Merchant Privacy Policy

Paystack South Africa (PTY) Limited (“Paystack”, “Company”, “we”, “us” or “our”) offers an online payment platform that makes it easy for Merchants to accept electronic payments from Customers. Paystack values the privacy of Merchants who use our website and all related sites, applications, services and tools (collectively, our “Services”). This Privacy Policy describes how we collect, use, store, share, and protect personal information from Merchants who engage with our Services. We therefore implement business practices that comply with the Protection of Personal Information Act 4 of 2013 ("POPIA"). This Privacy Policy applies to all processing of personal information.

Where we refer to "Personal Information" in this Privacy Policy, we mean personal information as defined in POPIA, being information that may be used to identify you directly or indirectly. Personal Information includes, for example, name, surname, email address, identity number (or company registration number), contact details, photograph, and location.

The Services are primarily intended for and provided to businesses and other organisations (“Merchants”), and not individual consumers. Thus, we generally process personal information at the direction of and on behalf of Merchants. When we do, we do so as a service provider or an “Operator” or “Data Processor” to those Merchants, but we do not control and are not responsible for the privacy practices of those Merchants. If you are a Customer of a Paystack Merchant, you should read that Merchant’s Privacy Policy and direct any privacy inquiries to that Merchant.

This Privacy Policy does not apply to services that are not owned or controlled by Paystack, including third-party websites and the services of other Paystack Merchants. This Privacy Policy applies to all forms of systems, operations and processes within the Paystack environment that involve the processing of personal information. Paystack is a Stripe company; for more information about Stripe’s privacy practices, see the Stripe Privacy Policy https://stripe.com/en-gb/privacy.

By using or accessing our Services, you agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy. Your use of our Services is also subject to Paystack’s Terms. Should you disagree to abide by such Terms, or if you revoke your consent to the processing of your personal information, your account will be disabled and you will no longer be able to access or interact with the Paystack platform.

1. The Information We Collect

1.1 Personal Information You Provide Directly

We collect personal information that you provide to us. For example:

  • Registration information. To gain full access to our website and services, you must register for a Paystack account. When you register for an account, we collect business data and personal information, which you voluntarily provide to us in order to complete the KYC (Know Your Customer) process (e.g. email address, bank details, name, telephone number). With your consent, we may also collect additional personal information such as survey responses.
  • Payment information. If you make a financial transaction, we collect credit card numbers, financial account information, and other payment details.
  • Communications. If you contact us directly, for example with an inquiry or a support request, we may receive additional personal information about you, including your email address and the content of your communications.

1.2 Personal Information We Collect Automatically

  • Device Information. We receive information about the device and software you use to access our Services, including internet protocol (IP) address, web browser type, operating system version, and device identifiers.
  • Usage Information. To help us understand how you use our Services, including the Demo portion of our website, and to help us improve them, we automatically receive information about your interactions with our Services. This information includes records of your transactions and information about your other activities related to our services, such as date and time of your sessions, the pages you view, links to/from any page, and time spent in a session. We gather certain information through the use of cookies and similar technologies as discussed below.
  • Location Information. When you use our Services, we may collect or infer your general location information. For example, your IP address may indicate your general geographic region.

1.3 Personal Information That We Receive from Others or Infer

  • Partners. We may retrieve additional personal information about you from third parties and other identification/verification services such as your financial institution and payment processor. We may combine that data with other information we have about you.
  • Publicly available sources. Public sources of information such as open government databases.
  • Inferences. We may infer additional personal data based on the personal information described above. For example, for website visitors, we may infer your interests based on the web pages you view.

When you are asked to provide personal information, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow our collection and use of information that is necessary for certain services or features, those services or features may not be available to you or fully functional.

2. How We Use Personal Information

We use the personal information we collect to:

  1. Provide you with the required Services
  2. Respond to your questions or requests and manage our relationship with you
  3. Improve features, website content and analyse data to develop products and services
  4. Address inappropriate use of our website and Services
  5. Prevent, detect and manage risk against fraud and illegal activities using internal and third party screening tools
  6. Send you marketing content, newsletters and service updates curated by Paystack (only in compliance with applicable laws or otherwise with your explicit consent)
  7. Verify your identity and the information you provide in line with Paystack’s statutory obligations using internal and third party tools
  8. Maintain up-to-date records of Merchants
  9. Resolve disputes that may arise, including investigations by law enforcement or regulatory bodies
  10. Any other purpose that we disclose to you in the course of providing Paystack Services to you or otherwise in compliance with applicable laws, if you consent to it or if it is in the public interest to do so

All purposes for the processing of your personal information will be legal in terms of POPIA.

3. How We Share Personal Information

Paystack does not sell, trade or rent personal information to anyone. Further, we will not share or disclose your personal information with a third party without your consent except as necessary to provide the Services or as described in this Privacy Policy.

  • Service providers. We share personal information with service providers, vendors or agents working on our behalf for the purposes described in this Privacy Policy. For example, companies we've hired to provide customer service support, to assist in protecting and securing our systems and services, or to perform sanctions screening and identity verification services may need access to personal information to provide those functions. The processing by such third parties shall be governed by a written contract with Paystack to ensure adequate protection and security measures are put in place for the protection of personal information in compliance with applicable data protection laws.
  • Financial services & payment processing. When you provide payment data, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services in terms of written agreements with those third parties and as required by POPIA.
  • Affiliates. We enable access to personal information across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our Services and operate our business.
  • Corporate transactions. We may disclose personal information as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
  • Legal and law enforcement. We may access, disclose, and preserve personal information in accordance with applicable law and when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
  • Security, safety, and protecting rights. We will disclose personal information if we believe it is necessary to:
    • protect us, our merchants and others, for example to prevent fraud, or to help prevent the loss of life or serious injury of anyone;
    • operate and maintain the security of our Services, including to prevent or stop an attack on our computer systems or networks; or
    • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Third party analytics and advertising companies also collect personal information through our website and apps, including marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this Privacy Policy. These third parties may combine this data across multiple sites to improve analytics for their own purposes and others. For example, we use Google Analytics on our website to help us understand how users interact with our website. You can learn how Google collects and uses information at www.google.com/policies/privacy/partners.

Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal information to any of those third parties, or allow us to share personal information with them, that data is governed by their privacy policies.

Finally, we may share de-identified information in accordance with POPIA.

4. Cookies

We and our partners use cookies and similar technologies on our website to help collect information and operate the website. We use cookies to: remember visitors to our website; make your user experience easier; customise our Services, content and advertising; help you ensure that your account security is not compromised, mitigate risk and prevent fraud; and to promote trust and safety on our website. Cookies are small text files placed by a website and stored by your browser on your device.

Our cookies hold a unique random reference to you so that once you visit the website, we can recognise who you are and provide certain content to you.

Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this may impact your experience when using our website.

5. How We Protect your Information

Paystack has established adequate technical and organisational controls to protect the integrity and confidentiality of your Personal Information, both in digital and physical format, whilst preventing Personal Information from being accidentally or deliberately compromised.

Paystack is committed to managing your Personal Information in line with best practices and in compliance with POPIA. We protect your Personal Information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure and alteration. We also use industry recommended security protocols to safeguard your Personal Information. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to our buildings and files, and granting access to Personal Information only to employees who require it to fulfil their job responsibilities.

In compliance with the Payment Card Industry Data Security Standard (“PCI DSS Requirements”), we implement access control measures, security protocols and standards including the use of encryption and firewall technologies to ensure your card information is safe and secure on our servers. Additionally, we implement periodic security updates to ensure that our security infrastructures are in compliance with reasonable industry standards.

Paystack also maintains a data breach procedure in order to deal with incidents concerning Personal Information or practices leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise processed. You may contact our Information Officer (IO) upon becoming aware of any breach of Personal Information or if your access credentials have been compromised, to enable us to take the necessary steps towards ensuring the security of your Personal Information or account. We will report any breaches that will compromise your rights and freedoms to the Information Regulator in compliance with POPIA.

6. Storage Limitation

We will retain your information for the following periods:

  • As long as reasonably necessary for the purpose of providing our Services to you
  • For the duration your account is active and we have your consent
  • For the period needed to comply with our legal and statutory obligations
  • As needed to verify your information with a financial institution
  • For our legitimate business purposes

Paystack is statutorily obliged to retain the data you provide in order to process transactions, ensure settlements, make refunds, identify fraud and to comply with applicable laws and regulatory guidelines, and will retain certain information in compliance with various applicable laws.

Under the Financial Intelligence Centre Act 38 of 2001 we are mandated to retain transactional records (customer and beneficiary names, addresses, identification number, amount, currency etc.) for at least five years following the completion of the transaction. Paystack is also required to maintain records of data relating to the establishment of a business relationship for five years following the termination of said business relationship.

Therefore, even after closing your Paystack account, we will retain certain Personal Information and transaction data to comply with these obligations. All Personal Information shall be destroyed by Paystack where possible, or anonymised in other instances.

This Privacy Policy also applies when we retain your Personal Information after our relationship has come to an end. We may also retain your Personal Information for the duration of any period necessary to establish, exercise or defend any legal rights and may keep Personal Information indefinitely in a de-identified format for statistical purposes, which may include for example statistics of how you use the Services.

The length of storage of Personal Information shall, amongst other things, be determined by:

  • The contract terms agreed between Paystack and the Merchant or as long as it is needed for the purpose for which it was obtained; or
  • Whether the transaction or relationship has statutory implication or a required retention period; or
  • Whether there is an express request for deletion of Personal Information by the Merchant, provided that such request will only be treated where the Data Subject is not under any investigation which may require Paystack to retain such Personal Information or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Information; or
  • Whether Paystack has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

7. Transfer of Personal Information

As part of our Service provision and due to the nature of our business, we may rely on third-party servers, databases co-located with hosting providers, and resident in foreign jurisdictions, which constitutes the transfer of your personal information to computers or servers in foreign countries. We take steps designed to ensure that the data we collect under this Privacy Policy is processed and protected according to the provisions of this Privacy Policy and applicable laws wherever the data originates from or is located.

Where personal information is to be transferred to a country outside South Africa, Paystack shall put adequate measures in place to ensure the security of such Personal Information. Any transfer of Personal Information out of South Africa will be in accordance with the provisions of POPIA and relevant data protection regulations. In particular, Paystack shall, among other things, use contractual terms to ensure protection of the data or ensure the country has adequate data protection laws (i.e. listed in the National Information Technology Development Agency’s [“NITDA”] White List of Countries, or the General Data Protection Regulation’s [“GDPR”] Adequacy List).

Should you wish to transfer personal information to a country deemed to have inadequate data protection laws, Paystack will take all necessary steps to ensure that informed consent is obtained from you, and you are aware of the risks entailed with consenting to such transfer. In all instances, Paystack will ensure Personal Information is transmitted in a safe and secure manner. Details of the protection given when your Personal Information is transferred abroad, and details of the basis of such transfers, will be provided to you upon request.

8. Grounds for Processing of Personal Information

Processing of Personal Information by Paystack shall be lawful if at least one of the following applies:

  • the Data Subject has given consent to the processing of his/her Personal Information for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which Paystack is subject;
  • the processing is necessary in order to protect the legitimate interests of the Data Subject;
  • the processing protects a legitimate interest of the data subject, or is necessary for pursuing the legitimate interest of Paystack or of a third party to whom it is supplied.

All purposes for the processing of your personal information will be legal in terms of POPIA.

9. Choices and Rights

Data Subjects have the following rights in respect of their personal information:

  • Right of access – the right to be informed of and request access to the Personal Information that we process about you;
  • Right to rectification – you may request that your Personal Information be amended or updated where it is inaccurate or incomplete;
  • Right to erasure – the right to request that we delete your Personal Information, subject to applicable limitations and exceptions;
  • Right to restrict processing – you may request that we temporarily or permanently stop processing your Personal Information;
  • Right to object –
    • you may object to us processing your Personal Information; and
    • to your Personal Information being processed for direct marketing purposes;
  • Right not to be subject to automated decision-making – where a decision that has a legal or other significant effect is based solely on automated decision making, including profiling, you may request that your Personal Information not be processed in that manner.

Where you have provided consent for us to process your Personal Information, you may also withdraw your consent where our processing is based on your consent. However, we may continue to process your Personal Information if another legal justification exists for the processing.

10. Quality and access to your information

Quality. Where we are the Responsible Party, we want to ensure that your personal information is accurate and up to date. You may ask us to correct or remove any personal information that you think is inaccurate, by sending us an email to [email protected]

Object. You may, on reasonable grounds, object to us using your personal information for certain purposes. If you object, we will stop using your personal information, except if POPIA allows its use. To exercise this right or to discuss it with us, please contact us at [email protected]

Access. You have the right to request us to provide you with personal information that we hold about you. You must contact us directly to do so by sending an email to [email protected]. This request may be subject to an access to information request in terms of applicable laws and may require you to verify your identity, identify the rights you are wishing to exercise and pay a fee. If a third party is the responsible party for the information, any request will need to be addressed to that third party. The right to access your personal information may further be limited in terms of POPIA and other applicable laws.

Your request will be reviewed and answered by Paystack's Information Officer as soon as reasonably possible. You may review your account settings and update your Personal Information directly or by contacting us.

11. Direct Marketing

We may process your Personal Information to contact you to provide you with information regarding updates about the Services and new features and products that may be of interest to you. Where we provide Services to you, we may send information to you regarding our Services and other information that may be of interest to you, using the contact details that you have provided to us. We will only send you direct marketing communications where you have consented to us sending you direct marketing or otherwise in compliance with POPIA. The law does not require consent for all marketing, but where consent is required, Paystack will only do marketing with the necessary consent.

You may unsubscribe from direct marketing communications at any time by clicking on the unsubscribe link that we include in every direct marketing communication or by contacting us and requesting us to do so. You can also ask us to not send you direct marketing communications when you register to use our Services. After you unsubscribe, we will not send you any direct marketing communications, but we will continue to contact you when necessary in connection with providing you with the Services or in connection with our business.

If we process personal information for direct marketing purposes on the instructions of a third party for their own purposes, that third party as the responsible party has the obligation to comply with all direct marketing requirements in terms of POPIA.

We will not sell your personal information or provide it to third parties outside of the group of companies to which we belong or to original equipment manufacturers with whom we are affiliated for their marketing purposes without your consent.

12. Changes to This Privacy Policy

We may need to update, modify or amend our Privacy Policy as our technology evolves and as required by law. If we materially change the ways in which we use or share personal information previously collected from you through our Services, we will provide notice or obtain consent regarding such changes as may be required by law. The Privacy Policy will apply from the effective date provided on our website.

13. Contact Paystack’s Information Officer

If you have any questions relating to this Privacy Policy or would like to find out more about exercising your data protection rights, please reach out to our Information Officer via email at [email protected].

For any further queries, please send all correspondence to the following address:

45 Kingfisher Dr,
Fourways,
Sandton, 2055
South Africa.

14. Lodging a complaint

If you want to raise any objection or have any queries about our privacy practices, you can contact our Information Officer at [email protected].

You also have the right to formally lodge a complaint to the Information Regulator in terms of POPIA as follows:

General enquiries email: [email protected]

Effective Date: Monday, Apr 25, 2022