Privacy Policy

DEFINITIONS

The following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings:

1.1. "Applicable Laws" means all applicable laws, rules, codes, regulations, and formal regulatory guidelines and standards, made by a Regulator, legislature or other public authority with binding effect in force from time to time (construed having regard to related guidance and codes of practice issued or approved by a regulator or other public body);

1.2. "Controller" and "Processor" are read to refer to those equivalent terms;

1.3. "CrissCross," "we," "our," "us" means CrissCross Tech Pty Ltd, a company incorporated and registered in South Africa (registration number 2022/812239/07) ("CrissCross SA") together with all companies that are directly or indirectly (whether through one or more intermediaries or otherwise) control, or are controlled by, or are under common control with CrissCross SA;

1.4. "Data Breach" means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed;

1.5. "Data Protection Laws" means any Applicable Laws which regulate the Processing of Personal Information that is received by CrissCross;

1.6. "Data Subject" means each identified or identifiable (whether directly or indirectly) legal or natural person to whom any Personal Information relates;

1.7. "Personal Information" means information relating to any natural or legal person, the Processing of which is regulated by Data Protection Laws including:

  • (i) information relating to the race, gender, sex, marital status, national, ethnic or social origin, colour, age, disability, language and birth of the person;
  • (ii) information relating to the education or the medical, financial, criminal or employment history of the person;
  • (iii) information relating to the financial affairs of the person;
  • (iv) credit card details and transactional data;
  • (v) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
  • (vi) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • (vii) the views or opinions of another individual about the person;
  • (viii) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
  • (ix) any other information the Processing of which may be treated or defined as "personal information" in terms of any Applicable Laws, including Data Protection Laws;

1.8. "Policy" means this Privacy Policy;

1.9. "Process" means to collect, receive, record, organise, collate, store, develop, update, modify, retrieve, alter, consult, use, disseminate or perform any other act or action, including any other act or action which may be treated or defined as "process" or "processing" (or any equivalent term for a similarly-regulated activity) in terms of any Data Protection Laws, and "Processed" and "Processing" shall have a corresponding meaning;

1.10. "Regulator" shall mean any court or public body having regulatory or supervisory authority over all Personal Information;

1.11. "Responsible Party" and "Operator" have the meanings given to those terms in the Data Protection Laws, and where an equivalent term is used in Data Protection Laws (such as "Responsible Party" and "Operator", respectively);

1.12. "Special Personal Information" is sensitive Personal Information of a Data Subject or a child in terms of the Data Protection Laws.

2. PURPOSE

2.1. The purpose of this Policy is to inform you about how we Processes your Personal Information.

2.2. CrissCross, in its capacity as Responsible Party (and/or Operator, where applicable), shall strive to observe, and comply with its obligations under Data Privacy Laws as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

2.3. This Policy applies to Personal Information collected by us in connection with the products and services which we provide to you. This includes information collected directly from you as a Data Subject, as well as information we collect indirectly through our service providers who collect your information on our behalf.

2.4. This Privacy Policy does not apply to the information practices of third party companies that we may engage with in relation to its business operations (including, without limitation, their websites, platforms and/or applications) which we do not own or control; or individuals that CrissCross does not manage or employ. These third party sites may have their own privacy policies and terms and conditions that people will have to comply with.

3. PROCESS OF COLLECTING PERSONAL INFORMATION

3.1. We will collect Personal Information directly from you as and when required for a defined purpose, unless an exception is applicable (such as, for example, where you have made the Personal Information public or the Personal Information is contained in or derived from a public record).

3.2. We will always collect Personal Information in a fair, lawful and reasonable manner to ensure that we protect your privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect you.

3.3. Where we obtain Personal Information from third parties, we will ensure that we obtain your consent to do so. We will only Process your Personal Information without your consent where we are permitted to do so in terms of clause Error: Reference source not found above or the Data Protection Laws.

3.4. An example of such third parties includes:

  • (i) agencies;
  • (ii) other companies providing services to us; and
  • (iii) where we make use of publicly available sources of information.

4. LAWFUL PROCESSING OF PERSONAL INFORMATION

4.1. Where we are the Responsible Party, we will only Process your Personal Information (other than for Special Personal Information) where:

  • 4.1.1. your consent (or a competent person, where the Data Subject is a child) is obtained;
  • 4.1.2. Processing is necessary to carry out the actions for conclusion of a contract to which you are a party;
  • 4.1.3. Processing complies with an obligation imposed by Data Protection Laws on us;
  • 4.1.4. Processing protects your legitimate interests; and/or
  • 4.1.5. Processing is necessary for pursuing our legitimate interests or of a third party to whom the information is supplied.

4.2. We will only Process Personal Information where one of the legal bases referred to in paragraph 4.1 above are present.

4.3. We will make the manner and reason for which the Personal Information will be Processed clear to you.

4.4. Where we rely on your consent as the legal basis for Processing Personal Information, you may withdraw your consent or may object to us Processing your Personal Information at any time. However, this will not affect the lawfulness of any Processing carried out prior to the withdrawal of your consent or any Processing justified by any other legal ground provided under Data Privacy Laws.

4.5. If you withdraw your consent or if there is otherwise a justified objection against the use or the Processing of such Personal Information, we will ensure that the Personal Information is no longer Processed.

5. SPECIAL PERSONAL INFORMATION

5.1. We will generally not Process Special Personal Information unless:

  • 5.1.1. Processing is carried out in accordance with your consent;
  • 5.1.2. Processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • 5.1.3. Processing is for historical, statistical or research purposes, subject to stipulated safeguards;
  • 5.1.4. information has deliberately been made public by you; or
  • 5.1.5. specific authorisation applies in terms of Data Privacy Laws.

5.2. We will not Process any Personal Information concerning a child unless we have obtained the consent of the parent or guardian of that child or where it is permitted to do so in accordance with Applicable Laws.

6. PURPOSE FOR PROCESSING PERSONAL INFORMATION

6.1. We will make you aware of the fact that we are Processing your Personal Information and we will inform you of the purpose for which we will Processes such Personal Information.

6.2. We will only Process your Personal Information for a specific, lawful and clear purpose and we will ensure that we make you aware of such purpose(s) as far as possible.

6.3. We will ensure that there is a legal basis for the Processing of any Personal Information. Further, we will ensure that Processing will relate only to the purpose for and of which you have been made aware (and where relevant, consented to) and we will not Process any Personal Information for any other purpose(s).

6.4. We will generally use your Personal Information for purposes required to operate and manage our normal operations and these purposes include one or more of the following non-exhaustive purposes:

  • 6.4.1. for the purposes of providing services to you;
  • 6.4.2. for purposes of onboarding you;
  • 6.4.3. generally for procurement and supply purposes;
  • 6.4.4. for purposes of monitoring the use of our electronic systems and online platforms by you. We may, from time to time, engage third party service providers (who will Process your Personal Information on our behalf) to facilitate this;
  • 6.4.5. for purposes of preventing, discovering and investigating violations of this Policy, the Applicable Law and other CrissCross policies;
  • 6.4.6. in connection with the execution of payment processing functions;
  • 6.4.7. in connection with internal audit purposes (i.e. ensuring that the appropriate internal controls are in place in order to mitigate the relevant risks, as well as to carry out any investigations where this is required);
  • 6.4.8. in connection with external audit purposes. For this purpose, we engage external service providers and, in so doing, we may share your Personal Information with third parties;
  • 6.4.9. for company secretarial related purposes. For this purpose, we may, from time to time, collect information relating to you from third parties;
  • 6.4.10. for such other purposes to which you may consent from time to time;
  • 6.4.11. for such other purposes as authorised in terms of Data Protection Laws; and
  • 6.4.12. to comply with any Data Protection Laws or any query from a Regulator.

7. KEEPING PERSONAL INFORMATION ACCURATE

7.1. We will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up to date as reasonably possible depending on the purpose for which Personal Information is collected or further Processed.

7.2. We may not always expressly request you to verify and update your Personal Information unless this process is specifically necessary.

7.3. You must notify us from time to time in writing of any updates required in respect of your Personal Information.

8. STORAGE AND PROCESSING OF PERSONAL INFORMATION

8.1. We may store your Personal Information in hardcopy format and/or in electronic format using our own secure on-site servers or other internally hosted technology.

8.2. Your Personal Information may also be stored by third parties, via cloud services or other technology, with whom we have contracted to support our operations.

8.3. Our third party service providers, including data storage and processing providers, may from time to time also have access to your Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

8.4. We will ensure that such third-party service providers will Process your Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures and Data Privacy Laws.

8.5. The third-party service providers will not use or have access to your Personal Information other than for purposes specified by us, and we will require such parties to employ at least the same level of security that we use to protect the Data Subjects' Personal Information.

8.6. Your Personal Information may be Processed in the country where you reside or another country where CrissCross and their third-party service providers maintain servers and facilities, and we will take steps, including by way of contracts, to ensure that it continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under applicable law, including Data Privacy Laws.

9. DIRECT MARKETING

9.1. To the extent that we act in our capacity as a direct marketer, we shall strive to observe, and comply with our obligations under Data Privacy Laws when implementing principles and practices in relation to direct marketing.

9.2. We will only use your Personal Information to contact you for purposes of direct marketing from time to time where it is permissible to do so.

9.3. We may use your Personal Information to contact you and/or market CrissCross services directly to you if you are one of our existing clients, you have requested to receive marketing material from us, or we have your consent to market our services directly to you.

9.4. If you are our existing client, we will only use your Personal Information if we have obtained your Personal Information through the provision of a service to you and only in relation to similar services to the ones we previously provided to the Data Subject.

9.5. We will ensure that a reasonable opportunity is given to you to object to the use of your Personal Information for our marketing purposes when collecting your Personal Information and on the occasion of each communication to you for purposes of direct marketing.

9.6. We will not use your Personal Information to send you marketing materials if you have requested not to receive them. If you request that we stop Processing your Personal Information for marketing purposes, we shall do so.

10. RETENTION OF PERSONAL INFORMATION

10.1. We may keep records of your Personal Information, correspondence, or comments we have collected in an electronic or hardcopy file format.

10.2. In terms of Data Privacy Laws, we may not retain your Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or Processed and will delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances:

  • 10.2.1. where the retention of the record is required or authorised by Applicable Laws or by any Regulator;
  • 10.2.2. where we require the record to fulfil our lawful functions or activities;
  • 10.2.3. retention of the record is required by a contract between the parties thereto;
  • 10.2.4. you (or competent person, where the Data Subject is a Child) has consented to such longer retention; or
  • 10.2.5. the record is retained for historical, research, archival or statistical purposes provided safeguards are put in place to prevent use for any other purpose. Accordingly, we will, subject to the exceptions noted in this Policy, retain your Personal Information for as long as necessary to fulfil the purposes for which your Personal Information was collected and/or as permitted or required by Data Protection Laws.

10.3. Where we retain your Personal Information for longer periods for statistical, historical, archival or research purposes, we will ensure that appropriate safeguards have been put in place to ensure that all your recorded Personal Information will continue to be Processed in accordance with this Policy and Data Protection Laws.

10.4. Once the purpose for which your Personal Information was initially collected and Processed no longer applies or becomes obsolete, we will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that no one can re-identify your Personal Information. In instances where we de-identify the Personal Information, we may use such de-identified information indefinitely.

11. FAILURE TO PROVIDE PERSONAL INFORMATION

Should we need to collect your Personal Information as prescribed by Applicable Laws or under our obligations as a service provider, and you fail to provide your Personal Information when requested, we may be unable to perform our duties as a service provider in terms of the Data Protection Laws.

12. SAFE-KEEPING OF PERSONAL INFORMATION

12.1. We shall preserve the security of your Personal Information and, in particular, prevent its alteration, loss and damage, or access by non-authorised third parties.

12.2. We will ensure the security and integrity of your Personal Information in our possession or under our control with appropriate, reasonable technical and organisational measures to prevent loss, unlawful access and unauthorised destruction of your Personal Information.

12.3. We have implemented physical, organisational, contractual and technological security measures (having regard to generally accepted information security practices or industry-specific requirements or professional rules) to keep your Personal Information secure, including measures protecting your Personal Information from loss or theft, unauthorised access, disclosure, copying, use or modification. Further, we maintain and regularly verify that our security measures are effective and we regularly update them in response to new risks.

13. DATA BREACHES

13.1. We will address any Data Breach in accordance with the terms of Data Privacy Laws.

13.2. We will notify the Regulator and the affected Data Subjects (unless the applicable law or a government authority requires that we delay notification to the Data Subjects) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of that Data Subject's Personal Information.

13.3. We will provide such notification as soon as reasonably possible after we become aware of any Data Breach.

13.4. Where we act as an 'Operator' for purposes of Data Privacy Laws and should any Data Breach affect the data of Data Subjects whose information we Processes as an Operator, we will (in terms of Data Privacy Laws) notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of relevant Data Subjects has been accessed or acquired by any unauthorized person.

14. PROVISION OF PERSONAL INFORMATION TO THIRD PARTY SERVICE PROVIDERS

14.1. We may disclose your Personal Information to third parties and we will enter into written agreements with such third parties to ensure that they Process any Personal Information in accordance with the provisions of this Policy, and Data Privacy Laws.

14.2. We will disclose your Personal Information with your consent or if we are permitted to do so without such consent in accordance with Data Protection Laws.

14.3. Further, we may also send your Personal Information to a foreign jurisdiction outside of the jurisdiction in which you reside, including for Processing and storage by third parties.

14.4. When your Personal Information is transferred to a jurisdiction outside of the jurisdiction you reside in including to any cloud, data centre or server located outside of the jurisdiction you reside in, we will obtain the necessary consent to transfer your Personal Information to such foreign jurisdiction or may transfer your Personal Information where we are permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under Data Privacy Laws.

14.5. The Processing of your Personal Information in a foreign jurisdiction, if and to the extent such Processing does occur, may be subject to the laws of the country in which your Personal Information is held, and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

15. RESPONSES

We will respond to each written request of a Data Subject not later than 30 (thirty) days after receipt of such requests. Under certain circumstances, we may, however, extend the original period of 30 days once for a further period of not more than 30 (thirty) days.

16. PRIVACY OFFICER

CrissCross has appointed a dedicated Privacy Information Officer who is responsible for the Processing and protection of Personal Information.