BankMe ("BankMe", "we", "our" or "us") provides a secure, cloud-based platform that lets business owners upload and organise financial and company documents and grant banks or other authorised third parties access to view or download those documents. This Privacy Policy explains how BankMe collects, uses, shares and protects the personal information of users of our SaaS platform and website at bankme.online (collectively the "Services").
BankMe acts as a controller of the personal information it collects from users (for example, to manage your account and provide the Services) and as a processor of the documents and other data our business customers upload on behalf of their own clients or partners. By using our Services, you agree to the practices described below and any updates we make from time to time.
1. Information we collect
BankMe collects several categories of information to operate our platform. We describe what we collect and how we obtain it so you can understand our data practices:
1.1 Information you provide directly
When you create an account, subscribe to a plan, contact customer support, upload documents or otherwise communicate with us, you may provide:
- Identity and contact data: full name, surname, company name, job title/position, postal/physical address, telephone number and email address.
- Business registration data: company registration number, tax or VAT registration number, and other business identifiers (these may be required under credit-application regulations).
- Payment and billing data: billing address and payment card details (processed securely by our payment processor).
- Account credentials: username and password (these are encrypted and cannot be retrieved).
- Document data: files you upload to BankMe, such as bank statements, financial statements, debtors/creditors age analyses, tax returns, business registration documents, personal identification documents, and other confidential financial or business documents. Documents may contain personal information about you, your employees, shareholders or other individuals. You are responsible for having a lawful basis to share this information with us.
- Communications data: feedback, support requests and other messages you send to us (including email or in-app messages).
1.2 Data collected automatically
When you interact with BankMe online, we automatically collect certain technical and usage information to improve and secure our Services:
- Usage data: account activity, page views, searches, document uploads and other interactions with the platform.
- Technical data: IP address, device type, operating system, browser type and version, and other device identifiers.
- Location data: approximate location inferred from your IP address.
- Cookies and tracking data: identifiers stored in your browser or device that help us authenticate users, maintain sessions, remember preferences, measure usage and deliver analytics. See Section 5 for more details.
1.3 Data from third parties
We may obtain information about you from third-party sources:
- Payment providers: e.g., Stripe for payment card processing. These providers collect and process your payment details directly; BankMe only receives limited information such as the last four digits of your card and payment status.
- Authentication providers: if you choose to sign in using Google, Apple or other single-sign-on providers, we receive your name, email address and other information authorised by that provider.
- Analytics services: aggregate usage information to improve our Services.
2. How we collect information
We collect information through multiple channels to operate our Services:
- Direct submissions: you provide information when you register, subscribe, upload documents, or communicate with us.
- Automated technologies: we use cookies, server logs and similar technologies to collect usage and technical data.
- Third-party integrations: we receive information when you interact with integrated services (for example, payment processors or single-sign-on providers).
3. Legal basis for processing
Our legal bases for processing personal information vary depending on the context and the applicable data protection law (GDPR, POPIA, CCPA/CPRA, etc.). We rely on the following grounds:
- Performance of a contract: we process your personal data to create your account, provide access to the platform, manage subscriptions and billing, and deliver customer support.
- Legitimate interests: we process data to operate, secure and improve the Services, prevent fraud and abuse, analyse usage, and communicate with you about similar products or features. We balance these interests against your privacy rights.
- Compliance with legal obligations: we process and retain certain data to comply with tax laws, accounting regulations, anti-money-laundering and credit-application regulations, or to respond to lawful requests by authorities.
- Consent: we obtain your consent for marketing emails, the use of cookies and other optional processing activities. You may withdraw your consent at any time (see Section 9). In jurisdictions such as South Africa's POPIA, consent must be voluntary, specific and informed.
4. How we use information
BankMe uses your personal information for the purposes described below and as otherwise described to you at the time of collection:
- Account creation and administration: register your account, verify your identity, process subscriptions and handle billing.
- Service delivery: allow you to upload, organise and manage documents; grant access sessions to authorised parties; send invitations and notifications; facilitate comments and document requests.
- Security and fraud prevention: monitor usage, enforce our terms, investigate suspicious activity and protect your information and our Services.
- Communications: send transactional communications (e.g., account updates, security alerts, support responses) and marketing communications (subject to your consent).
- Analytics and improvements: analyse usage patterns, improve our user interface, develop new features and evaluate the effectiveness of our Services.
- Legal compliance: comply with regulatory obligations (e.g., credit and tax regulations), enforce our rights or defend legal claims.
We will not use your personal information for purposes incompatible with those set out above without notifying you or obtaining your consent.
5. Cookies and similar technologies
BankMe uses cookies, pixels and local storage to operate and improve the Services. These small data files are placed on your device or browser and perform the following functions:
- Essential cookies: required to authenticate users, prevent fraud and enable core functionality.
- Preference cookies: remember your settings and customise your experience.
- Analytics cookies: collect aggregated usage data to help us understand how the Services are used and improve performance.
- Marketing cookies: used only with your consent to deliver personalised communications and measure the effectiveness of our marketing campaigns.
You can manage or disable cookies through your browser settings. If you disable essential cookies, some features of the Services may not function properly.
6. How we share information
We share personal data only when necessary to deliver our Services, comply with legal obligations or protect our rights. We do not sell personal information and do not share it with third parties for their own marketing purposes. We may disclose personal data to:
- Service providers and processors: trusted companies that perform services on our behalf, such as cloud hosting (Supabase), payment processing (Stripe), analytics, email delivery, document storage and security. We only provide these partners with the information needed to perform their services and require them to protect your data and use it solely for our purposes.
- Authorised third parties: if you grant access to a bank or another institution via BankMe's access sessions, we will share the documents and comments you explicitly select. The bank or institution must agree to use the data only for the credit assessment or other purpose authorised by you.
- Legal and regulatory authorities: if required to comply with laws, regulations, court orders or other legal processes. Under POPIA, we may need to report data breaches to the Information Regulator and affected individuals.
- Corporate transactions: as part of mergers, acquisitions, financing or the sale of company assets, subject to confidentiality agreements and applicable laws.
7. International transfers
BankMe operates in South Africa but uses service providers located in other countries. If you are based outside South Africa, or if your data is stored in another region, we may transfer personal data across borders. We will comply with applicable laws governing international data transfers. Safeguards may include:
- Contractual clauses: standard contractual clauses approved by the European Commission or the UK Information Commissioner's Office for transfers from the EU/UK.
- Data Processing Agreements (DPAs): ensuring that service providers protect data and limit processing to our instructions.
- Participation in approved data transfer frameworks: such as the EU-U.S. Data Privacy Framework when applicable.
If you have questions about cross-border data transfers, please contact us (see Section 15).
8. Data retention
We retain personal information only as long as necessary to fulfil the purposes described in this Policy or to comply with legal obligations. Our typical retention practices include:
- Account and business data: retained for the lifetime of your subscription and as required by law (e.g., tax and accounting obligations).
- Usage and analytics data: retained for a limited period (usually 12-24 months) to improve the Services.
- Financial and transaction records: retained as long as required by tax, financial and anti-fraud laws.
- Documents uploaded by customers: retained until the account holder deletes them or the retention period defined by their plan expires. Once data is deleted from your account, it will be securely removed from our active systems and backups within a reasonable timeframe.
We honour your request to delete your data (see Section 9), subject to applicable legal requirements and legitimate interests (e.g., preventing fraud or enforcing agreements). We may also anonymise data so it no longer identifies you.
9. User rights
Depending on your location and applicable law (e.g., GDPR, POPIA, CCPA/CPRA, LGPD), you may have certain rights regarding your personal information:
- Access: request a copy of the personal data we hold about you.
- Correction: request that we correct incomplete or inaccurate data.
- Deletion: request that we delete personal data where legally permitted.
- Restriction/Opt-out: limit how we use your data, including opting out of marketing or analytics.
- Data portability: request your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: withdraw your consent where we rely on consent as the legal basis. Withdrawal does not affect processing prior to withdrawal.
- Lodge a complaint: lodge a complaint with your local data protection authority if you are unhappy with our data practices.
- Opt-out of sale/sharing (CCPA/CPRA): BankMe does not sell personal information. California residents may still exercise the right to opt out of sharing for cross-context behavioural advertising, if applicable. To submit a request, use the contact methods below.
To exercise your rights, please contact us using the details in Section 15. We may ask you to verify your identity before responding. We will respond within the timeframes required by law (generally 30 days, with extensions where permitted).
10. POPIA-specific rights and conditions (South Africa)
Because BankMe operates from South Africa, we follow the Protection of Personal Information Act (POPIA). Under POPIA, personal information may only be processed if at least one of the following conditions is met:
- Consent: the data subject consents to the processing.
- Contractual necessity: the processing is necessary to carry out actions for the conclusion or performance of a contract with the data subject.
- Legal obligation: processing is required by law or to comply with a public duty.
- Legitimate interests of the responsible party: the processing protects a legitimate interest of the data subject or is necessary to pursue the legitimate interests of the responsible party.
Under POPIA you also have the right to be notified of personal data collection or security compromises, to request confirmation and details about personal information held by us, to object to processing, and to request correction, deletion or destruction of your data.
If you believe BankMe has not complied with POPIA, you may lodge a complaint with the Information Regulator (South Africa) at https://www.justice.gov.za/inforeg/
11. Security measures
BankMe uses technical and organisational measures to secure personal information against unauthorised access, accidental loss, alteration or destruction. These measures include:
- Encryption: encryption of data in transit (e.g., via TLS/HTTPS) and at rest.
- Role-based access control: limiting employee access to data based on job function.
- Secure infrastructure: hosting on secure cloud platforms with strong physical and network safeguards (Supabase and our storage providers have ISO and SOC certifications).
- Authentication and session controls: multi-factor authentication for administrative access, rotating credentials and session timeouts.
- Monitoring and audits: regular security monitoring, vulnerability scanning and penetration testing.
- Incident response: procedures to detect, investigate and respond to security events.
Although we take reasonable steps to protect your information, no method of transmission or storage is completely secure. If we discover a breach that may have compromised your personal information, we will notify you and regulators as required by law.
12. Third-party websites and services
Our Services may contain links to or integrate with websites or services not operated by BankMe (for example, external payment forms or third-party login providers). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.
13. Children's privacy
BankMe is not intended for use by children under the age of 16 (or a lower age as defined by local law). We do not knowingly collect personal data from children. If you believe that a child has provided personal information through our Services, please contact us and we will take steps to delete the data.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technologies or legal requirements. The "Last updated" date at the top of this policy indicates when it was last revised. We will notify you of material changes through the Services or via email. Please review this policy periodically.
15. Contact us
If you have any questions, requests or complaints regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:
BankMe Privacy Team
Email: privacy@bankme.online
Postal address: 21 Detroit Crescent, Secunda, Mpumalanga, 2302, South Africa
You can also lodge a complaint with your local data protection authority (for example, the European Data Protection Supervisor, the UK Information Commissioner's Office, the California Privacy Protection Agency, or South Africa's Information Regulator).