XENA’s website and our services are not intended for children, and we do not knowingly collect data relating to children. XENA does not knowingly collect, use, or disclose personal information from or to children under age 18 without obtaining written, verifiable consent from a parent or legal guardian.
2. Contact Details
Retail Capital is made up of different legal entities consisting of:
- Retail Capital Limited
- First Asset Finance (Pty) Limited
- Fundrr (Pty) Limited
Address: 4th Floor, The Palms, 145 Sir Lowry Road Woodstock, 7915, Cape Town.
You have the right to make a complaint at any time to the Information Regulator (South Africa), the South African supervisory authority for data protection issues (www.inforegulator.org.za/). We would appreciate the chance to deal with your concerns before you approach the IRSA, so please contact us in the first instance.
4. Third-party links
Our website may contain links to and from the websites of our partner networks, advertisers, and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
5. Personal Information we collect about you
We will never intentionally collect any unnecessary personal information about you, and we do not process your information other than as specified in this policy.
Personal Information means any information about an identifiable, living individual or an identifiable, existing juristic person from which that individual or juristic person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal information about you which may include the following:
- your name, contact number, email address, date of birth, physical address, gender, passport or other identification details, financial information and your job title;
- information about the entity that you represent/your principal, its name, postal and email addresses, telephone numbers; type of entity such as company, partnership or sole proprietor; registration number; the date the business was started; its bank and routing number and account number; its bank statements and its management and/or audited accounts and its physical addresses;
- information about the directors, shareholders or members where you represent a company, partnership or other business, including their names, contact numbers, email addresses, dates of birth, physical addresses, gender, passport or other identification details, financial information;
- financial information (including details of card or other transactions);
- information obtained from credit reference agencies as described in more detail below;
- information that you provide when providing feedback or when you report a problem with our website; and
- information that you provide when you contact us, or we contact you. We may keep a record of that correspondence and information you disclose to us.
We also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal information, but is not considered personal information in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your website usage data to calculate the percentage of users accessing a specific website feature. If we combine or connect Aggregated Data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this privacy notice.
We do not collect any special categories of personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). We also do not collect any information about alleged criminal convictions and offences.
6. If you fail to provide personal information
Where we need to collect personal information by law or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to process your application or provide products or services to you.
7. Legal bases for processing
We will only use your personal information when the law allows us to. Generally, we do not rely on consent as a legal basis for processing your personal information, although you are entitled to object to the processing of your personal information where we are relying on a legitimate interest and where you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. You can exercise your rights any time by contacting us at the addresses provided above in this policy. We also process your personal information where we need to comply with a legal or regulatory obligation.
8. How is your personal information collected?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your personal information by filling in forms or by corresponding with us by phone, email or otherwise. This includes personal information you provide when you register to use our website, engage with learning content, purchase or subscribe to our products and services, search for a product, participate in discussion boards or other social media functions on our website, enter a competition, promotion or survey, and when you report a problem with our website;
- Automated technologies or interactions. We automatically collect technical data about your equipment, browsing actions and patterns as you use our website. We collect this personal information by using cookies and other similar technologies; and
- Third parties or publicly available sources. We also work closely with third parties (including, for example, business partners, sub-contractors or operators in technical and payment services, analytics providers, search information providers, credit reference agencies) and we may receive personal information about you from them where they are legally allowed to share your personal information with us.
9. Purpose for processing your personal information
We may use your personal information in the following ways:
- to process your application with us (or the application of a company or partnership to which you are connected) by registering you as a user and to evaluate whether we can provide the products or services that you require;
- to make, or cause searches to be made, at a credit reference agency, and other checks which we consider appropriate or necessary to perform our contractual obligations or to exercise our rights under a contract with you, to fulfil any of our legal obligations;
- to protect our legitimate interests on an ongoing basis, including for the purposes of fraud detection and credit risk management;
- to provide you with customer support;
- to ensure that content from our website is presented in the most effective manner for you and for your computer by monitoring and improving our services and customizing our website for you;
- to provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes or we have a legitimate interest to do so;
- to enable you to participate in interactive features of our service, when you choose to do so;
- to notify you about changes to our service;
- to perform our obligations and exercise our contractual rights; and/or
- for internal research purposes, general website administration, and demographic and statistical analysis of our service users.
10. When we may contact you
- where the data subject has given express consent to the processing of the personal information for one or more specific purposes to us; or
- where we believe that you have a legitimate interest in the communication. This will be because you:
- have previously utilised the services of Retail Capital;
- have indicated an interest in the financial products or services provided by Retail Capital; or
- may have a professional interest in Retail Capital and the services it provides.
If you are an existing customer, we may contact you by telephone, SMS, e-mail or by written material with information about goods and services similar to those which were the subject of a previous transaction or to deal with any requests for information or as a result of any breach of the terms of our contract with you.
The contacting of customers and relevant parties will be exercised on the following basis:
The above includes (but is not limited to) a customer abandoning an application online before submission, direct marketing, the previous provision of working capital, or where the customer has requested to be added to the communications and/or newsletter campaign emails. This would have been either by opting in to receive offers from Retail Capital or by opting in to receive such via third party collaborative competitions.
We strive to provide you with choices regarding certain personal information uses, particularly around marketing and advertising.
We may use your personal information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you. You will receive marketing communications from us if you have requested information from us or purchased products or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.
12. Opting out
You can ask us to stop sending you marketing messages at any time by following the opt-out or unsubscribe links on any marketing message sent to you. Where you opt-out of receiving these marketing messages, this will not apply to personal information provided to us as a result of a product/service purchase, product/service experience or other transactions.
13. Cookies and similar technologies
- To monitor site usage;
- To keep an audit trail;
- To understand visitors’ browsing habits;
- To analyse trends and demographic statistics; and/or
- To compile statistical reports.
Most internet browsers accept cookies by default; however, you can usually change your browser settings to reject cookies if you would prefer not to receive them. If you choose not to receive our cookies you will not be able to receive any personalized features and you may not be able to benefit from all our services.
14. Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
15. Disclosure of your personal information
- by a subpoena or court order;
- to comply with any law; or
- with other companies within the Retail Capital Group;
- with our service providers or operators under contract, as permitted by law;
- with credit reference agencies / bureaus to report account information, as permitted by law;
- with social media platforms when you use tools or functionality on our website provided by those platforms (such as “recommend” or “share” buttons);
- with marketing partners where you register for events, webinars;
- for business transactions like a merger, or sale of our assets, or as part of the due diligence for such contemplated transactions. If a corporate transaction occurs, we will provide notification of any changes to control of your personal information, as well as choices you may have;
- with your consent. For example, with your consent, we post user testimonials that may identify you; and
- with your organization where you create an account or user role with an email address assigned to you as an employee, representative, contractor or member of an organization, that organization may find your account and take certain actions that may affect your account.
We may also share your personal information:
We may need to disclose personal information to our employees that require personal information to perform their work. These include our responsible management, human resources, accounting, audit, compliance, information technology, or other personnel. Any of our employees or personnel that handle your personal information will be subject to a duty of non-disclosure and confidentiality.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
16. Credit Reference Agencies
In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs)”. When you apply for financial products from us, we may also carry out periodic searches at CRAs to manage your account.
Where the application is in the name of a company or close corporation, we will carry out credit and identity checks against the directors and shareholders or members of the company or close corporation. Where the application is in the name of a partnership or trust, we will carry out those checks against partners or trustees of the applicant and against any other connected members of the applicant(s).
To do this, we will supply your personal information to CRAs, and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- assess creditworthiness and affordability;
- verify accuracy of the data you have provided to us;
- prevent criminal activity, fraud, and money laundering
- manage your account;
- trace and recover debts; and
- ensure any offers provided to you are appropriate to your circumstances.
Using information in this way is necessary for our legitimate interests of managing our credit and regulatory risk. By submitting an application with us on behalf of a company, close corporation, trust or a partnership, you warrant that you have obtained consent from each director and/or shareholder of the company, alternatively from each member, trustee or partner of the close corporation, trust or partnership that you are acting for, so that we may carry out credit and identity checks at one or more CRAs.
We may continue to exchange information about you with CRAs while you have a relationship with Retail Capital. If you do not repay in full and on time, we are at liberty to report the same to the CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
17. International transfers
We may transmit or transfer personal information outside the Republic of South Africa to be stored on servers located outside the Republic where the laws protecting personal information may not be as stringent as the laws of the Republic.
Whenever we, or anyone we share your data with, transfer your personal information outside of the Republic, we ensure that appropriate measures are implemented and maintained so that the recipients of that data protect your personal information to the standard required in the Republic of South Africa.
You consent to us processing your personal information in a foreign country whose laws regarding the processing of personal information may be less stringent.
18. Data security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. We have put in place physical, electronic, and administrative safeguards that are designed to protect your personal information from loss, misuse and/or unauthorized access, disclosure, alteration, and destruction. We will notify you and any applicable regulator of a breach where we are legally required to do so. We execute regular penetration tests using third-party software in order to continually test and indicate the strength of our technical defences.
We have several layers of security measures in place to protect your information, including:
- an up-to-date anti-virus software to protect against viruses damaging data and infrastructure,
- periodic review of our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems; and
- housekeeping measures by regular backups, encryption, and network domain policy.
19. Data retention
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for.
We’ll keep records of any financial transactions, and details regarding the information that you provided to us while making an application for one of our products, for a minimum of 7 years from the end of our relationship with you. We need to do this so that we can respond to any complaints or disputes.
We’ll keep the information that’s needed to provide you with the service that you’ve requested for as long as it takes us to provide the services and for 7 years from termination of the contract for provision of the services.
If you’ve asked us not to use your details for marketing purposes, we will need to keep some details to make sure our systems and processes reflect your preferences. We will implement your opt-out request as quickly as possible. However, you may receive emails for up to 30 days, or marketing by post for up to 60 days, following your opt-out request. This is because our marketing campaigns are usually prepared in advance, and it is often not feasible to remove an individual’s details after this point.
In addition, we will retain any data about you which we need in order to comply with our legal obligations (for example applicable South African tax law).
20. Your personal information rights
Under the Protection of Personal Information Act you have a number of important rights free of charge. In summary, those include rights to:
- access to your personal information and to certain other supplementary information that this Policy is already designed to address;
- require us to correct any mistakes in your information which we hold;
- require the erasure of personal information concerning you in certain situations;
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format;
- object at any time to processing of personal information concerning you for direct marketing;
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
- object in certain other situations to our continued processing of your personal information;
- otherwise restrict our processing of your personal information in certain circumstances;
- where consent is our lawful basis for processing your personal information, withdraw such consent;
- claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, view the website of the Information Regulator (South Africa) at www.inforegulator.org.za/.
21. Promotion of Access to Information Act
The Promotion of Access to Information Act, 2000 (‘PAIA’) gives persons the right to access information that is required to exercise or protect their rights. In terms of PAIA, before access to information requested by persons is granted, certain requirements have to be met. PAIA also requires private bodies such as Retail Capital to compile a manual, designed to assist persons who want to exercise their right to access information. In general, you can visit our website without having to divulge any personal information about yourself. However, while using this website you may provide information about yourself or it may be collected by Retail Capital. Access to your personal information held by Retail Capital may also be requested by you or third parties. PAIA regulates and sets out the procedure for such a request and under what circumstances such access may be refused. The PAIA manual, the prescribed request form and information on applicable fees payable for access to this information, is available here.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
The time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
22. Automated decisions
As part of the processing of your personal information, decisions may be made by automated means.
We may automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity.
We make automated decisions based on the information that you provide, and that we gather from third parties, as part of your application to determine your financial profile. The outcome of these automated decisions may mean that we do not approve your application for one of our products.
These automated decisions use a statistical process based on your or your business’ historical transactions (details you have provided) and historical credit performance as a business and as an owner of a business (details you have provided and/or publicly available information). If you are an existing customer, the automated decisions will also take into account your performance of previous/current contractual obligations.