ECT Act Compliance.

Flamingo Pay (Pty) Ltd (“Flamingo”, “we”, “us”, “our”) operates an electronic payment platform that facilitates QR-based payments between merchants and buyers using PayShap instant payments through Ozow.

As a provider of electronic transactions and services, we are subject to the Electronic Communications and Transactions Act 25 of 2002 (“ECT Act” or “ECTA”). This page explains how we comply with our obligations under the ECT Act and sets out the information we are required to disclose to you.

The ECT Act establishes the legal framework for electronic communications and transactions in South Africa, including the validity of electronic agreements, consumer protection in e-commerce, data protection requirements, and the legal recognition of data messages and electronic signatures.

The ECT Act applies to Flamingo Pay because we:

• Provide an electronic platform for commercial transactions between merchants and buyers (Chapter VII — Consumer Protection)
• Facilitate automated electronic payment transactions via QR codes and the PayShap network (Part 2 — Automated Transactions)
• Generate, send, receive, and store data messages including payment confirmations, receipts, and transaction records (Chapter III — Facilitation of Electronic Transactions)
• Collect, process, and store personal information electronically (Chapter VIII — Protection of Personal Information)
• Operate a website that offers goods and services to persons within the Republic of South Africa (Section 42)

The ECT Act works alongside POPIA, FICA, and the Consumer Protection Act. Where these laws overlap, we comply with all applicable requirements. Our Privacy Policy, Merchant Terms, CPA page, and Data Processing Agreements provide further detail on our compliance with these related laws.

Section 43(1) of the ECT Act requires any person offering goods or services for sale, hire, or exchange by way of an electronic transaction to make certain information readily available on their website. In compliance with this requirement, we disclose the following:

The ECT Act recognises the legal validity of data messages — information generated, sent, received, or stored by electronic means. Flamingo Pay generates several types of data messages in the course of its operations:

• Payment confirmations: When a buyer completes a payment, both the buyer and merchant receive electronic confirmation of the transaction. These data messages constitute valid proof of payment under Section 11.
• Transaction receipts: Digital receipts are generated for every payment, containing the transaction reference, amount, date, merchant name, and payment status. These are available for download and are legally equivalent to paper receipts (Section 12).
• Merchant notifications: Real-time notifications of incoming payments sent to merchant devices constitute data messages acknowledging receipt of payment.
• KYC and compliance communications: Identity verification requests, compliance notifications, and account status updates sent electronically to merchants.

Under Section 13, a data message is regarded as having been received when the complete data message enters an information system designated or used by the addressee, and is capable of being retrieved. Our platform timestamps all data messages and maintains delivery records.

Section 20 of the ECT Act provides that an electronic transaction is not without legal force and effect merely because it was conducted by means of a data message or because a natural person was not involved in the formation of the agreement.

Flamingo Pay's payment process is an automated transaction:

• A buyer scans a merchant's QR code, which automatically generates a payment request with the correct amount and merchant details
• The buyer confirms payment through their banking app via PayShap
• Ozow processes the payment automatically and notifies both parties
• Transaction fees are automatically calculated and deducted
• Settlement to the merchant is processed automatically

In accordance with Section 20(a), we ensure that the buyer has the opportunity to review and confirm the transaction amount before authorising payment. The buyer must actively confirm the payment in their banking app — no payment is processed without explicit buyer action.

Under Section 20(c), if an error is made during the automated transaction, the buyer may use our dispute resolution process to request correction or reversal.

Chapter VII of the ECT Act provides specific consumer protection measures for electronic transactions. As a facilitator of electronic payments, Flamingo Pay complies with the following requirements:

• Fair and accurate information (Section 42): All information about our services, fees, and terms is presented accurately and is not misleading. Pricing is displayed inclusive of VAT at all times.
• Disclosure requirements (Section 43): All mandatory disclosures are set out in Section 3 above.
• Right to cancel (Section 44): Section 44 grants consumers a 7-day cooling-off right for certain electronic transactions. The right runs between the buyer and the merchant who supplied the goods or services — Flamingo Pay is the payment facilitator, not the seller. In practice almost all payments on our network are face-to-face point-of-sale transactions (a buyer scanning a QR code at a spaza shop, taxi rank or street stall), which fall outside the scope of Section 44 and the related exemptions in s44(2). Where a buyer does have a Section 44 right against a merchant, the merchant processes the refund through our standard dispute resolution process.
• Performance (Section 46): Payments are processed in real-time via PayShap. Settlement to merchants occurs within the timeframe specified in our Merchant Terms.
• Applicability to South Africa (Section 47): Our platform is designed for and operates exclusively within South Africa. All transactions are denominated in South African Rand (ZAR) and processed through South African banking infrastructure.

For comprehensive consumer protection information including the Consumer Protection Act 68 of 2008, see our Consumer Protection page.

Section 43(3) requires that we clearly disclose the manner of payment and provide receipts for transactions. Flamingo Pay complies as follows:

• Payment methods:Payments are processed via two rails — (i) Visa and Mastercard card payments, with mandatory 3-D Secure cardholder authentication handled directly by the buyer’s issuing bank, and (ii) PayShap instant payments. The buyer scans a QR code and selects their preferred method. Card details and bank credentials are entered into the buyer’s bank or card-scheme environment — Flamingo Pay does not collect, store, or process the buyer’s primary account number (PAN), CVV, or bank login credentials.
• Transaction confirmation: Both the buyer and merchant receive real-time confirmation when a payment is successfully processed. The buyer sees an on-screen confirmation with the transaction reference, amount, and merchant details.
• Digital receipts: A digital receipt is generated for every transaction, including the transaction reference number, date and time, amount paid, merchant name, and payment status. The receipt is available for immediate download as a PNG image and auto-downloads after payment completion.
• Record access: Merchants can view their full transaction history through their dashboard. Buyers can retrieve transaction details using their reference number.

All prices displayed on the platform are inclusive of VAT (where applicable) in accordance with Section 43(2).

Sections 14 to 16 of the ECT Act set requirements for the retention of information in electronic form. We comply with these requirements as follows:

• Accessibility (Section 14(1)(a)): All electronic records are stored in a format that allows them to be accessed and reproduced in their original form. Transaction records, receipts, and account data remain accessible through our platform for the duration of the retention period.
• Integrity (Section 14(1)(b)): Records are stored in a manner that maintains the integrity of the original information. We use Upstash Redis with encryption at rest (AES-256) and in transit (TLS 1.2+) to ensure records are not altered after creation.
• Origin and destination (Section 14(1)(c)): Transaction records include the origin (buyer), destination (merchant), and timestamp of every data message, enabling identification of the parties and the date and time of the transaction.

Our retention periods are aligned with FICA requirements: financial transaction records, KYC documents, and compliance flags are retained for 5 years. Non-financial personal information is retained only for as long as necessary and can be deleted upon request — see our retention policy and DSAR process.

While the ECT Act's Chapter VIII on personal information protection has been largely superseded by POPIA, we maintain comprehensive security measures that satisfy both frameworks:

• Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). No unencrypted personal information traverses the internet.
• Access controls: Platform access is restricted by role-based authentication. Compliance portal access requires separate credentials. API access is authenticated via secure tokens.
• Payment security: Flamingo Pay does not store buyer bank account details. All payment processing is handled by Ozow, a PCI-DSS compliant, SARB-licensed Payment Service Provider.
• KYC document security: Identity documents submitted for merchant verification are processed through VerifyNow/XDS and stored in encrypted form with restricted access.
• Breach notification: In the event of a security compromise, we will notify affected parties and the Information Regulator as required by POPIA Section 22, within the timeframes mandated by law.

For full details on our security measures and third-party processor safeguards, see our Privacy Policy (Security) and Data Processing Agreements.

Chapter V of the ECT Act establishes the framework for cryptography providers and the use of encryption in South Africa. As it relates to Flamingo Pay:

• TLS encryption: All communications between users and our platform are secured using TLS (Transport Layer Security) certificates issued by trusted certificate authorities. This ensures confidentiality and integrity of data in transit.
• Data at rest: Personal information stored in our database is encrypted using AES-256, a widely recognised and approved encryption standard.
• Payment encryption: Payment data flowing between Flamingo Pay and Ozow is encrypted end-to-end. Buyer banking credentials never pass through our servers.
• Authentication tokens: Session tokens and authentication credentials are generated using cryptographically secure random number generators and are stored as secure, HTTP-only cookies.

Flamingo Pay does not itself act as a cryptography provider as defined in Section 29 of the ECT Act. We use standard, commercially available cryptographic tools and services provided by our hosting and infrastructure partners (Vercel, Upstash, Ozow).

Section 45 of the ECT Act restricts the sending of unsolicited commercial communications (spam). Flamingo Pay complies with this section as follows:

• No unsolicited marketing: We do not send unsolicited commercial communications. All marketing communications require prior opt-in consent.
• Transactional messages only: The communications we send to merchants and buyers are transactional in nature — payment confirmations, receipts, KYC status updates, compliance notifications, and dispute updates. These are not commercial communications under Section 45.
• Opt-out mechanism: Should we send any marketing communications in future, they will include a clear and functional opt-out mechanism as required by Section 45(1). Our Privacy Policy provides further detail on our direct marketing practices.
• Identification: All electronic communications from Flamingo Pay clearly identify us as the sender, in accordance with Section 45(3).

In accordance with the ECT Act's consumer protection provisions and Section 43(7) on alternative dispute resolution, Flamingo Pay offers the following avenues for resolving complaints:

• Step 1 — Direct resolution: Contact us at complaints@flamingopay.co.za or use our online dispute form. We aim to respond within 5 business days.
• Step 2 — Compliance escalation: If not resolved, escalate to our Compliance Officer, Siphokazi Gazi, at compliance@flamingopay.co.za.
• Step 3 — External bodies: If still unresolved, you may approach the following regulatory bodies:

For full details on our complaints process, see our CPA complaints section.

For questions about our ECT Act compliance, to exercise your consumer rights, or to report any concerns about our electronic transactions, contact:

• Information Officer: Shawn Henderson
• Compliance Officer: Siphokazi Gazi
• General enquiries: info@flamingopay.co.za
• Compliance & complaints: compliance@flamingopay.co.za
• Phone: 063 947 7208
• Registered address: A23 10th Ave, Edenburg, Rivonia, Sandton, 2091, Gauteng, South Africa
• CIPC Registration: 2026/276925/07