Purpose and scope
This privacy and data protection policy sets out how Beanstalk - Informed Online Investment uses and protects any information that you give the company when you engage with Beanstalk either via our website, email, video conferencing, events, telephonic engagement, services or in any other way. This policy applies to all Personal Data we process regardless of the media on which that data is stored or whether it relates to past or present clients, website users or any other Data Subject.
Beanstalk is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when engaging with us, then you can be assured that it will only be used in accordance with this privacy statement.
We comply with South African data protection legislation - the Protection of Personal Information Act (POPIA) and where applicable, the EU's General Data Protection Regulation (GDPR). As such, we have strict security procedures in place in respect of both the storage and the disclosure of any information that you have provided to us.
Please note, Beanstalk never shares any information about you with any unaffiliated third party unless authorised by you or required to do so by law or compliance with our regulatory obligations.
Beanstalk - Informed Online Investment has appointed an Information Officer who is a senior person in Beanstalk, who will be responsible for ensuring that Beanstalk has been properly informed and trained on ensuring the safekeeping and protection of Information in Beanstalk and that the required processes are implemented to ensure compliance. The Information Officer, Andrew Mobbs can be contacted on 021 687 0116 or Email: email@example.com.
What purpose do we collect information for?
We will collect Information from you for various purposes, including the following:
- Internal record keeping.
- Ensuring compliance with legislation that requires specific information to be collected.
- To provide product services as requested by you under the contract entered into with us.
- Improving services and product offerings to you.
- Providing information and resources most relevant and helpful to you.
- Appointing suitable individuals/companies to provide financial services/products to you.
- We may periodically send promotional emails about new services, special offers or other information which we think you may find interesting using the email address which you have provided.
- From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone or mail. We may use the information to customise the website according to your interests.
- All data processed by the Beanstalk is done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
- Beanstalk will only collect personal data for specified, explicit and legitimate purposes. Data will not be further processed in any manner incompatible with these purposes.
- Beanstalk cannot use your Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained, unless your consent is received.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to you based on your consent, the option for you to revoke your consent will be clearly available and systems are in place to ensure such revocation is reflected accurately in Beanstalk's systems.
What information we collect
Beanstalk collects information in various ways e.g. directly from individuals (for example, when purchasing a financial product, registering an account, using a product, or signing up for a newsletter), from employers, publicly available information, through cookies, and/or similar technology. Where possible, Beanstalk must inform you of which information you are legally required to provide to Beanstalk, and which information is optional.
Beanstalk shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
We may collect the following information:
- Your personal contact details as well as demographic information such as your name, age, gender, nationality, email, ID, telephone number etc. We may also collect details about your visits to our website for marketing stats and in order to improve our services.
- When you visit our website we may collect your IP (internet protocol) address and information about your device, browser as well as your location.
- Where you fill out our web form/ application forms etc. to apply to be a client of Beanstalk, we may also collect your financial information, financial services experience and other information required for account set up including but not limited to, your employment details, sources of funds, bank and credit card details etc.
- Beanstalk may supplement the information with other information received from other companies and/or organizations such as the South African Revenue Services (SARS) in order to enable Beanstalk to render suitable and proper services to you.
- We may also process your identification documents submitted at the time of registration to perform Know Your Customer checks as well as identity verifications. (If you visit our premises, we may have photos or videos recorded of you.)
- If you are a registered client or have used any of our services, we may process your email behaviour i.e., if and when you have read our emails and how. We may also process data you have shared on public websites or social media.
What we do with the information we gather
- We process your data in accordance with South African law as well as other applicable laws (for example GDPR where applicable). Across our business practices we ensure that your data is processed fairly and lawfully. Furthermore we make sure that your data is processed for the purposes it was originally collected for, kept up to date, relevant and not excessive, not kept longer than necessary and kept secure by adopting best industry practises.
- You consent to Processing of your Personal Data if you indicate agreement clearly either by a statement or positive action to the Processing.
- Beanstalk will only process personal data when performing services or going about business related to the contract entered into.
- Individuals have the right to access their personal data and any such requests made to the Beanstalk shall be dealt with in a timely manner.
- Beanstalk shall take reasonable steps to ensure Personal Data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that Personal Data is kept up to date.
- You will be required to ensure that your Personal Data that we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collect it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
We do not share or sell your information other than as described in our policy. As a responsible FSP authorised and regulated by the FSCA, we ensure our business practices and data processing activities are in compliance with the regulations and our data processing staff well-trained in processing your information. Furthermore, we have adopted sound technical and compliance procedures to avoid loss, destruction, unauthorised access or omission to your data. Our partners and third-party processors are all bound by strict data protection obligations through data processing contracts.
Beanstalk shall apply the following measure to ensure security of Personal Information:
- Beanstalk will take all reasonable precautions to protect Information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
- Beanstalk will not sell, rent, or lease mailing lists with Information to third parties and will not make your Information available to any unaffiliated parties, except for approved agents, suppliers and contractors, or as otherwise specifically provided for, as agreed with you or as required in terms of any Law.
- Beanstalk takes reasonable steps to protect Personal Information, which is held in a firewalled server. Beanstalk can however not guarantee the security of information transmitted to it electronically from you and you do so at their own risk. Beanstalk maintains administrative, technical and physical safeguards to ensure protection of Information against loss, misuse or unauthorized access, disclosure, alteration or destruction of the information provided to Beanstalk by you or your employer.
- Beanstalk may store and process Information in systems located outside Beanstalk's premises or your home country. However, regardless of where storage and processing may occur, Beanstalk takes appropriate steps to ensure that Information is protected as required under relevant Data Protection/Privacy laws.
- Beanstalk limit access to your personal Information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal Information on our instructions and they are subject to a duty of confidentiality.
- When personal data is deleted this is done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions are in place.
- We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
- Your access to some of Beanstalk's services and content may be password protected and non-disclosure of such usernames and passwords are required to ensure the safekeeping of your Information. The safe-guarding of your login details is your responsibility. It is important that you sign out and close the browser of the account or service at the end of each session.
- Beanstalk is legally obliged to provide adequate protection of Information, hold and prevent unauthorised access and use of Information, Beanstalk is therefore committed to ensure that all your Information will be kept safe and secure and not be disclosed to any unauthorized third parties, without the consent of the relevant person/body.
- Persons/Employees/Parties (as applicable) are not allowed to disclose any Information to any unauthorized third party as it may lead to a breach, disciplinary action and possible dismissal.
- Beanstalk seeks to ensure compliance with Data Protection/Privacy regulations, laws and industry best practices in respect of the security of your Personal Information. Where you are located in another country with other data protection/privacy laws, Beanstalk may transfer Personal Information to such other countries but they may not always guarantee the same level of protection for Personal Information as the one in which you reside (despite Beanstalk's best endeavours to ensure protection of Information). By providing information to Beanstalk, you consents to these transfers.
Sharing of your information
- We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you, in the context of a possible restructuring of the business or where we have another legitimate interest in doing so.
- We may share your information with third-party processors that are contracted to Beanstalk for the provision of services such as: identity verification, fraud/ sanctions screening, digital agencies, hosting providers, liquidity providers and other technical partners, banks, online payment service providers, legal advisors, regulators, law enforcement agencies or other legal bodies for crime prevention or national security.
- All our third-party service providers and other entities are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
- You may only share the Personal Data we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
- Data may be transferred across borders to the countries with different level of protections. Data transfers outside SA may be for the purpose of administration or storage. Where transfers are made outside of SA, we ensure all adequacy measures are satisfied for the security of your personal information. Where reasonably possible, we may pseudonmyise or minimise data for protection.
Storage and retention of your information
Beanstalk may retain personal information for purposes of reporting, administration, monitoring its website or to communicate with you.
- Beanstalk will not keep Personal Data in an identifiable form for longer than necessary for the purposes for which the data is processed.
- Beanstalk will maintain retention policies and procedures to ensure your Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. We may be legally obliged to retain data for longer purposes such as 5 years past date of termination of agreement under Anti-Money Laundering regulations and FAIS regulations.
- You will be informed of the period for which data is stored and how that period is determined, as the need arises or a change in the contractual relationship requires it.
- Beanstalk has appointed an Information Officer accountable for data privacy.
- Beanstalk implement Privacy by Design when processing Personal Data and complete DPIA (Data Protection Impact Assessment) where processing presents a high risk to your rights and freedoms.
- Beanstalk have integrated data protection into internal documents and conduct training of employees on the POPIA and GDPR elements.
- Beanstalk conduct testing of privacy measures implemented and conduct periodic reviews to assess compliance.
- Generally Automated Decision-Making (ADM) is prohibited when a decision has a legal or similar significant effect on an individual unless:
- you have explicitly consented
- the processing is authorised by law; or
- the processing is necessary for the performance of or entering into a contract.
If certain types of Sensitive Data are being processed, then grounds (2) or (3) will not be allowed but such Sensitive Data can be Processed where it is necessary (unless less intrusive means can be used) for substantial public interest like fraud prevention.
Should any ADM be required, Beanstalk will inform you of the logic involved in the decision making or profiling, the significance and envisaged consequences and give you the right to request human intervention, express your point of view or challenge the decision.
Controlling your personal information
As a Responsible Party we respect your right to privacy and all other rights as set forth in the data protection law. If we process data about you, you have the right to request or access information we hold about you. In order to access your information you can (log into the 'Client Portal') or send us a request at firstname.lastname@example.org.
If you believe that any information we are holding on you is incorrect or incomplete, please email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect. Beanstalk will take all reasonable steps to confirm your identity before making changes to Information.
Where your data is shared with a third-party, we shall contact them for deletion unless this proves impossible or involves disproportionate effort.
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not typically a condition of your engagement with us that you agree to any request for consent from us.
You may choose to restrict the collection or use of your personal information in the following ways:
- Whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes.
- In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us via email on email@example.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
Your rights to how your data is processed
You have rights when it comes to how we handle your Personal Data. These include rights to:
- withdraw Consent to Processing at any time;
- receive certain information about our Processing activities;
- request access to your Personal Data that we hold;
- prevent our use of your Personal Data for direct marketing purposes;
- ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
- restrict Processing in specific circumstances;
- challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
- request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- object to decisions based solely on Automated Processing, including profiling (ADM);
- prevent Processing that is likely to cause damage or distress to you or anyone else;
- be notified of a Personal Data Breach which is likely to result in high risk to your rights and freedoms;
- make a complaint to the supervisory authority; and
- in limited circumstances, receive or ask for your Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
Beanstalk will take reasonable measures to ensure the verification of identity of an individual requesting data under the rights listed above, before any request is actioned or authorised.
Cross-border transfers and limitations
Data may be transferred across borders to the countries with different level of protections. Data transfers outside SA may be for the purpose of administration or storage. Our database development and management teams are located in South Africa. In limited circumstances, we may share your data with staff located in subsidiary locations (if applicable) for administration purposes or in order to process your instructions. Where transfers are made outside of South Africa, we ensure all adequacy measures are satisfied for the security of your personal information. Where reasonably possible, we may pseudonmyise or minimise data for protection. In some circumstances, we may share your data with entities in our group and staff for administration purposes or in order to process your instructions.
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country. We may only transfer Personal Data outside the EEA if one of the following conditions applies:
- the European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects' rights and freedoms;
- appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPM;
- you have provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
- the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and you, reasons of public interest, to establish, exercise or defend legal claims or to protect your vital interests where you are physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.
Unless we can rely on another legal basis of Processing, Explicit Consent is usually required for Processing Sensitive Personal Data, for Automated Decision-Making and for cross border data transfers. Usually we will be relying on another legal basis (and not require Explicit Consent) to Process most types of Sensitive Data. Where Explicit Consent is required, we must issue a Fair Processing Notice to you to capture Explicit Consent.
What is Automated Decision-Making (ADM)
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration.
- Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal Information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
How we use web usage information
Beanstalk may track information about your usage and visits on the Beanstalk website. This Information may be stored in usage or web server logs, which are records of the activities on Beanstalk's services, products and/or sites. Beanstalk's's servers automatically capture and save such Information electronically. Some examples of the Information that may collected include your:
- Unique Internet protocol address;
- Name of your unique Internet Service Provider;
- The city, province, and country from which you accesses Beanstalk's website;
- The kind of browser or computer used;
- The number of links clicked within the site;
- The date and time of visits to the site;
- The web page from which you arrived on Beanstalk's site;
- The pages you viewed on the site;
- Certain searches/queries conducted on the site via Beanstalk's services, products and/or websites.
- The information collected in usage or web server logs help Beanstalk's to administer the services, products and sites, analyse its usage, protect the product and/or website and content from inappropriate use and improve the user's experience.
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Limitation of Liability
The Privacy and Data Protection Policy does not form part of Beanstalks Terms and Conditions of Use. It is however recommended reading for all website users. Whilst every reasonable care has been taken to ensure the accuracy of the information contained in the above policy, we do not guarantee its accuracy nor that it will remain accurate as technology changes.
Beanstalk will not be liable for any losses or damage arising from reliance being placed upon the contents of this policy.
We have put in place procedures to deal with any suspected Personal Data breach and will promptly assess the risk to your rights and freedoms and notify you or any applicable regulator where we are legally required to do so.
If you know or suspect that a Personal Data breach has occurred, immediately contact us and preserve all evidence relating to the potential Personal Data Breach.
Changes to this Policy
We reserve the right to change this Privacy and Data Protection Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Privacy and Data Protection Policy.
This Privacy and Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates. Unless otherwise stated, the current version of this policy will supersede and replace all previous versions of the policy.
If you have any queries with regards to how we handle your information, require access to your personal information or in case you have complaints, please send us an email to firstname.lastname@example.org
If your complaint is not dealt with adequately by the Beanstalk team, you can direct your complaint to the Information Regulator directly, using the details below.
The Information Regulator (South Africa)
33 Hoofd Street
Forum III, 3rd floor Braampark
P.O. Box 31533
Mr Marks Thibela
Chief Executive Officer
Tel No. +27 (0) 10 023 5200, Cell No. +27 (0) 82 746 4173
Complaints email: compliants.IR@justice.gov.za
General enquiries email: email@example.com