Privacy Policy

Document Version: 1.0.0
Effective Date: January 17, 2026
Jurisdiction: Republic of South Africa

1. INTRODUCTION AND RESPONSIBLE PARTY
PAKO (Pty) Ltd (“PAKO”, “we”, “us”), registration number 2025/752609, is the Responsible Party for the personal information processed through our mobile application and website. We are committed to the Eight Conditions for Lawful Processing as set out in POPIA. This notice describes how we collect, use, disclose, and protect your information.

2. INFORMATION WE COLLECT
We collect information categorized under POPIA as follows:
2.1 Identifying Information: Full names, South African Identity Number (for FICA/KYC compliance), and biometric data (if used for app authentication).
2.2 Contact Information: Email address, mobile number, and physical address.
2.3 Financial Information: Bank account numbers, real-time transaction history, account balances, and categorized spending data via our secure aggregators.
2.4 Credit & Risk Data: Credit scores, debt obligations, and affordability assessments.
2.5 Technical Data: IP addresses, device UUIDs, geolocation (to prevent fraud), and “usage cookies” for platform optimization.
2.6 Special Personal Information: We do not knowingly collect information regarding your religious beliefs, race, or health unless specifically required by law or if you voluntarily include such details in transaction descriptions.

3. HOW WE COLLECT DATA
3.1 Directly from You: During registration and profile completion.
3.2 Automated Technologies: Via cookies and app telemetry as you navigate the platform.
3.3 Third-Party Sources: We use Operators (Aggregators such as Stitch or Akahu) to securely link your bank accounts. By linking your account, you authorize us to retrieve data directly from your financial institution.

4. LAWFUL BASIS AND PURPOSE OF PROCESSING
In terms of Section 11 of POPIA, we process your information based on Contractual Necessity and your Express Consent for the following purposes:
4.1 AI Financial Analysis: Using machine learning to categorize transactions and provide “Smart Insights.”
4.2 Product Personalization: Tailoring budget “bubbles” and financial goals to your unique cash flow.
4.3 FICA & AML Compliance: Verifying your identity to prevent money laundering and fraud.
4.4 Communication: Sending system alerts, security notices, and (with your opt-in) marketing related to financial wellness.
4.5 AI Model Improvement: We use de-identified and aggregated data to train our algorithms to better serve the South African market.

5. SHARING AND DISCLOSURE
We do not sell your data. We only share information with:
5.1 Operators: Service providers who host our data (e.g., AWS Cape Town) or provide technical functionality.
5.2 Regulatory Bodies: When required by the South African Revenue Service (SARS), the Financial Intelligence Centre (FIC), or a court order.
5.3 Professional Advisors: Our legal and cyber-security auditors to ensure PAKO remains secure.

6. TRANS-BORDER DATA FLOWS
While we prioritize local hosting in the AWS Cape Town Region, some of our technical service providers (e.g., email delivery or analytics tools) may operate in the USA or Europe. In terms of Section 72 of POPIA, we ensure these third parties are subject to laws or agreements that provide a level of protection at least as robust as POPIA.

7. DATA SECURITY (POPIA CONDITION 7)
We implement “Appropriate, Reasonable, Technical, and Organisational Measures” to prevent loss or unauthorized access:
7.1 Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
7.2 Access Control: Strict “Least Privilege” access policies for PAKO employees.
7.3 Vulnerability Testing: Regular “Pen-Tests” to identify and patch potential exploits.

8. DATA RETENTION
We retain your information for as long as your account is active or as required by South African law (e.g., 5 years for FICA records). Once the retention period expires, your data is deleted or de-identified so it can no longer be linked to you.

9. YOUR LEGAL RIGHTS
Under POPIA, you have the right to:
9.1 Access: Confirm if we hold your data and request a copy.
9.2 Correction: Update inaccurate or out-of-date information.
9.3 Objection: Object to processing for direct marketing.
9.4 Complaint: If you believe we have misused your data, you have the right to lodge a complaint with the Information Regulator (South Africa):
Email: enquiries@inforegulator.org.za / PAIAComplaints@inforegulator.org.za

10. CONTACT OUR INFORMATION OFFICER
Antheo Naidoo is the designated Information Officer for PAKO (Pty) Ltd.

Email: hello@pako.co.za
