Please wait while we prepare your dashboard...
BudgetPay (Pty) Ltd · Effective Date: 10 April 2026 · Last Updated: 10 April 2026
This Privacy Policy explains how BudgetPay (Pty) Ltd (“BudgetPay”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects your personal information when you use our platform.
This policy is issued in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), the Electronic Communications and Transactions Act 25 of 2002 (ECTA), and all applicable South African laws.
The responsible party for the processing of your personal information is:
BudgetPay (Pty) Ltd
Registration Number: [INSERT]
Registered Address: [INSERT FULL ADDRESS]
Email: privacy@budgetpay.co.za
Information Officer: [INSERT NAME]
Information Officer Email: privacy@budgetpay.co.za
You may contact our Information Officer with any queries, requests, or complaints relating to the processing of your personal information.
Your SA ID number is classified as special personal information under Section 26 of POPIA.
We process your SA ID number on the following lawful basis: (1) your explicit consent provided during registration; (2) it is necessary for the establishment, exercise, or defence of a right or obligation in law (specifically, to verify your identity, prevent fraud, and comply with FICA); and (3) it is necessary for a legitimate purpose related to our services, namely matching your identity to outstanding accounts held by vendors and service providers.
| Purpose | Lawful Basis (POPIA) |
|---|---|
| To create and manage your BudgetPay account | Consent and performance of contract |
| To verify your identity and prevent fraud | Legal obligation (FICA) and legitimate interest |
| To retrieve your outstanding debts and account balances | Consent |
| To facilitate payments, payment plans, and debit order collections | Performance of contract |
| To process wallet top-ups, transfers, and settlements | Performance of contract |
| To send transactional notifications (confirmations, reminders, receipts) | Performance of contract |
| To send service-related communications (security alerts, account updates) | Legitimate interest |
| To comply with legal and regulatory requirements (SARB, NCR, FICA, POPIA) | Legal obligation |
| To conduct affordability assessments where applicable | Legal obligation (NCA) |
| To improve the Platform and analyse usage patterns | Legitimate interest |
| To detect and prevent fraud, money laundering, and unauthorised access | Legal obligation and legitimate interest |
| To send marketing communications about BudgetPay services | Consent (opt-in only) |
We share your personal information only in the following circumstances:
When you use BudgetPay to view or pay an account, we share necessary information (such as your name, account/reference number, and payment details) with the relevant vendor to process the transaction and update your account.
We use Paystack (a Stripe company) to process payments, debit orders, and settlements. Paystack processes your payment details in accordance with PCI-DSS requirements. We do not store your full card details on our servers.
Where we use third-party identity verification services (such as Smile Identity or Jumio), we share your SA ID number and verification data solely for the purpose of verifying your identity. These providers are contractually bound to process your information only for verification purposes.
We use Resend for transactional email delivery and Twilio for SMS notifications. These providers receive your email address or phone number solely for delivering communications on our behalf.
We may disclose your personal information where required by law, regulation, or court order, including to the SARB, NCR, Financial Intelligence Centre (FIC), SAPS, Information Regulator, or any court of competent jurisdiction.
We may share information with our legal, accounting, and auditing advisors under conditions of professional confidentiality.
In the event of a merger, acquisition, or sale of BudgetPay's business, your personal information may be transferred to the successor entity. You will be notified and your rights will remain protected.
We endeavour to store and process your personal information within South Africa. Where we use service providers that process data outside of South Africa, we ensure that the recipient country has adequate data protection laws, or the recipient is bound by a binding agreement providing adequate protection in accordance with Section 72 of POPIA, or you have provided your consent to the transfer.
| Data Category | Retention Period |
|---|---|
| Account and identity information | Duration of your account + 5 years after account closure |
| Transaction and payment records | 5 years from the date of the transaction (tax and financial record-keeping requirements) |
| KYC and verification documents | Duration of your account + 5 years after closure (FICA requirement) |
| Communication records (emails, SMS logs) | 3 years |
| Usage and analytics data | 2 years (aggregated/anonymised data may be retained indefinitely) |
| Marketing consent records | Duration of consent + 1 year after withdrawal |
When no longer needed, we will securely delete or de-identify your personal information.
We implement appropriate technical and organisational measures to protect your personal information. These include:
All data in transit is encrypted using TLS. Sensitive data at rest (bank account details, vendor API credentials) is encrypted using AES-256.
We support passkey/biometric authentication (WebAuthn/FIDO2) for secure, passwordless login.
Access to personal information is restricted to authorised personnel on a need-to-know basis with role-based controls.
Payment processing is handled by Paystack (PCI-DSS Level 1 compliant). We do not store full card numbers.
We conduct periodic security reviews and update our practices in response to new threats.
In the event of a security breach, we will notify you and the Information Regulator within a reasonable time as required by Section 22 of POPIA.
As a data subject in South Africa, you have the following rights under POPIA:
Right to be informed
You have the right to know what personal information we hold and how it is being processed (Section 5).
Right of access
You may request a copy of the personal information we hold about you (Section 23).
Right to correction
You may request that we correct or update inaccurate or incomplete personal information (Section 24).
Right to deletion
You may request that we delete your personal information where it is no longer necessary, subject to legal retention requirements (Section 24).
Right to object
You may object to the processing of your personal information on reasonable grounds, and to receiving direct marketing communications at any time (Section 11(3)).
Right to withdraw consent
Where processing is based on your consent, you may withdraw consent at any time. This does not affect the lawfulness of prior processing.
Right to data portability
You may request your personal information in a structured, machine-readable format.
Right to lodge a complaint
You may lodge a complaint with the Information Regulator if you believe your information has been processed in violation of POPIA.
How to Exercise Your Rights
Email our Information Officer at privacy@budgetpay.co.za with subject line “POPIA Data Subject Request — [Your Full Name]”. We will verify your identity and respond within 30 days.
Right to Deletion — Account Closure
Email privacy@budgetpay.co.za with subject line “Account Deletion Request”. We will delete your account within 30 days of verifying your identity. Certain information may be retained where required by law (e.g., transaction records for 5 years under tax legislation, KYC records for 5 years under FICA). Active payment plans or outstanding balances must be settled before account deletion.
BudgetPay is not intended for use by children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@budgetpay.co.za.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential / Session Cookies | Authentication, security, session management | Session (deleted when browser closes) |
| Functional Cookies | Remembering your preferences (e.g., notification settings) | Up to 12 months |
| Analytics Cookies | Understanding how users interact with the Platform | Up to 24 months |
We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings.
We will only send you marketing communications if you have opted in to receive them. You may opt out at any time by:
Transactional communications (payment confirmations, security alerts) are not marketing and will continue as part of our service.
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date, notify you by email or through the Platform, and where required by POPIA, seek your consent to the changes.
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the Information Regulator:
The Information Regulator (South Africa)
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: complaints.IR@justice.gov.za
Website: https://inforegulator.org.za
Tel: 010 023 5207
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of South Africa, including POPIA, ECTA, and the Constitution of the Republic of South Africa.
For any questions or concerns about this Privacy Policy or our data practices:
BudgetPay (Pty) Ltd
Email: privacy@budgetpay.co.za
Website: https://budgetpay.co.za
Information Officer: [INSERT NAME]
This Privacy Policy was last updated on 10 April 2026.