaints, our obligation to fight fraud, financial crime and to respond to requests from regulators. We may also keep your data where we need to for our legitimate purposes.
If we don’t need to keep it, we will destroy, delete or de-identify it. All information kept on our systems is kept secure in line with our Information Security Policies and Standards.
6. Who do we share your personal data with and why?
- Members of the Mukuru Group, for the reasons given in this Notice.
- Business partners, suppliers and/or vendors, to help us process your personal data, for the purposes under this Notice.
- Legal & Regulated Authorities. To comply with our legal obligations.
- Merger and acquisition stakeholders.
As part of disclosure in the event of a merger, sale, or other asset transfer. Your information may be transferred as part of such a transaction, as permitted by law or contract.
- Social media and Advertising partners.
You can learn about Google’s practices by going to google.com/policies/privacy/partners, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at tools.google.com/dlpage/gaoptout.
We also use Google Maps/Google Earth for some of our services. Please visit Google Maps/Google Earth Additional Terms of Service at https://maps.google.com/help/terms_maps.html for more information.
- Meta (Facebook)
We may use Meta Business Tools. Depending on the Meta Business Tool we use, we might share with Meta actions that you take on our website or App like, your visits to our website, your interactions on our website, use of Facebook Connect and information collected from cookies or similar technologies including the Facebook Pixel.
We do this to measure how effective our advertising is, to improve our marketing practices, and to deliver more relevant advertising to you and people like you.
You can exercise your data protection rights and find more information on how your data is used here.
7. What Are Your Rights?
- You have the right:
- To be informed about our collection and use of your personal data.
- Of access to your personal data.
- To rectify personal data you think is inaccurate and to complete information you think is incomplete.
- To erasure (to be forgotten) – You may ask us to erase your personal data.
- To restrict the processing of your personal data.
- To object to the processing of your personal data.
- To data portability – means you can ask us to transfer your personal data to another organisation. This only applies in some countries, so please contact us for more information.
- To question automated decisions – You have the right to query a decision that we make about our services if the decision was made without any human involvement.
- If you want to exercise one of these rights, we may ask you for proof of your identity first. Some of these rights do have limitations. For example, if you ask for something, but it could reveal someone else’s personal information, we may refuse. If you ask that we delete your information, but legally we must keep it, or we have a compelling legitimate interest or contractual obligation to keep it, we may.
- All requests must be in writing. We will try to respond within a reasonable period, but within 30 days from the date you ask. If we need more time, we will explain why. We may charge a fee for the request or refuse to action your request if it is excessive or unfounded. We will give reasons if that is the case.
- Please contact us at [email protected] if you want to enforce any of these rights.
8. How do we carry out international transfers of your personal data?
Mukuru is international. For this reason, we may transfer your personal information to other countries. Those countries may have different laws and data protection compliance requirements than the country where you are located.
Cross-border transfers will be done in line with applicable data protection laws that require specific technical and organisational security measures and contractual transfer safeguards, like the EU’s Standard Contractual Clauses and the UK’s Addendum for restricted transfers.
9. Our Security Practices
Mukuru’s security systems and controls are designed to maintain confidentiality and to prevent loss of, unauthorised access to, and damage to information by unauthorised parties. Our cyber security strategy is aligned to industry standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.
Our security measures have been implemented following ISO 27001:2013 standard requirements. The list of our current and up-to-date certificates can be found here.
Unfortunately, the transmission of information via the internet (including by email) is not completely secure. We will do our best to protect your personal information, but we cannot guarantee the security of your data transmitted to our site; and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
10. Changes to this Privacy Notice
The most current version of this Privacy Notice governs our practices for collecting, processing, and disclosing personal data. Changes will be noted on this page.
11. Contact Details
- Mukuru Africa (Pty) Ltd (South Africa) with Registration number 2013/003424/07, owns and runs our Site. Mukuru Africa is an ADLA Category II licence holder and is supervised by SARB and regulated by FIC.
Registered address: Mukuru Africa (Pty) Ltd, Suite 20-101A, Building 20, The Waverly Business Park, Wyecroft Road, Mowbray, 7925, Cape Town, South Africa.
- Remitix Limited is a regulated Authorised Payment Institution, licensed under Money Transmitter Licence Number 12234310 (issued by Her Majesty’s Revenue and Customs) and is registered with the Financial Conduct Authority under Registration Number 576623 in the United Kingdom.
Registered address: 12 Old Mills Industrial Estate, Paulton, Bristol, United Kingdom, BS39 7SU.
- We are regulated by the Information Regulator in South Africa and the Information Commissioner’s Office in the United Kingdom (UK).
To contact the Data Protection Officer or Information Officer or for queries under this Privacy Notice, please email [email protected] marked “Attention DPO”.