1. Introduction
Flamingo Pay (Pty) Ltd (“Flamingo”, “we”, “us”, “our”) is committed to protecting the privacy and personal information of our merchants, their customers, and all users of our platform.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), the Financial Intelligence Centre Act 38 of 2001 (FICA), and the Electronic Communications and Transactions Act 25 of 2002 (ECTA).
By registering for a Flamingo merchant account or using our platform, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal information as described herein.
2. Responsible Party and Information Officer
The responsible party for the processing of your personal information is Flamingo Pay (Pty) Ltd, Registration Number 2026/276925/07, A23 10th Ave, Edenburg, Rivonia, Sandton, 2091, Gauteng, South Africa.
Our designated Information Officer is Shawn Henderson, and our Compliance Officer is Siphokazi Gazi, reachable at compliance@flamingopay.co.za.
The Information Officer is responsible for ensuring compliance with POPIA, responding to data subject requests, and liaising with the Information Regulator.
3. Personal information we collect
We collect and process the following categories of personal information:
| Category | Examples | Purpose |
|---|---|---|
| Identity | Full name, ID number, selfie photograph | FICA KYC verification, account creation |
| Contact | Phone, email, physical address | Communication, support, address verification |
| Financial | Bank account details, transaction history, settlement records | Payment processing, settlement, fee calculation |
| Technical | Device type, OS version, IP address, app version | Platform functionality, security, troubleshooting |
| Location | GPS coordinates (when permitted) | Service delivery, fraud prevention |
| Usage | Login times, feature usage, transaction patterns | Service improvement, analytics, risk monitoring |
We collect personal information directly from you (during registration and use of the platform), from third parties (identity verification services, credit bureaus, sanctions lists), and automatically through your use of the app and platform.
4. How we use your personal information
We process your personal information for these lawful purposes under POPIA:
- Contract performance (Section 11(1)(b)): to provide the Flamingo payment service, process transactions, and settle funds to your bank account.
- Legal obligation (Section 11(1)(c)): to comply with FICA KYC/AML requirements, tax obligations, and regulatory reporting (including suspicious transaction reporting to the FIC).
- Legitimate interest (Section 11(1)(f)): to prevent fraud, monitor risk, improve our services, and conduct analytics.
- Consent (Section 11(1)(a)): for marketing communications and optional features. You may withdraw consent at any time.
We will not process your personal information for purposes incompatible with those listed above without your additional consent.
6. Cross-border transfers
All personal information is stored on servers located within the Republic of South Africa (AWS Africa Cape Town region). We do not transfer personal information outside of South Africa as a matter of standard practice.
In the unlikely event that a cross-border transfer becomes necessary (for example, to comply with international regulatory requirements), we will ensure adequate safeguards as required by Section 72 of POPIA — including confirming the recipient country has adequate data protection laws or obtaining your explicit consent.
7. Data retention
We retain your personal information for the following periods:
| Data | Period | Legal basis |
|---|---|---|
| KYC/Identity records | 5 years after account closure | FICA Section 22 |
| Transaction records | 5 years after the transaction | FICA Section 22, Tax Administration Act |
| Financial/tax records | 5 years (or as required by SARS) | Tax Administration Act, Companies Act |
| Marketing preferences | Until consent is withdrawn | POPIA Section 11(1)(a) |
| Technical/usage logs | 12 months | Legitimate interest |
After the applicable retention period, personal information will be permanently and securely deleted or de-identified so it can no longer be linked to you.
8. Security measures
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction, or alteration, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Access controls and role-based permissions for all staff accessing personal information;
- Regular security assessments and penetration testing;
- Secure coding practices and code review processes;
- Staff training on data protection and information security;
- Incident response and breach notification procedures; and
- Physical security of server infrastructure (AWS managed).
While we take all reasonable steps to protect your information, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet or stored electronically.
9. Your rights under POPIA
As a data subject, you have the following rights:
- Right to access (Section 23): request confirmation of whether we hold your personal information and request a copy.
- Right to correction (Section 24): request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading personal information.
- Right to deletion (Section 24): request deletion of your personal information where we no longer have a lawful basis for processing it, subject to legal retention requirements.
- Right to object (Section 11(3)): object to the processing of your personal information on reasonable grounds relating to your particular situation.
- Right to withdraw consent: where processing is based on consent, withdraw at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to complain (Section 74): lodge a complaint with the Information Regulator if you believe your rights have been infringed.
To exercise any of these rights, contact our Information Officer at compliance@flamingopay.co.za. We will respond within 30 days. We may charge a reasonable fee for access requests as permitted under POPIA, and will inform you of any applicable fee before processing your request.
10. Direct marketing
We will only send you direct marketing communications (promotions, product updates, partner offers) with your explicit opt-in consent.
You may opt out of marketing communications at any time by: using the unsubscribe link in any marketing email, toggling marketing preferences in the Flamingo app, or contacting us at support@flamingopay.co.za.
Opting out of marketing does not affect transactional communications (payment confirmations, settlement notifications, security alerts, regulatory notices), which are essential to the service.
12. Children’s information
The Flamingo platform is not intended for use by persons under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly.
13. Data breach notification
In the event of a data breach that compromises your personal information and poses a risk of harm, Flamingo will notify the Information Regulator as soon as reasonably possible in accordance with Section 22 of POPIA, notify affected data subjects with details of the breach and mitigation steps, and take all reasonable steps to contain the breach, investigate the cause, and prevent recurrence.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. Material changes will be communicated with at least 30 days’ notice via email, push notification, or in-app notice. The latest version will always be available on the Flamingo website.
15. Contact us
Flamingo Pay (Pty) Ltd
Information Officer: Shawn Henderson · Compliance Officer: Siphokazi Gazi
- Compliance: compliance@flamingopay.co.za
- Support: support@flamingopay.co.za
- Phone: 063 947 7208
You may also contact the Information Regulator (South Africa) directly at enquiries@inforegulator.org.za or via www.justice.gov.za/inforeg.