SDPKT Wallet

1. Introduction

The Other Bhengu (PTY) Ltd, trading as The Geek Network ("we", "us", "our"), is the responsible party as defined by the Protection of Personal Information Act 4 of 2013 ("POPIA") for the SDPKT digital wallet application ("SDPKT", "the App").

We are committed to protecting your personal information and ensuring that it is collected, used, stored, and disclosed in accordance with POPIA and all other applicable South African legislation. This Privacy Policy explains how we handle your personal information when you use SDPKT.

By registering for and using SDPKT, you acknowledge that you have read and understood this Privacy Policy, and you consent to the collection, processing, and storage of your personal information as described herein.

2. Information Officer

In terms of Section 55 of POPIA, we have appointed an Information Officer who is responsible for ensuring compliance with the conditions for the lawful processing of personal information.

Company: The Other Bhengu (PTY) Ltd t/a The Geek

Email: support@sdpkt.co.za

Country: Republic of South Africa

3. Personal Information We Collect

We collect personal information that is necessary for the provision of our digital wallet services. The categories of personal information we collect include:

3.1 Account Registration Information

• Full name and surname

• Mobile phone number (used as your primary identifier)

• Email address (optional)

• Date of birth

• Profile photograph

3.2 Know Your Customer (KYC) Documents

To comply with the Financial Intelligence Centre Act 38 of 2001 ("FICA") and related regulations, we collect the following identity verification documents:

• South African Identity Document (ID) or passport (photograph or scan)

• Live selfie photograph for facial verification

• Proof of residential address (utility bill, bank statement, or similar)

• ID number or passport number

3.3 Biometric Information

SDPKT collects and processes biometric data, which is classified as special personal information under Section 26 of POPIA. We collect:

• Facial recognition data derived from your selfie for identity verification

• Fingerprint or face unlock data used for app authentication (processed on-device only)

We process biometric data with your explicit consent, as required by Section 27 of POPIA. On-device biometric authentication data (fingerprint, face unlock) never leaves your device and is not transmitted to our servers.

3.4 Financial and Transaction Information

• Wallet balance and transaction history

• Payment method details (bank account, card information via tokenised payment gateways)

• Airtime, data, and electricity purchase records

• Peer-to-peer transfer records (sender, recipient, amount, date)

• Bill payment and vending transaction records

• Referral programme participation data

3.5 Device and Technical Information

• Device model, operating system, and version

• Unique device identifiers

• IP address and approximate location (for fraud prevention)

• App version and usage analytics (if you opt in)

• Push notification tokens

3.6 Communication Data

• In-app messages and chat history

• Support ticket correspondence

• OTP verification records

4. Purpose of Processing

In accordance with Section 13 of POPIA, we only process your personal information for specific, explicitly defined, and lawful purposes. These purposes include:

4.1 Service Provision

• Creating and managing your SDPKT wallet account

• Processing financial transactions, including top-ups, payments, and transfers

• Providing airtime, data, electricity, and other vending services

• Facilitating peer-to-peer money transfers

• Generating transaction receipts and statements

4.2 Legal and Regulatory Compliance

• FICA/KYC identity verification and customer due diligence

• Anti-money laundering (AML) and counter-terrorism financing (CTF) screening

• Reporting to the Financial Intelligence Centre (FIC) as required by law

• Compliance with RICA (Regulation of Interception of Communications and Provision of Communication-related Information Act) where applicable

• Tax reporting obligations under the Income Tax Act and Tax Administration Act

4.3 Security and Fraud Prevention

• Authenticating your identity when you access your account

• Detecting and preventing fraudulent transactions or unauthorised access

• Monitoring for suspicious activity patterns

• Verifying device integrity and managing trusted devices

4.4 Communication

• Sending transaction confirmations and receipts

• Delivering security alerts and account notifications

• Responding to your support enquiries

• Sending promotional communications (only with your opt-in consent)

4.5 Service Improvement

• Analysing usage patterns to improve our services (with your consent)

• Conducting internal research and development

• Personalising your experience within the App

5. Legal Basis for Processing

We process your personal information based on the following legal grounds as permitted by POPIA:

a. Consent (Section 11(1)(a)): You have provided voluntary, specific, and informed consent to the processing of your personal information, including special personal information such as biometric data.

b. Contractual Necessity (Section 11(1)(b)): Processing is necessary for the performance of our contract with you to provide digital wallet services.

c. Legal Obligation (Section 11(1)(c)): Processing is necessary to comply with FICA, the Financial Intelligence Centre Act, RICA, and other applicable legislation.

d. Legitimate Interest (Section 11(1)(f)): Processing is necessary for our legitimate interests in fraud prevention and security, provided such interests do not override your rights.

6. Third-Party Service Providers

We share your personal information with the following categories of third parties, strictly on a need-to-know basis and subject to appropriate data processing agreements:

6.1 Payment Gateways

To process payments into your SDPKT wallet, we integrate with the following South African payment providers:

• Ozow — instant EFT payments. Ozow processes your bank selection and payment authorisation. We do not receive or store your banking credentials.

• PayFast — card and EFT payments. PayFast handles card details in a PCI-DSS compliant environment. We receive only a payment confirmation token.

• SnapScan — QR code-based payments. SnapScan processes your payment independently; we receive only a transaction reference and amount.

6.2 Retail Vending Partners

• BL Telecoms / Glocell — our retail vending partner for airtime, data bundles, electricity, and other prepaid services. When you purchase a product, we share the minimum required information (such as your mobile number for airtime or meter number for electricity) to fulfil your transaction.

6.3 Other Third Parties

• Identity verification providers — to validate KYC documents and perform facial matching against your ID photograph.

• Cloud infrastructure providers — to host and secure our application infrastructure. Data is stored on servers located in South Africa or jurisdictions with adequate data protection laws.

• Law enforcement and regulators — where required by law, court order, or regulatory demand (e.g., the Financial Intelligence Centre).

We do not sell your personal information to any third party. We do not share your information for third-party marketing purposes without your explicit consent.

7. CircleAether Mesh Networking

SDPKT uses CircleAether, a decentralised mesh networking protocol, to provide connectivity when you do not have access to the internet. This section explains how your data is handled within the mesh network.

7.1 How Mesh Networking Works

CircleAether enables your device to communicate with our servers via other nearby devices using Bluetooth Low Energy (BLE), Wi-Fi Direct, or other local communication technologies. When you have no internet connection, your encrypted data packets may be relayed through other users' devices to reach a gateway node that has internet connectivity.

7.2 Data Protection in the Mesh

• End-to-end encryption: All data transmitted through the mesh network is encrypted end-to-end. Relay nodes cannot read, modify, or access the content of your data.

• No persistent storage on relay nodes: Data packets are held in memory only for the duration of relay and are not written to storage on any intermediary device.

• Anonymised routing: Relay nodes see only anonymised routing metadata (packet ID, hop count, TTL). They cannot identify the sender, recipient, or content of any relayed data.

• Your device as a relay: If you have connectivity, your device may relay encrypted data packets for other users. You cannot access the content of relayed packets. You may earn small incentive payments for relay participation.

7.3 Opting Out of Mesh Relay

You can disable your device's participation as a relay node in Settings > Privacy without affecting your ability to use SDPKT. Disabling relay participation means your device will not forward data for other users, but you may still use the mesh network to send your own data when you lack internet connectivity.

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

• Account information: Retained for the duration of your account and for 5 years after account closure, as required by FICA.

• KYC documents: Retained for 5 years after the end of the business relationship, in compliance with FICA Section 22.

• Transaction records: Retained for 5 years from the date of the transaction, as required by FICA and the Tax Administration Act.

• Biometric data (server-side): Facial verification data is retained only until KYC verification is complete, after which only the verification result (pass/fail) is stored.

• Communication records: Support correspondence is retained for 3 years. In-app messages are subject to your configured message retention settings.

• Analytics data: Anonymised and aggregated within 12 months of collection.

When personal information is no longer required, it is securely deleted or anonymised in accordance with our data destruction procedures.

9. Data Security

In compliance with Section 19 of POPIA, we implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or damage:

• Encryption in transit: All communications between the App and our servers use TLS 1.2 or higher encryption.

• Encryption at rest: Sensitive data is encrypted at rest using industry-standard AES-256 encryption.

• Multi-factor authentication: Account access is protected by phone number verification (OTP), biometric authentication, and push-to-app approval.

• Tokenisation: Payment card details are tokenised by our payment gateway partners and are never stored on our servers.

• Access controls: Employee access to personal information is restricted on a need-to-know basis and subject to audit logging.

• Regular security assessments: We conduct periodic vulnerability assessments and penetration testing of our systems.

10. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights. You may exercise these rights by contacting us at support@sdpkt.co.za:

a. Right of access (Section 23): You may request confirmation of whether we hold personal information about you, and request a copy of such information.

b. Right to correction (Section 24): You may request that we correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.

c. Right to deletion (Section 24): You may request deletion of your personal information, subject to our legal retention obligations under FICA and other legislation.

d. Right to object (Section 11(3)): You may object to the processing of your personal information on reasonable grounds, unless legislation provides for such processing.

e. Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

f. Right to lodge a complaint (Section 74): You have the right to lodge a complaint with the Information Regulator if you believe your personal information has been processed in violation of POPIA.

Regulator: The Information Regulator (South Africa)

Email: complaints.IR@justice.gov.za

Website: https://inforegulator.org.za

11. Cross-Border Data Transfers

We primarily store and process your personal information within the Republic of South Africa. Where it is necessary to transfer your personal information to a jurisdiction outside South Africa, we will ensure that:

• The recipient country has adequate data protection legislation as contemplated in Section 72 of POPIA; or

• The recipient is bound by a binding agreement or binding corporate rules that provide an adequate level of protection; or

• You have provided your explicit consent to the transfer; or

• The transfer is necessary for the performance of our contract with you.

12. Children's Information

SDPKT is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18 without verifiable parental or guardian consent, as required by Section 35 of POPIA.

If we become aware that we have collected personal information from a child under 18 without appropriate consent, we will take steps to delete that information as soon as reasonably practicable. If you believe a child has provided us with personal information, please contact us at support@sdpkt.co.za.

13. Automated Decision-Making

We may use automated decision-making processes for the following purposes:

• KYC verification: Automated comparison of your selfie against your ID document photograph.

• Fraud detection: Automated monitoring of transaction patterns to identify potentially fraudulent activity.

• Transaction limits: Automated application of wallet and transaction limits based on your KYC verification level.

In accordance with Section 71 of POPIA, you have the right not to be subject to a decision based solely on automated processing that significantly affects you. You may request human review of any automated decision by contacting our support team.

14. Direct Marketing

In compliance with Section 69 of POPIA, we will only send you direct marketing communications (including promotional offers, new feature announcements, and partner promotions) if you have given us your explicit opt-in consent.

You may withdraw your consent to direct marketing at any time by:

• Adjusting your notification preferences in Settings > Notifications

• Using the unsubscribe link in any marketing email

• Contacting us at support@sdpkt.co.za

Please note that transactional communications (such as payment confirmations and security alerts) are not considered direct marketing and cannot be opted out of, as they are essential to the operation of your account.

15. Cookies and Tracking Technologies

When you access SDPKT through a web browser, we may use cookies and similar technologies to:

• Essential cookies: Maintain your session and authentication state. These are strictly necessary and cannot be disabled.

• Analytics cookies: Understand how you use the App to improve our services. These are only enabled with your consent.

We do not use third-party advertising cookies or cross-site tracking technologies.

16. Data Breach Notification

In accordance with Sections 21 and 22 of POPIA, if we become aware of a security compromise that results in unauthorised access to your personal information and there are reasonable grounds to believe that the breach may cause you harm, we will:

1. Notify the Information Regulator as soon as reasonably possible.

2. Notify you directly via your registered contact details (push notification, SMS, or email).

3. Provide details of what information was affected, what steps we have taken, and what you can do to protect yourself.

4. Take immediate action to contain the breach and prevent further compromise.

17. Account Closure and Data Deletion

You may request closure of your SDPKT account at any time. Upon account closure:

• Any remaining wallet balance must be withdrawn or transferred before closure.

• Your account will be deactivated immediately and your personal information will be flagged for deletion.

• Information subject to legal retention requirements (FICA, tax records) will be retained for the legally mandated period and then securely deleted.

• Information not subject to legal retention will be deleted within 30 days of account closure.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes:

• We will notify you via the App (push notification or in-app banner) at least 30 days before the changes take effect.

• The "Last updated" date at the top of this policy will be revised.

• Continued use of SDPKT after the effective date constitutes acceptance of the updated policy.

19. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of South Africa, including but not limited to the Protection of Personal Information Act 4 of 2013 (POPIA), the Electronic Communications and Transactions Act 25 of 2002 (ECTA), and the Financial Intelligence Centre Act 38 of 2001 (FICA).

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the Republic of South Africa.

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal information, please contact us:

Company: The Other Bhengu (PTY) Ltd t/a The Geek

Email: support@sdpkt.co.za

In-App: Help & Support > Contact Us

We will respond to all data subject requests within 30 days, or inform you if we require an extension, as required by POPIA.