Privacy Policy
1. Introduction and Scope
1.1. Welcome to Onemoola. This Privacy Policy explains how Onemoola (Pty) Ltd (Registration Number: 2016 / 385410 / 07), (“Onemoola”, “we”, “us”, “our”) collects, uses, shares, protects, and otherwise processes your Personal Information when you use our website, mobile application, and related financial advisory and intermediary services (collectively, the “Services”).
1.2. We are committed to protecting your privacy and processing your Personal Information lawfully, transparently, and securely, in accordance with the South African Protection of Personal Information Act, 4 of 2013 (“POPIA”) and other applicable legislation.
1.3. By registering for or using our Services, you acknowledge that you have read and understood this Privacy Policy. This Policy forms part of our Terms of Use.
1.4. Definitions:
- Personal Information: Means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including, but not limited to the types of information listed in Section 3 below.
- Processing: Means any operation or activity concerning Personal Information, including its collection, use, storage, dissemination, modification, or destruction.
- Responsible Party: Means the entity that determines the purpose and means of Processing Personal Information (in this case, Onemoola).
- Operator: Means a party who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party.
- Data Subject: Means the person to whom Personal Information relates (in this case, “you”, our user).
2. Our Role and Contact Details
2.1. Onemoola acts as the Responsible Party for the Processing of your Personal Information.
2.2. Our designated Information Officer is the Chief Executive Officer (CEO).
2.3. If you have any questions about this Privacy Policy or how we handle your Personal Information, please contact our Information Officer at:
- Email: connect@onemoola.com
3. Personal Information We Collect
We collect various types of Personal Information necessary to provide our Services, comply with legal obligations, and manage our platform. This includes:
3.1. Identification and Contact Information:
- Full names, date of birth, gender, nationality.
- South African Identity Number (or passport number for foreign nationals).
- Residential address and proof thereof (e.g., utility bill, bank statement).
- Email address, telephone number(s).
- Contact details for your next-of-kin.
3.2. Financial Information:
- Income details (including proof like payslips).
- Information about your assets, liabilities, and existing investments.
- Bank account details (for verification and facilitating instructions to fund managers).
- Information regarding your financial goals, risk tolerance, investment objectives, and retirement plans.
- Information and documentation regarding the source of your funds or wealth (as required by FICA).
3.3. Verification Information (FICA/KYC Compliance):
- Copies of your identification documents (ID book/card, passport).
- Proof of residential address documents.
- Photographs submitted by you for identity verification purposes.
- Data related to One-Time Pin (OTP) verification sent to your phone or email.
3.4. Technical Information:
- Internet Protocol (IP) address.
- Device information (type, operating system, identifiers).
- Browser type and version.
- Usage data, logs regarding your interaction with our Services (e.g., pages visited, features used, time spent).
- Information collected via cookies and similar technologies.
3.5. Communications Information:
- Records of your interactions with us, including emails, platform messages, chat logs (including potential use of channels like WhatsApp, subject to terms), call recordings (if applicable), and survey responses.
3.6. Referral Information:
- Information on how you were referred to Onemoola (e.g., search engine, social media, existing user).
3.7. Information Regarding Minors:
- We do not knowingly collect Personal Information directly from individuals under the age of 18. If our Services are used to manage finances for a minor, the necessary Personal Information must be provided by their legal guardian. Processing of children’s information is done strictly based on the guardian’s consent and instructions, solely for providing the agreed Services, and in compliance with POPIA Section 35.
4. How We Collect Your Information
4.1. Directly from You: When you register, complete your profile, upload documents, respond to questionnaires, or communicate with us.
4.2. Automatically: When you interact with our Services, we collect Technical Information using cookies, logs, and other technologies.
4.3. From Third Parties: We may receive information from third-party verification services (for FICA/KYC checks) or publicly available sources (e.g., sanctions lists).
5. How and Why We Use Your Personal Information (Purpose and Legal Basis)
We process your Personal Information only for specific, explicit, and legitimate purposes, based on valid legal grounds under POPIA. These include:
5.1. To Provide and Manage Your Account and Our Services
Purpose includes: Registering you as a user; Providing automated financial advice & planning; Facilitating human advisor review/approval; Acting as intermediary to external fund managers; Providing customer support.
Categories of Personal Information used: Identification, Contact, Financial, Verification, Technical, Communications.
Legal basis under POPIA: Necessary to Perform our Contract with you (as per our Terms of Use).
5.2. To Comply with Legal and Regulatory Obligations
Purpose includes: Identity verification (KYC/CDD) under the Financial Intelligence Centre Act (FICA); Anti-Money Laundering (AML) & Counter-Terrorist Financing (CFT) checks; Fraud prevention and detection; Reporting to authorities (FIC, FSCA, SARS, etc.); Responding to legal process.
Categories of Personal Information used: Identification, Contact, Financial, Verification, Technical, Transactional.
Legal basis under POPIA: Necessary for Compliance with a Legal Obligation to which Onemoola is subject.
5.3. To Verify Your Identity using Submitted Photographs
Purpose includes: Comparing your submitted photograph with your ID document for verification purposes.
Categories of Personal Information used: Verification Information (Photographs, ID documents).
Legal basis under POPIA: Consent. (Processing Biometric Information requires your explicit consent. You provide this when uploading your photo for this specific purpose).
5.4. To Improve and Personalize Our Services
Purpose includes: Analysing usage patterns to enhance platform functionality; Developing new features; Tailoring content and recommendations (within the scope of financial advice).
Categories of Personal Information used: Technical, Financial (anonymised/aggregated where possible), Referral, Communications (feedback).
Legal basis under POPIA: Our Legitimate Interest (to improve our services, user experience, and business efficiency), provided your fundamental rights are not overridden.
5.5. To Ensure Platform Security
Purpose includes: Monitoring for suspicious activity; Protecting against unauthorised access; Troubleshooting and debugging.
Categories of Personal Information used: Identification, Technical, Verification (OTP).
Legal basis under POPIA: Our Legitimate Interest (to maintain the security and integrity of our platform and user data).
5.6. For Direct Marketing Communications
Purpose includes: Sending emails or notifications about Onemoola features, promotions, or financial education content.
Categories of Personal Information used: Identification (Name), Contact (Email).
Legal basis under POPIA: Consent. (You provide this via the opt-in checkbox during sign-up and can withdraw it anytime via your profile settings or unsubscribe links).
5.7. To Communicate with You
Purpose includes: Responding to your inquiries; Sending essential service-related updates and notifications (non-marketing).
Categories of Personal Information used: Identification, Contact, Communications.
Legal basis under POPIA: Necessary to Perform our Contract; Our Legitimate Interest (to manage our relationship with you effectively).
5.8. Further Processing
We will not process your Personal Information for any purpose incompatible with the original purpose for which it was collected, unless we obtain your consent or are required by law.
6. How We Share Your Personal Information
We do not sell your Personal Information. We may share your information only in the following circumstances and with appropriate safeguards:
6.1. External Fund / Money Managers: When you instruct us to implement an approved financial plan, we share the necessary information (e.g., your identification, contact details, investment instructions) with the specific third-party fund or money managers you select, to enable them to open your account and manage your investments according to your mandate.
6.2. Third-Party Service Providers (Operators): We use trusted Operators to perform functions on our behalf. These include:
- Cloud Hosting Providers: (e.g., Google Cloud) to host our platform and store data.
- Identity Verification Services: To assist with FICA/KYC checks.
- Analytics Providers: (e.g., Google Analytics) to help us understand service usage.
- Communication Platforms: (e.g., Google Workspace, potentially WhatsApp for specific communications) for internal and external communication.
We have contracts in place with these Operators requiring them to protect your Personal Information adequately, use it only for the purposes we instruct, and comply with POPIA.
6.3. Legal and Regulatory Authorities: We may disclose your information to the Financial Intelligence Centre (FIC), South African Revenue Service (SARS), Financial Sector Conduct Authority (FSCA), the Information Regulator, law enforcement agencies, or courts when required by law, subpoena, or court order, or when necessary to prevent fraud or other crimes.
6.4. Professional Advisors: We may share information with our lawyers, auditors, or compliance consultants (like Masthead (Pty) Ltd) under duties of confidentiality when necessary for obtaining advice or managing legal risks.
6.5. Business Transfers: If Onemoola undergoes a merger, acquisition, or sale of assets, your Personal Information may be transferred as part of that transaction, subject to the receiving party agreeing to uphold commitments similar to those in this Privacy Policy.
6.6. With Your Consent: We may share your information with other third parties if you have explicitly consented to such sharing.
7. International Data Transfers
7.1. Some of the third-party service providers we use (such as Google Cloud, Google Analytics, Google Workspace) are located or operate infrastructure outside of the Republic of South Africa.
7.2. This means your Personal Information may be transferred outside of South Africa to countries that may have different data protection laws.
7.3. When we transfer your Personal Information internationally, we take legally required steps to ensure it receives an adequate level of protection, comparable to that provided by POPIA. This is typically achieved through:
- Ensuring the recipient country is deemed to have adequate data protection laws.
- Implementing contractual safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), with the third-party provider.
8. Data Security
8.1. We are legally obliged under POPIA (Condition 7) to implement appropriate, reasonable technical and organizational measures to secure the integrity and confidentiality of your Personal Information and prevent loss, damage, unauthorized destruction, or unlawful access or processing.
8.2. Measures we implement include:
- Encryption: Data is encrypted both in transit (e.g., using TLS/SSL) and at rest.
- Access Control: Strict access controls limit employee access to user data based on roles and necessity. Procedures are in place for granting temporary, audited access when required for support or maintenance.
- Secure Infrastructure: Utilizing reputable cloud providers (Google Cloud) with robust security practices.
- Verification Security: Using methods like OTP for transaction or login verification.
- Secure Development Practices: Integrating security into our software development lifecycle.
- Employee Training: Training staff on data protection and security obligations.
- Incident Response: Having procedures to detect and respond to potential data breaches.
8.3. While we strive to protect your Personal Information, no system is entirely infallible. You are also responsible for maintaining the confidentiality of your account credentials (password, PINs) and securing the devices you use to access our Services. Please notify us immediately if you suspect any unauthorized access to your account.
8.4. Data Breach: Should a data breach occur that is likely to result in a risk to your rights and freedoms, we will notify the Information Regulator and affected data subjects as required by POPIA.
9. Data Retention
9.1. We retain your Personal Information only for as long as necessary to fulfil the purposes for which it was collected (as outlined in Section 5), unless a longer retention period is required or permitted by law.
9.2. Key considerations for retention periods include:
- Legal Obligations: FICA requires records related to customer due diligence and transactions to be kept for at least five (5) years after the termination of the business relationship. Other financial sector laws may impose different requirements.
- Ongoing Service Provision: We retain data while you are an active user.
- Dispute Resolution: We may retain data if needed to resolve disputes or defend legal claims.
9.3. Upon expiry of the necessary retention period, or upon your valid request for deletion (subject to legal overrides), we will securely destroy or de-identify your Personal Information. If requested to delete your account, we may need to archive certain data solely to comply with our legal retention obligations; this archived data will not be used for any other purpose.
10. Your Rights Under POPIA
As a Data Subject in South Africa, you have the following rights regarding your Personal Information. You can exercise these rights by contacting our Information Officer (connect@onemoola.com):
10.1. Right of Access: You have the right to request confirmation of whether we hold Personal Information about you, and to request a copy of that information.
10.2. Right to Correction: You have the right to request the correction of any inaccurate, incomplete, or outdated Personal Information we hold about you. You may be able to update some information directly via your profile settings.
10.3. Right to Deletion (Erasure): You have the right to request the deletion or destruction of your Personal Information under certain conditions (e.g., if it’s no longer necessary for the original purpose, or consent is withdrawn and there’s no other legal ground), subject to our legal retention obligations.
10.4. Right to Object: You have the right to object, on reasonable grounds relating to your particular situation, to the processing of your Personal Information where we rely on Legitimate Interest as our legal basis. You have an absolute right to object to the processing of your Personal Information for direct marketing purposes.
10.5. Right to Restrict Processing: You have the right to request the restriction of the processing of your Personal Information under certain circumstances (e.g., while verifying accuracy, or if processing is unlawful).
10.6. Right to Withdraw Consent: Where we process your Personal Information based on your consent (e.g., for direct marketing, processing biometric photos), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. You can typically withdraw marketing consent via your profile settings or unsubscribe links.
10.7. Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you may have the right to receive your Personal Information in a structured, commonly used, machine-readable format, or request us to transmit it directly to another controller where technically feasible.
10.8. Right to Lodge a Complaint: You have the right to lodge a complaint with the South African Information Regulator if you believe we are processing your Personal Information unlawfully.
11. The Information Regulator (South Africa)
If you are unsatisfied with our response to your data protection concerns, you have the right to complain to the Information Regulator:
- Website: https://inforegulator.org.za/
- Email: complaints.IR@justice.gov.za (for complaints) / POPIAComplaints@inforegulator.org.za (Please verify the current correct email address on their website)
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- P.O. Box 31533, Braamfontein, Johannesburg, 2017
12. Cookie Policy
We use cookies and similar technologies on our website and application. For more detailed information about the types of cookies we use, why we use them, and how you can manage your preferences.
13. Changes to this Privacy Policy
13.1. We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws.
13.2. The date at the top indicates when the latest revisions were made.
13.3. We will notify you of material changes by posting the updated policy on our platform, or via email or other appropriate communication channels. We encourage you to review this Policy periodically. Your continued use of our Services after changes have been posted constitutes your acknowledgement of the updated Policy.