1.1. This end user agreement (“Agreement”) is an agreement between you (“you” or “User”) and Karri’s trading company (Education Payment Solutions Proprietary Limited in South Africa) (“Karri”, “we,” or “us”) and, to the extent expressly stated, our affiliates, who may differ across countries of operation.

This Policy explains how we obtain, use and disclose your personal information, in accordance with the requirements of the General Data Protection Regulation (“GDPR”), and in South Africa, the Personal Information Act (“POPIA”).

By registering with Karri, you hereby grant to Karri a right to process your Data to the extent reasonably required for the performance of Karri’s obligations and the exercise of Karri’s rights under this policy.

Karri (“we”, “us”) is committed to protecting your personal data and respects your privacy. 

This privacy policy covers the following:

•     Why we use your data
•     What data we process
•     How we use your data
•     Legal basis for processing your data
•     Your rights as a Data Subject
•     Data Retention
•     Sharing data with third parties
•     Privacy policy changes
•    Data Protection Officer

The Karri services provided to organisations and their subscribers are governed by a contract between us and the organisation (“Karri Customer”), and also the Terms and Conditions that you agree with when you sign up (“Karri User”).

We process your personal data for the following purposes:

•     to provide you with the Karri service signed up to
•     to verify your identity where required, for example when resolving any Karri User queries
•     for the ongoing administration of the service
•     for the fulfilment of anti financial crime controls
•     to allow us to improve the products and services we offer to our customers
•     to ask for your opinion about our products and service
•     for analytics on payment patterns.  We only use the data in an anonymized manner when we use your data for      this purpose.
•     to enable us to comply with our legal and regulatory obligations

We collect (either from the organisation and/or from you directly) and process the following information:

•     Member’s first name
•     Member’s last name
•     Member number (if relevant)
•     Subscriber’s first name
•     Subscriber’s last name
•     Subscriber’s username and password
•     Subscriber’s address
•     Subscriber’s mobile number
•     Subscriber’s email address
•     Subscriber’s transaction history
•     Subscriber’s payment card details
•     Organisation Staff first name
•     Organisation Staff last name
•     IP Address, web browser, cookies for website access
•     Hardware ID

Your personal information is processed by PCI Data Security Standards.  Data is stored encrypted in physically secure data-centres with multiple levels of redundancy and security features.  We are subject to regular security audits.

Karri only processes your personal information in country jurisdictions with rigorous Data Protection Laws.  At all times we ensure that adequate safeguards are in place and upheld in order to protect the confidentiality of your data.

We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into a or perform a contract with you, with your consent, and or for compliance with our legal obligations. We indicate the specific processing grounds we rely on next to each purpose listed below.

We use information we collect and receive:

• To facilitate account creation and logon process.
• To send you marketing and promotional communications
• To send administrative information to you.
• To enforce our terms, conditions, and policies.
• To respond to legal requests and prevent harm
• For other Business Purposes. We may use our information for other business purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaign and to evaluate and improve our Sites or Apps, products, services, marketing and your experience.

You have the right of access to your data.  Your information can be accessed directly through the app, else through Karri’s customer support channels.

You have the right to request that your personal information be corrected if required.  Your information can be accessed directly through the app, else through Karri’s customer support channels. 

Any requests for corrections to incorrect or inaccurate data are actioned within 48 hours.

You have the right to withdraw your consent to Karri processing your data; depending on the circumstances, we may or may not be obliged to action this request.

Where actioned, deletion of your personal information occurs within 48 hours.  Any transactional information relevant to you however must be retained for up to seven years for regulatory compliance.

You have the right to object to the processing of your information at any time; depending on the circumstances, we may or may not be obliged to action this request.

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller.

You have the right to lodge a complaint with the relevant supervisory authority if you believe we have infringed on your data protection or privacy. You can lodge your complaint in your country of residence, country of work or country where you believe we infringed your right(s).

You can exercise your rights by sending an e-mail to dpo@karripay.com. Please state clearly in the subject that your request concerns a privacy matter, and provide a clear description of your requirements.  Please note that we may need to request additional information in order to address your query.

We will only retain information for as long as is required for the fulfilment of services safely and securely. We may need to retain records for regulatory compliance fulfilment.  Accordingly certain records must be retained for an extended duration, which may be up to seven years.

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, and in compliance with POPIA and the General Data Protection Regulation (“GDPR”).

These service providers include:

•   Payment Processors – to securely process your card payments (we do not see, or store payment card details)
•   SMS Providers – to send out our SMS notifications or messages sent by Customers using the Karri platform
•   Push Notification Providers – Pushwoosh and Firebase SDKs used to log events and send push notifications within the Karri App.
•   Email Providers – to send out our email notifications or messages sent by Customers using the Karri platform
•   Hosting Providers – to manage our secure enterprise data centres
•   Security Providers – to protect our systems from attack
•   Telephony Providers – we might record calls for training, quality and security purposes
•   Chat Portal  – so that you can easily and safely and securely ask for help directly from our Customer Support team.
•   Cloud Hosting and Recovery
•   Security insight and system logging
•   Cloud email delivery
•   Anonymous Web Analytics
•   Feedback Platforms (Optional)

We may also have access to your personal information as part of delivering the service. If we need to change or add additional third parties, we will always update our Privacy Policy accordingly.

We will only disclose your information to other parties in the following limited circumstances

•     where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
•     where there is a duty to disclose in the public interest
•     where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud
•     where you give us permission to do so e.g. by providing consent within the Karri App

This policy is reviewed regularly.  Any changes will be posted on our website. We reserve the right to change, modify, add, or remove portions of these terms at any time. We will post a clear, easily accessible notification on the website if there are any changes made to these Terms.

Karri’s appointed Data Protection Officer (DPO) can be contacted at the below email address:dpo@karripay.com

This Privacy Policy is governed by the Laws of the Republic of South Africa.  You agree that any cause of action that may arise under this Privacy Policy shall be commenced and be heard in the appropriate court in South Africa. You agree to submit to the personal and exclusive jurisdiction of the courts located within South Africa.