This Privacy Policy explains how [FICAVault legal entity name]("FICAVault", "we") processes personal information when you use the FICAVault platform. FICAVault is the responsible party (as defined in the Protection of Personal Information Act, 4 of 2013 — "POPIA") for personal information you provide directly about yourself. For personal information that a business or institution uploads about its clients, FICAVault acts as operator under our Data Processing Addendum.
1. Responsible party
[FICAVault legal entity name]
Registration number: [Registration number]
Registered address: [Registered address]
Information Officer: [Information Officer name] — privacy@ficavault.app
2. Personal information we collect
- Account information: name, email, mobile number, password hash.
- Identity information: South African ID number, passport number, date of birth.
- Verification documents: ID document, proof of address, bank confirmation, SARS tax certificate, company registration and beneficial ownership documents.
- Contact and address details for you and, for business accounts, the entities you manage.
- Consent, sharing and audit metadata: when documents were shared, with whom, and how consent (usually OTP) was captured.
- Technical data: IP address, device and browser information, log data.
- Billing information processed by our payment providers on our behalf.
3. Why we process it (purpose and lawful basis)
- To create and operate your compliance passport (performance of the contract with you).
- To let you share documents with accountable institutions on your instruction (your consent).
- To send expiry reminders and service notifications (legitimate interest / performance of contract).
- To meet our own record-keeping and reporting obligations (compliance with a legal obligation).
- To secure the platform, prevent fraud and abuse (legitimate interest).
- To bill you and collect payment (performance of contract).
4. Who we share it with
- Accountable institutions and other recipients that you specifically approve — always with an audit trail.
- Operators / sub-processors that host, secure and support the platform (cloud hosting, email delivery, analytics, payment processing, customer support).
- Regulators, courts or law-enforcement where we are legally compelled to do so.
We never sell your personal information.
5. Cross-border transfers
Some of our sub-processors process data outside South Africa. Where this happens, we rely on POPIA-compliant safeguards, including adequacy findings, binding corporate rules or contractual protections that require a comparable standard of protection.
6. Retention
We keep personal information only as long as necessary for the purposes above or as required by law (for example FIC Act record-keeping). When you close your account we allow a 30-day export window and then delete or anonymise your content, except where a legal retention obligation requires us to keep it longer.
7. Security
We use encryption in transit and at rest, strict access controls, OTP-based consent for sharing, signed and time-limited share links, and continuous monitoring. No system is perfectly secure, but we work hard to protect your information and will notify you and the Information Regulator of any material personal-information breach as required by POPIA.
8. Cookies
See our Cookie Policy for details of the cookies and similar technologies we use.
9. Children
FICAVault is not directed at children under 18. We do not knowingly collect personal information of children without appropriate parental consent.
10. Your rights
Under POPIA you may:
- ask what personal information we hold about you and request a copy;
- ask us to correct or delete inaccurate or out-of-date information;
- object to processing that relies on legitimate interest;
- withdraw consent for future processing that relies on consent;
- complain to the Information Regulator (South Africa) — inforegulator.org.za.
To exercise these rights, contact privacy@ficavault.app.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email or in-app at least 14 days before they take effect.

