Privacy Policy

Last updated: 13 February 2026

1. Introduction

Thula Mali ("we," "our," or "us") is committed to protecting your personal information and respecting your privacy rights in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable South African data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, apply for funding, or use our services. By using our services, you consent to the data practices described in this policy.

Information Officer: As required by POPIA, our Information Officer is responsible for ensuring compliance with data protection laws. You may contact our Information Officer at: [email protected]

2. Information We Collect

2.1 Personal Information

When you apply for funding or use our services, we collect the following categories of personal information:

  • Identity Information: Full name, ID number, date of birth, nationality
  • Contact Information: Email address, phone number, physical address
  • Business Information: Business name, registration details, business sector, years in operation
  • Financial Information: Monthly revenue, funding amount requested, bank account details, transaction history
  • Documentation: ID copies, bank statements, business registration documents, financial statements
  • Communication Records: WhatsApp messages, emails, SMS communications, application notes

2.2 Automatically Collected Information

When you visit our website, we automatically collect certain technical information:

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, time spent on pages, click patterns, referral sources
  • Cookies and Tracking: Session cookies, analytics cookies, preference cookies

3. How We Use Your Information

We process your personal information for the following lawful purposes under POPIA:

3.1 Contractual Necessity

  • Processing and evaluating funding applications
  • Conducting credit and risk assessments
  • Disbursing approved funding amounts
  • Managing repayment schedules and collections
  • Generating and managing funding contracts

3.2 Legal Obligations

  • Complying with Financial Intelligence Centre Act (FICA) requirements
  • Meeting National Credit Act (NCA) obligations
  • Responding to lawful requests from regulatory authorities
  • Preventing fraud and financial crime

3.3 Legitimate Interests

  • Improving our services and user experience
  • Analyzing application trends and portfolio performance
  • Sending service-related notifications (application status, payment reminders)
  • Managing partner referral programs
  • Protecting against fraud and security threats

3.4 Consent

  • Sending marketing communications about our services
  • Using cookies and tracking technologies
  • Sharing information with third-party service providers

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information with the following categories of recipients:

4.1 Service Providers

  • Payment Processors: Stripe (for disbursements and repayment processing)
  • Cloud Storage: AWS S3 (for secure document storage)
  • Communication Services: Email and SMS providers for notifications
  • Analytics: Website analytics to improve user experience

4.2 Business Partners

  • Referral partners (community centers, NGOs) who referred your application
  • Credit bureaus for credit assessment purposes

4.3 Legal Requirements

  • Law enforcement or regulatory authorities when legally required
  • Courts or tribunals in response to lawful orders
  • Financial Intelligence Centre (FIC) for suspicious transaction reporting

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data transmitted over the internet is encrypted using SSL/TLS protocols
  • Access Controls: Role-based access restrictions ensure only authorized personnel can access personal information
  • Secure Storage: Documents and data are stored on secure, encrypted cloud servers
  • Regular Audits: We conduct regular security assessments and vulnerability testing
  • Staff Training: All employees receive data protection and security training

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law:

  • Active Applications: Throughout the application review process and funding period
  • Funded Businesses: For the duration of the funding agreement plus 5 years (as required by tax and financial regulations)
  • Rejected Applications: 12 months from rejection date
  • Marketing Consent: Until consent is withdrawn
  • Legal Requirements: As required by South African law (typically 5-7 years for financial records)

7. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights regarding your personal information:

Right to Access

You have the right to request confirmation of whether we hold your personal information and to access that information.

Right to Correction

You may request correction of inaccurate, incomplete, or outdated personal information.

Right to Deletion

You may request deletion of your personal information, subject to legal retention requirements.

Right to Object

You may object to the processing of your personal information for direct marketing purposes or on grounds relating to your particular situation.

Right to Restrict Processing

You may request restriction of processing in certain circumstances, such as when contesting the accuracy of your data.

Right to Data Portability

You may request a copy of your personal information in a structured, commonly used, and machine-readable format.

To exercise any of these rights, please contact our Information Officer at [email protected]. We will respond to your request within 30 days as required by POPIA.

8. Complaints and Regulatory Authority

If you believe we have not handled your personal information in accordance with POPIA, you have the right to lodge a complaint with:

Information Regulator (South Africa)

Email: [email protected]

Website: www.justice.gov.za/inforeg

Phone: 012 406 4818

We encourage you to contact us first so we can address your concerns directly.

9. International Data Transfers

Some of our service providers (such as cloud storage and payment processors) may be located outside South Africa. When we transfer your personal information internationally, we ensure:

  • The recipient country has adequate data protection laws, or
  • We have implemented appropriate safeguards (such as standard contractual clauses), and
  • We have obtained your consent where required by POPIA

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Thula Mali - Information Officer

Email: [email protected]

Phone: +27 123 456 789

Address: [Your Physical Address]