LEGAL DOCUMENT

Privacy Policy

This policy explains how BluCross Capital (Pty) Ltd collects, uses, stores, shares and protects your personal information. It is drafted in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and all applicable South African legislation.

Last Updated: March 2026 | Version 3.0 | English
GOVERNED BY
POPIA — Act 4 of 2013
NCA — Act 34 of 2005
PAIA — Act 2 of 2000
ECTA — Act 25 of 2002

1 Who We Are

BluCross Capital (Pty) Ltd ("BluCross Capital", "we", "us" or "our") is a registered South African company operating as a short-term credit provider and financial services provider.

Company Details
Trading Name: BluCross Capital
Type: Registered Credit Provider
Country: South Africa
Website: blucrosscapital.com
Regulatory Status
NCR: Registered under NCA 34 of 2005
FSP: FAIS Act 37 of 2002
FIC: PCC 25 · Item 12
POPIA: Act 4 of 2013 compliant

As a responsible party under POPIA, BluCross Capital determines the purpose and means of processing your personal information. We are committed to processing your information lawfully, fairly, transparently and in a manner that respects your right to privacy as guaranteed under section 14 of the Constitution of the Republic of South Africa, 1996.

2 Scope & Application

This Privacy Policy applies to:

  • All personal information collected through our website (blucrosscapital.com)
  • Information collected at any of our physical branch locations across South Africa
  • Information collected via telephone, email, WhatsApp or any other communication channel
  • Information submitted through loan applications, account registration, or support requests
  • Information collected from third parties (credit bureaux, employers, banks) in connection with your application

This policy does not cover the privacy practices of third-party websites or services that may be linked from our website. We encourage you to read the privacy policies of any third-party sites you visit.

By using our services, submitting a loan application, or providing us with any personal information, you acknowledge that you have read and understood this Privacy Policy.

3 Personal Information We Collect

We collect only the information that is necessary for the purposes described in this policy. The categories of personal information we collect include:

| Category | Examples | Why We Need It |
| --- | --- | --- |
| Identity Information | Full name, ID number, date of birth, nationality, gender | Identity verification, FICA compliance, NCA requirements |
| Contact Information | Phone number, email address, physical address, postal address | Communication, correspondence, account management |
| Financial Information | Income details, employment information, bank account number, bank statements, credit history | Affordability assessment (NCA s.81), credit checks, disbursement |
| Employment Information | Employer name, payslip details, employment type, salary pay date | Creditworthiness assessment, responsible lending |
| Account Information | Username, password (encrypted), login history, branch preference, application history | Account management, security, service delivery |
| Document Information | Bank statement PDFs, ID document copies, supporting documents | Application verification, NCA compliance, fraud prevention |
| Technical Information | IP address, browser type, device information, pages visited, time and date of access | Website security, analytics, fraud prevention, service improvement |
| Communication Records | Emails, WhatsApp messages, call logs, support requests | Record-keeping, dispute resolution, service quality |

We do not intentionally collect special personal information (race, religion, health, biometrics, political views, sexual orientation) unless strictly required by law or with your explicit consent.

4 How We Collect Your Information

Directly from You
  • When you create an account on our website
  • When you submit a loan application (online or in branch)
  • When you contact us via phone, email or WhatsApp
  • When you submit a support request or complaint
  • When you visit any of our branch offices
  • When you provide documents for verification
From Third Parties
  • Credit bureaux (affordability and credit checks)
  • Banking institutions (account verification)
  • Employers (employment verification, where applicable)
  • Fraud prevention databases
  • Government databases (identity verification)
  • Other credit providers (credit history)
Automatically (Website)
  • Cookies and session data
  • IP address and location data
  • Browser and device information
  • Pages visited and time spent
  • Referring websites
In Branch
  • Identification document copies
  • Completed paper application forms
  • CCTV footage for security purposes
  • In-person verification of identity

5 Lawful Basis for Processing (POPIA Conditions)

Under POPIA Chapter 3, we may only process your personal information if at least one of the following conditions (lawful bases) applies:

| POPIA Condition | How It Applies to Us |
| --- | --- |
| Consent (s.11(1)(a)) | By creating an account and submitting a loan application, you consent to the processing of your personal information as described in this policy. You may withdraw consent, subject to legal and contractual limitations. |
| Contractual Necessity (s.11(1)(b)) | Processing is necessary to enter into or perform a credit agreement with you — including identity verification, affordability assessment and disbursement. |
| Legal Obligation (s.11(1)(c)) | We are required by law to process certain information — e.g., FICA (FIC Act 38 of 2001), NCA affordability assessment (s.81), NCR registration requirements, SARS compliance. |
| Legitimate Interest (s.11(1)(f)) | We have a legitimate business interest in processing information for fraud prevention, debt recovery, security, and improving our services — provided this does not override your rights. |
| Vital Interest (s.11(1)(d)) | In rare circumstances where processing is necessary to protect your vital interests or those of another person. |

6 Purpose of Processing Your Information

We process your personal information only for the specific, explicitly defined purposes listed below. We will not process your information for any other purpose without your prior consent:

Loan Application Processing — Evaluating, approving or declining credit applications.
Identity Verification — Confirming your identity as required by FICA and the NCA.
Affordability Assessment — Conducting a responsible lending assessment (NCA s.81).
Credit Bureau Checks — Assessing creditworthiness with registered credit bureaux.
Disbursement — Transferring approved loan funds directly to your verified bank account.
Account Management — Managing your client portal, loan history, and profile.
Communication — Sending notices, statements, payment reminders and updates.
Fraud Prevention — Detecting, investigating and preventing fraud and financial crime.
FIC/FICA Compliance — Meeting our obligations under the Financial Intelligence Centre Act.
Regulatory Reporting — Reporting to the NCR, FIC, SARS and other authorities as required.
Debt Recovery — Pursuing overdue repayments through lawful means.
Service Improvement — Improving our products, systems and customer experience.

7 Information Sharing & Disclosure

We do not sell your personal information to third parties. We may share your information only in the following circumstances:

| Recipient | Purpose | Legal Basis |
| --- | --- | --- |
| Registered Credit Bureaux (e.g. TransUnion, Experian, XDS) | Credit checks, affordability assessment, reporting of payment behaviour | NCA s.70 obligation; contractual necessity |
| Financial Intelligence Centre (FIC) | Suspicious transaction reporting, cash transaction reporting, FICA compliance | FIC Act 38 of 2001 — legal obligation |
| National Credit Regulator (NCR) | Regulatory reporting, compliance submissions | NCA 34 of 2005 — legal obligation |
| South African Revenue Service (SARS) | Tax compliance, mandatory reporting | Income Tax Act — legal obligation |
| Banking Institutions | Disbursing loan funds, debit order processing | Contractual necessity |
| Debt Collectors / Attorneys | Recovery of overdue loan amounts | Legitimate interest; contractual terms |
| IT Service Providers & Operators | Cloud hosting, website management, cybersecurity | Operator agreement (POPIA s.20–22); legitimate interest |
| Courts & Law Enforcement | Compliance with court orders, subpoenas, or lawful directives | Legal obligation |

All third parties who process your information on our behalf are required to comply with POPIA and are bound by appropriate operator agreements or data sharing agreements.

8 Data Retention

We retain your personal information only for as long as is necessary for the purpose it was collected, or as required by law. Our retention schedule is as follows:

| Information Type | Retention Period | Reason |
| --- | --- | --- |
| Loan application records | 5 years after agreement end | NCA requirement; SARS compliance |
| Identity documents (FICA) | 5 years after business relationship ends | FIC Act s.22 requirement |
| Financial statements & bank records | 5 years | NCA, Companies Act, SARS |
| Credit bureau report records | 5 years | NCA; legitimate interest |
| Active client accounts | Duration of relationship + 5 years | Contractual; regulatory |
| Communication records | 3 years | Dispute resolution; audit trail |
| Website access logs | 12 months | Security; fraud prevention |
| Marketing preferences | Until you opt out or 3 years inactive | POPIA s.69; CPA compliance |

After the retention period expires, your personal information will be destroyed or de-identified in a secure manner, unless retention is required for legal proceedings or regulatory investigations.

9 Information Security Measures

As required by POPIA section 19, we take reasonable technical and organisational measures to secure your personal information against loss, damage, unauthorised access, disclosure, interference or destruction.

Technical Controls
  • TLS/SSL encryption for all data in transit
  • Encrypted storage of sensitive data at rest
  • Encrypted password hashing (bcrypt/Django PBKDF2)
  • Secure HTTPS-only website access
  • Firewall and intrusion detection systems
  • Regular security patching and updates
  • Session timeout and secure session management
Organisational Controls
  • Role-based access control (staff see only what they need)
  • Staff confidentiality agreements and POPIA training
  • Background checks on staff with data access
  • Documented data handling procedures
  • Regular internal audits and risk assessments
  • Secure physical office environments
  • Incident response plan and data breach procedure
Data Breach Notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Regulator within the prescribed timeframe and notify you as a data subject where required by POPIA section 22.

10 Your Rights as a Data Subject (POPIA)

Under POPIA sections 5, 23, 24 and 68–73, you have the following rights in relation to your personal information:

Right to be Informed
To know that your information is being collected, why, and how it is processed. (POPIA s.18)
Right of Access
To request a copy of the personal information we hold about you. (POPIA s.23 / PAIA)
Right to Correction
To request correction or deletion of inaccurate, outdated or incomplete information. (POPIA s.24)
Right to Object
To object to processing based on legitimate interest or for direct marketing purposes. (POPIA s.11(3))
Right to Deletion
To request destruction or de-identification of your information once retention is no longer justified.
Right Against Automated Decisions
Not to be subject to purely automated decisions that significantly affect you. (POPIA s.71)
Right to Complain
To lodge a complaint with the Information Regulator if you believe we have violated your rights. (POPIA s.74)
Right to Withdraw Consent
To withdraw consent at any time, subject to legal and contractual obligations.

To exercise any of these rights, submit a written request to our Information Officer at admin@blucrosscapital.com. We will respond within 30 days as required by POPIA.

We may require you to verify your identity before processing your request. There is no fee for submitting a request, although a nominal fee may be charged for providing information in bulk or in specific formats in terms of PAIA.

11 Cookies & Digital Tracking

Our website uses cookies and similar tracking technologies to improve your experience. Cookies are small text files stored on your device by your browser.

| Cookie Type | Purpose | Duration |
| --- | --- | --- |
| Essential / Session | Required for login sessions, form submissions, security (CSRF tokens) | Session (deleted on close) |
| Functional | Remembering your branch preference, language and display settings | Up to 12 months |
| Analytics | Understanding how visitors use our website (page views, navigation paths) | Up to 24 months |
| Security | Detecting suspicious activity, fraud prevention, bot protection | Session / 30 days |

You can control or disable cookies through your browser settings. Note that disabling essential cookies may prevent you from logging in or using certain features of our website. We do not use tracking cookies for advertising or share your browsing data with advertising networks.

12 Direct Marketing

Under POPIA section 69 and the Consumer Protection Act (CPA), you have the right to opt out of direct marketing communications at any time.

  • We may send marketing communications by email, SMS or WhatsApp to existing clients about relevant products and services.
  • We will only send marketing to you if you have consented or if you are an existing client and the communication relates to similar services.
  • Every marketing message includes a clear and free opt-out mechanism.
  • To opt out, reply "STOP" to any SMS, click "Unsubscribe" in any email, or email us at admin@blucrosscapital.com.
  • Once you opt out, we will stop sending marketing within 5 business days.

13 Cross-Border Information Transfers

In limited circumstances, your personal information may be transferred to or processed in countries outside South Africa — for example, if we use cloud-based infrastructure hosted internationally.

We comply with POPIA section 72, which requires that cross-border transfers may only occur if:

  • The recipient country provides an adequate level of data protection;
  • You have consented to the transfer;
  • The transfer is necessary for performance of a contract with you; or
  • The transfer is subject to a binding agreement that upholds POPIA principles.

We take reasonable steps to ensure any third-party international processors are bound by appropriate data protection agreements.

14 Children's Personal Information

Our services are not directed at persons under the age of 18. We do not knowingly collect personal information from minors. In terms of the NCA, you must be 18 years or older to enter into a credit agreement. If you are under 18, please do not submit any personal information to us. If we become aware that we have collected information from a minor without parental consent, we will delete it immediately. If you believe a minor has provided us with their information, please contact our Information Officer immediately.

15 Information Officer

As required by POPIA section 55, we have appointed an Information Officer responsible for ensuring compliance with POPIA. You may direct any privacy-related queries, requests or complaints to:

Role: Information Officer
Organisation: BluCross Capital (Pty) Ltd
Physical: Visit any branch — see offices
Response Time: Within 30 days of request

16 Complaints & The Information Regulator

If you are dissatisfied with our response to a privacy complaint, or believe we are processing your information in violation of POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa.

INFORMATION REGULATOR — SOUTH AFRICA
33 Hoofd Street, Forum III, 3rd Floor, Braampark, Johannesburg, 2001
+27 (0) 10 023 5207

We encourage you to contact us first before escalating to the Regulator. We are committed to resolving all privacy concerns promptly and fairly.

17 Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page;
  • Post a notice on our website home page; and/or
  • Notify you by email or SMS if the changes materially affect your rights.

Your continued use of our services after any updated policy has been published constitutes your acceptance of the updated terms, to the extent permitted by law.

18 Contact Us

For any privacy-related queries, requests to exercise your POPIA rights, or general questions about this policy, please contact us:
