Privacy policy

This confirms that your information belongs to you,
we won’t use it to spam you.

Privacy policy version 2.9, effective 30 September 2025.
Privacy policy version 2.8, effective 25 February 2025.
We will notify you whenever we make updates.

1. About this policy

1.1. This Privacy Policy (“Policy”) sets forth the standards and principles governing the collection, use, disclosure, retention, transfer, and safeguarding of Personal Data by 22seven (Pty) Ltd, trading as Vault22, a private company incorporated in South Africa (Registration Number: 2023/181742/07), and Vault22 Financial Ltd, an entity incorporated in the Dubai International Financial Centre (“DIFC”) and authorised and regulated by the Dubai Financial Services Authority (“DFSA”) (Firm Reference Number: F006841) (together, “Vault22,” “we,” “us,” or “our”), which are direct subsidiaries of Vault22 Solutions Holdings Ltd. (DIFC Registration Number: 8385).

1.2. This Policy has been adopted to ensure compliance with:
1.2.1 the Protection of Personal Information Act, 4 of 2013 (South Africa) (“POPIA”);
1.2.2 the Financial Advisory and Intermediary Services Act, 37 of 2002 (South Africa) (“FAIS”);
1.2.3 the DIFC Data Protection Law, DIFC Law No. 5 of 2020 (“DP Law”);
1.2.4 applicable DFSA Rules, and any directives, circulars, or guidelines issued thereunder; and
1.2.5 any other applicable domestic or international legal instruments regulating the collection, use, or transfer of Personal Data (collectively, “Applicable Law”).

1.3. By accessing, browsing, or otherwise utilising our website at www.vault22.io/za (“Website”), our mobile application (“Mobile App”), or any other online or offline channel, portal, or platform operated by Vault22 (together, the “Service Channels”), you expressly acknowledge, understand, and consent to the terms of this Policy.

1.4. If you do not agree with the provisions of this Policy, you must immediately discontinue use of the Service Channels and refrain from furnishing any Personal Data to Vault22.

1.5. This Policy applies to all natural persons and juristic persons (where legally recognised) who interact with Vault22, whether as clients, counterparties, prospective clients, suppliers, service providers, contractors, or otherwise (“Data Subjects”).

1.6. In the event of any merger, acquisition, restructuring, business combination, corporate reorganisation, assignment, sale, or transfer of control involving Vault22, all rights and obligations set out herein shall accrue to the successor entity, which shall be bound to comply with the terms of this Policy and Applicable Law.

2. Definitions

Unless expressly stated otherwise, terms used herein shall bear the following meanings:

2.1 “Applicable Law”: All laws, regulations, rules, directives, codes, circulars, and requirements of competent governmental, supervisory, or regulatory authorities having jurisdiction over Vault22, including without limitation POPIA, FAIS, DP Law, and DFSA Rules.

2.2 “Consent”: The voluntary, specific, and informed expression of will, by statement or by clear affirmative action, signifying agreement to the Processing of Personal Data.

2.3 “Controller / Responsible Party”: Vault22, in its capacity as the entity determining the purposes and means of Processing Personal Data.

2.4 “Data Subject” / “You”: A natural or juristic person to whom Personal Data relates.

2.5 “Information Officer / Data Protection Officer”: The individual formally appointed by Vault22 under POPIA and DP Law to oversee compliance, maintain data inventories, respond to regulator inquiries, and act as point of contact for Data Subjects.

2.6 “Operator / Processor”: A natural or juristic person or third-party service provider engaged by Vault22 to Process Personal Data on its behalf, subject to binding contractual obligations.

2.7 “Personal Data”: Any information relating to an identified or identifiable natural person or juristic person (to the extent protected by Applicable Law), including without limitation names, contact details, identification numbers, financial details, transactional data, biometric identifiers, and Special Personal Data.

2.8 “Processing”: Any operation performed upon Personal Data, whether or not by automated means, including but not limited to collection, recording, organisation, storage, adaptation, retrieval, consultation, use, dissemination, restriction, erasure, or destruction.

2.9 “Special Personal Data”: Categories of data accorded enhanced protection under POPIA and DP Law, including information relating to race, ethnicity, political affiliation, religious or philosophical beliefs, trade union membership, health status, sex life, genetic or biometric data, and criminal behaviour.

2.10 “Service Channels”: Collectively, the Website, Mobile App, robo-advisory functionality, client portals, and all associated communication and transaction platforms operated by Vault22.

2.11 “Third Party Service Provider”: Any external vendor, subcontractor, or affiliate engaged by Vault22 to perform services that involve Processing Personal Data, whether regulated or unregulated.

2.12 “Vault22”: Collectively refers to 22seven (Pty) Ltd (South Africa), Vault22 Financial Ltd (DIFC), and Vault22 Solutions Holdings Ltd., together with their directors, officers, employees, successors, and assigns.

3. Our commitment to security

3.1 Vault22 undertakes to implement and maintain adequate, reasonable, and appropriate technical, organisational, and physical security measures to protect Personal Data against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use. Such measures include, but are not limited to:

3.1.1 strong encryption protocols, intrusion detection systems, firewalls, and antivirus solutions;

3.1.2 role-based access restrictions and multi-factor authentication;

3.1.3 physical access controls, CCTV monitoring, and secure data centre environments;

3.1.4 background verification of personnel with access to sensitive systems;

3.1.5 recurring penetration testing, vulnerability assessments, and compliance audits;

3.1.6 binding confidentiality undertakings and data processing agreements with Third Party Service Providers.

3.2 Vault22 expressly disclaims absolute security guarantees, recognising that no system is impervious to compromise. Nevertheless, Vault22 shall comply with all requirements of Applicable Law to minimise risk and ensure lawful Processing.

4. Information we collect and receive

4.1 Vault22 may collect, record, store, and otherwise Process the following categories of Personal Data:

4.1.1 Identification & Account Data: Full names, contact details, addresses, national ID or passport numbers, biometric identifiers, login credentials, photographs.

4.1.2 Financial & Transactional Data: Bank account details, payment card information, balances, credit histories, debit orders, tax identifiers, trading positions, portfolio information.

4.1.3 Regulatory Verification Data: AML/KYC documents (utility bills, proof of residence, source of funds declarations).

4.1.4 Device & Technical Data: IP addresses, operating systems, browser types, device identifiers, GPS location data (subject to Consent), network metadata.

4.1.5 Demographic & Behavioural Data: Marital status, number of dependants, income, employment, browsing patterns, preferences.

4.1.6 Special Personal Data: Health, race, religious affiliation, biometric data, and criminal history (collected only with explicit Consent or lawful basis).

4.1.7 Publicly Available or Third-Party Data: Information obtained from regulators, credit bureaus, service providers, or public registers.

5. Purposes of Processing

5.1. Vault22 shall Process Personal Data strictly for lawful purposes, including but not limited to:

5.1.1 performing contractual obligations and delivering requested services;

5.1.2 onboarding, AML/KYC compliance, and regulatory reporting (under DFSA, FAIS, and anti-money laundering frameworks);

5.1.3 fraud prevention, monitoring, and risk management;

5.1.4 communicating with clients (including service updates, regulatory notices, and marketing communications subject to Consent);

5.1.5 conducting research, analytics, and product development;

5.1.6 enforcing Vault22’s rights, defending against claims, and complying with judicial or regulatory processes.

6. Disclosure and Sharing

6.1 Personal Data may be disclosed to:

6.1.1 Vault22 group affiliates under intra-group transfer agreements;

6.1.2 employees and contractors subject to confidentiality restrictions;

6.1.3 Third Party Service Providers engaged under data processing agreements;

6.1.4 regulatory and governmental authorities (e.g., DFSA, Information Regulator, SARS, FIC, DIFC Commissioner of Data Protection) as required by law;

6.1.5 counterparties in corporate transactions (mergers, acquisitions, restructurings);

6.1.6 third parties where explicit Consent has been obtained;

6.1.7 other parties as required by Applicable Law.

7. Cross-Border Transfers

7.1 Personal Data may be transferred to, and stored in, jurisdictions outside South Africa and the DIFC. Such transfers shall only occur where:

7.1.1 the destination jurisdiction is recognised as providing an adequate level of protection under POPIA or DP Law;

7.1.2 standard contractual clauses, binding corporate rules, or equivalent safeguards are in place; or

7.1.3 a derogation applies under Applicable Law (including explicit Consent, contractual necessity, or regulator-approved mechanisms).

8. Retention and Disposal

Vault22 retains Personal Data only for so long as necessary to fulfil the purposes set forth in this Policy or as required under Applicable Law (typically a minimum of 6 years). Upon expiry of retention periods, Personal Data shall be securely destroyed, deleted, or irreversibly anonymised.

9. Data Subject Rights

9.1 Subject to limitations under Applicable Law, Data Subjects enjoy the following rights:

9.1.1 Access: to obtain confirmation and a copy of Personal Data held.

9.1.2 Correction: to rectify inaccuracies.

9.1.3 Erasure: to request deletion, subject to statutory retention obligations.

9.1.4 Restriction: to limit Processing in certain circumstances.

9.1.5 Portability: to receive Personal Data in a structured, machine-readable format.

9.1.6 Objection: to object to Processing for legitimate interest or marketing.

9.1.7 Consent Withdrawal: to revoke previously granted Consent, without affecting prior lawful Processing.

9.1.8 Complaint: to lodge complaints with the Information Regulator (South Africa) or the DIFC Commissioner of Data Protection.

10. Cookies and Tracking

Vault22 employs cookies, tags, pixels, and similar technologies for operational, analytical, and advertising purposes. These may be disabled in browser settings, although certain functionalities may be impaired.

11. Breach Notification

Vault22 shall notify the competent supervisory authorities and affected Data Subjects, without undue delay, in the event of a Personal Data breach that results in a high risk to rights and freedoms, in accordance with POPIA and DP Law.

12. Third-Party Links

Service Channels may contain hyperlinks to third-party websites or applications. Vault22 disclaims responsibility for the privacy practices or content of such third parties.

13. Relationship with Terms of Service

This Policy is incorporated into, and shall be read together with, Vault22’s Terms of Service. In case of conflict, this Policy prevails with respect to data protection matters.

14. Amendments

Vault22 reserves the right to amend this Policy at any time, subject to Applicable Law. Material amendments shall be communicated via Service Channels or electronic notice. Continued use of Service Channels constitutes acceptance of amended terms.

15. Contact information

Vault22 Data Protection Officer
Email: support@vault22.io

South Africa: Innovation City Darter Studios, Darter Road, Longkloof, Gardens, Cape Town, 8001

DIFC: Unit 813, Gate Village 10, DIFC, Dubai, UAE

17. Governing Law and Jurisdiction

17.1 For services rendered in or from South Africa, this Policy shall be governed by and construed in accordance with the laws of the Republic of South Africa, and disputes shall be subject to the exclusive jurisdiction of the South African courts.

17.2 For services regulated by the DFSA and rendered in or from the DIFC, this Policy shall be governed by and construed in accordance with the laws of the DIFC, with disputes subject to the exclusive jurisdiction of the DIFC Courts, including the Small Claims Tribunal for claims below AED 1,000,000.
Personal Information
Can Vault22 staff see your Personal Information?
No, except our support team if you ask for help
Is your Personal Information deleted when you close your profile?
Yes
Collection and Use of Personal Information and data
Do we ever share or sell your personal information?
Yes, to our authorised Service Providers and Partners
Can anyone see your personal data in anonymised, aggregated data?
No
Do we encrypt and protect your Personal Information?
Yes
Is your Personal Information deleted if you delete the app from your device?
No, you must close your Vault22 profile
Do we retain your Personal Information for as long as we need it unless you ask us to delete it?
Yes
Do we use Cookies?
Yes
Privacy Policy Updates
Can we change our Privacy Policy?
Yes
Will we give you advance notice if we make changes to our Privacy Policy?
Yes
Communication
Do we send you communication about 22seven with an option to opt out?
Yes
Do we send you push notifications with an option to opt out?
Yes
Can you have your name removed from our public forum/message board?
Yes
Will we contact you to voluntarily participate in research to improve the service?
Yes, only with consent
