1. About this policy
This Privacy Policy outlines how 22seven (Pty) Ltd, trading as Vault22 (“Vault22,” “we,” “us,” or “our”), a subsidiary of Vault22 Solutions Holdings Ltd. (Registration number 8385), collects, uses, discloses, and protects your Personal Data in compliance with the South African Protection of Personal Information Act, 2013 (POPIA) and DIFC Data Protection Law No. 5 of 2020 (DP Law). By accessing our website at www.vault22.io (“Website”) or our mobile application (“Mobile App”) (collectively, “Service Channels”), you consent to the practices described herein. If you disagree with any part of this policy, you must immediately discontinue using our Service Channels and refrain from providing Personal Data.
This policy applies to all Data Subjects using our Service Channels, including those engaging with our DFSA-regulated robo-advisory services for arranging investment deals and advising on financial products, such as portfolios of US-listed stocks. Vault22, authorized by the DFSA (firm reference number 4407) in the DIFC and as a Juristic Representative of Chalford Capital (FSP No. 52925) in South Africa, ensures compliance with all Applicable Laws, including the Financial Advisory and Intermediary Services Act (FAIS) and DFSA Rules.
In the event of a business transfer (e.g., merger, sale, or reorganization), your Personal Data may be shared with the successor entity under strict confidentiality and security measures, compliant with POPIA, DP Law, and this policy.
2. Definitions
The following definitions align with POPIA, DP Law, and other Applicable Laws:
“Applicable Law”: Any statute, regulation, rule, code, directive, or requirement of any governmental or regulatory authority (e.g., POPIA, DP Law, DFSA Rules, FAIS) applicable to Vault22’s obligations or Service Channel use.
“Consent”: Your voluntary, specific, and informed permission for Processing Personal Data.
“Data Subject” or “You”: An identified or identifiable natural or juristic person, identifiable by name, ID number, or other specific identifiers.
“Information Officer”: Cliff Nkuna, Vault22’s appointed Information Officer for POPIA and Data Protection Officer for DP Law compliance.
“Operator”: A third party or Third-Party Service Provider Processing Personal Data on Vault22’s behalf.
“Personal Data”: Information relating to an identifiable, living natural person or juristic person, including name, contact details, biometric data, financial history, or Special Personal Data (e.g., race, health, criminal records).
“Policy” or “Privacy Policy”: This Privacy Policy.
“Processing”: Any operation involving Personal Data, including collection, storage, use, dissemination, or deletion, whether automated or manual.
“Responsible Party”: Vault22, determining the purpose and means of Processing Personal Data.
“Special Personal Data”: Data concerning religious beliefs, race, health, biometric information, or criminal behavior, as defined under POPIA and DP Law.
“Service Channels”: Vault22’s Website and Mobile App, including robo-advisory functionalities.
“Social Media Platforms”: Platforms like Facebook, LinkedIn, Twitter, Instagram, Pinterest, YouTube, WeChat, WhatsApp, TikTok, and similar services.
“Third Party Service Providers”: Entities providing services through Service Channels, including Regulated Third-Party Providers (e.g., GTN Asia Financial Services Pte Ltd).
“Vault22”: 22seven (Pty) Ltd (Registration number 2023/181742/07), regulated by the DFSA (firm reference number 4407) in the DIFC and as a Juristic Representative of Chalford Capital (FSP No. 52925) in South Africa.
3. Our commitment to security
Vault22 is committed to safeguarding your Personal Data, implementing reasonable technical, physical, and organizational measures to prevent unauthorized access, loss, or unlawful Processing, as required by POPIA, DP Law, and DFSA Rules. These measures include:
Data encryption, authentication, and virus detection.
Restricted employee access to necessary data only.
Regular risk assessments and security audits.
Background checks and employee training on POPIA and DP Law compliance.
Binding agreements with Third Party Service Providers meeting DFSA and POPIA standards.
While we strive to ensure robust protection, no internet transmission is 100% secure, and you provide data at your own risk. We comply with all Applicable Laws to protect your data.
4. Information we collect and receive
Providing Personal Data is generally voluntary but may be mandatory for specific services (e.g., anti-money laundering (AML) compliance, contract performance, or DFSA/FAIS requirements). Failure to provide required data may prevent service delivery or legal compliance.
We collect Personal Data through:
Information You Provide: Via forms, registration, client portals, app store searches, or communications (e.g., email, phone, Mobile App interactions, social media functions).
Information Automatically Collected: When using Service Channels or Social Media Platforms.
Information from Third Parties: Publicly or commercially available data combined with collected data.
Types of Personal Data and Purpose:
Account Information: Name, email, phone number, postal/work address, date of birth, ID/passport numbers, username, password, photograph—for service provision, identity verification, and AML compliance.
Connection Information: IP address, browser type/version, device type, operating system, screen resolution, mobile network, time zone, referring/exit pages—for usability optimization, usage analysis, and unauthorized access detection.
Financial Information: Bank account details, credit card information, transaction history, balances, credit scores, debit orders, tax calculations, trading positions, beneficiary details—for service delivery, credit checks, and investment facilitation.
Transaction Information: Value, merchant, credit/debit type, dates—for service delivery and compliance.
Public Forum Information: Name and messages on public forums, visible to all users and retained post-account termination.
Verification Information: Identity documents, utility bills—for account unlocking or DFSA/FAIS compliance.
Financial Product Data: Mobile number, gender, income, occupation, residential details, smoker status, education level, driver’s license—for personalized product pricing and uptake.
Optional Information: Age, employment status, marital status, number of children, geolocation, financial goals, personal interests—for customized insights and recommendations.
Research and Analysis: Data for market research or statistical analysis to enhance services.
Special Personal Data: Collected with explicit Consent or legal justification (e.g., AML compliance), per POPIA and DP Law.
Device and Log Information: Device type, browser, traffic data, weblogs—for service improvement and security.
Demographic Information: Postcode, hometown, gender, browsing/search history—for personalized features and analytics.
Location Information: GPS-based location, with Consent, for specific features (adjustable via device settings).
By providing Personal Data, you acknowledge Vault22 may Process it for these purposes, unless explicit Consent is required by Applicable Law (e.g., direct marketing). Processing of data related to children is expressly prohibited unless for specific, lawful purposes.
5. How we use your information
We use Personal Data to:
Provide, maintain, and enhance Service Channels, including facilitating payments, sending receipts, delivering robo-advisory services, and developing new features.
Perform internal operations (e.g., fraud prevention, software troubleshooting, data analysis, testing, research, and compliance with DFSA/FAIS regulations).
Send communications about products, services, promotions, events, or contests, subject to your Consent where required.
Notify you of Service Channel updates.
Enable interactive features (e.g., robo-advisory tools, social media functions).
Ensure security and compliance with Applicable Laws.
Personalize services, including recommendations, content, social connections, and advertisements.
Processing is lawful under POPIA, DP Law, or other Applicable Laws, and we do not engage in automated decision-making unless explicitly notified.
6. Correction of personal information
We may share Personal Data:
With affiliates within Vault22 Solutions Holdings Ltd., under strict confidentiality.
With employees on a need-to-know basis, trained in POPIA and DP Law compliance.
With Third Party Service Providers (e.g., Alpaca Securities LLC) under data processing agreements, ensuring DFSA and POPIA-compliant security.
With competent authorities or government entities to comply with legal processes or protect our rights, per Applicable Laws.
With third parties in aggregated/anonymized form that cannot identify you.
During mergers, acquisitions, or business transfers, under confidentiality measures.
With third parties upon your explicit Consent (e.g., for marketing), with clear disclosure of shared data.
We are not responsible for third parties’ use of your data post-sharing; review their privacy policies before consenting.
7. International Transfers of personal information
Vault22 operates from South Africa and the DIFC. Your Personal Data may be transferred, stored, or processed in jurisdictions with different data protection laws (e.g., United Arab Emirates, other countries). Transfers occur only:
To countries with equivalent or stronger data protection than South Africa or the DIFC.
With processors under agreements ensuring POPIA and DP Law compliance.
Under legal derogations, per DP Law, where applicable.
Your use of Service Channels and data submission constitute Consent to such transfers. We ensure secure treatment, per DFSA, POPIA, and DP Law standards.
8. Retention and Destruction of personal information
We retain Personal Data only as necessary for the purposes outlined or as required by Applicable Laws (e.g., six years post-account termination for AML compliance).
Upon account termination, we securely delete data unless legally required to retain it, maintaining strict security controls, per DFSA and POPIA.
9. Security of personal information
Vault22 implements robust measures to prevent unauthorized access, loss, or unlawful Processing, including:
Data encryption, authentication, and virus detection.
Restricted employee access to necessary data only.
Regular risk assessments and security audits, per DFSA requirements.
Background checks and employee training on POPIA and DP Law.
Binding agreements with Third Party Service Providers meeting DFSA and POPIA standards.
While no internet transmission is 100% secure, and you provide data at your own risk, we strive to protect it per Applicable Laws.
10. Cookies
Cookies enhance your Service Channel experience by storing unique identifiers to recognize returning users, remember preferences, and track interactions. They support personalized content, marketing analysis, and usage trends. Types include:
Essential: Google Tag Manager for tag deployment.
Analytics: Google Analytics, Pingdom, Hotjar for usage and behavior tracking.
Advertising: DoubleClick, Twitter, Facebook, LinkedIn for ad optimization.
You can disable Cookies via browser settings, but this may limit functionality. Visit www.aboutcookies.org for guidance.
11. Your rights as a data subject
Under POPIA and DP Law, you have the following rights:
Access and Correction: Access your Personal Data free of charge (subject to PAIA/DP Law fees for excessive requests) and request correction of inaccuracies.
Object to Processing: Object to Processing based on legitimate interests, unless legally required.
Withdraw Consent: Revoke Consent (e.g., for marketing) by contacting us; Processing will cease unless another legal basis applies.
Restriction: Request Processing restriction (e.g., during accuracy disputes, for legal claims, or if Processing is unlawful but you oppose erasure).
Erasure: Request deletion (“right to be forgotten”) unless retention is legally required (e.g., for legal claims).
Data Portability: Receive data provided to us in a structured, machine-readable format, where Processing is Consent-based and automated.
Opt-Out of Marketing: Opt out via provided options; service-related messages will continue.
Lodge Complaints: Complain to the South African Information Regulator or DIFC Commissioner of Data Protection if your rights are infringed.
To exercise these rights, contact our Information Officer/Data Protection Officer. We will verify inaccuracies, correct data, and notify relevant third parties, though third-party databases may retain outdated data until refreshed.
12. Handling of personal information breaches
In the event of a Personal Data breach, Vault22 will follow incident management procedures, notifying affected Data Subjects and the South African Information Regulator or DIFC Commissioner of Data Protection, as required by POPIA and DP Law.
13. Links to Other Websites
Service Channels may link to third-party websites or services. We are not responsible for their privacy practices. Review their policies before sharing Personal Data, as we are not liable for losses arising from third-party actions.
14. Integration with Terms of Service
This Privacy Policy is read alongside our Terms of Service, governing Service Channel use. In case of conflict, this policy prevails for Personal Data matters.
15. Changes to this Privacy Policy
We may update this policy to reflect changes in practices or legal requirements, revising the “Last Updated” date. Significant changes will be communicated via Service Channels or email. Continued use after changes constitutes acceptance. Review this policy periodically.
16. Contact information
For questions, concerns, or to exercise your rights, contact:
Vault22 Information Officer/Data Protection Officer:
Email: support@vault22.io
Physical Address: Innovation City Darter Studios, Darter Road, Long kloof, Gardens, Cape Town, 8001.
You may also contact the Information Regulator for further complaints or inquiries at the Information Regulator’s website.
17. Governing Law
This Privacy Policy is governed by South African law for South African operations, with disputes resolved in South African courts. For DFSA-regulated services, DIFC law applies, with disputes resolved in DIFC Courts (Small Claims Tribunal for disputes under AED 1,000,000).