ESPEES
ESPEES
P2P Exchange
Legal · POPIA

Privacy Policy

Last updated: 20 April 2026

ESPEES Exchange (Pty) Ltd (we, us) is the Responsible Party for the personal information we process about you. This notice explains what we collect, why, and your rights under the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Information Officer

Our Information Officer is registered with the Information Regulator of South Africa and can be contacted at privacy@espees.exchange.

2. Personal information we collect

  • Account data: name, email, phone, password (hashed), display name.
  • KYC data: ID number, date of birth, nationality, address, ID/passport image, selfie, source-of-funds documents.
  • Financial data: wallet balances, trade history, payment-method details (bank account, mobile money number).
  • Technical data: IP address, device, browser, timestamps, security logs.
  • Communications: in-trade chat, support tickets, dispute evidence.

3. Why we process it (lawful basis under POPIA s.11)

  • Contract: to operate your account, run trades and hold escrow.
  • Legal obligation: to comply with FICA, the FIC's directives, the South African Reserve Bank's crypto-asset framework, the Income Tax Act and court orders.
  • Legitimate interest: fraud prevention, security, risk management, product analytics.
  • Consent: marketing communications, optional features.

4. Special personal information

Biometric information from selfie verification is processed under POPIA s.27(1)(b) (compliance with an obligation of law — FICA). We do not sell or share biometric data with third parties for their own purposes.

5. Sharing

  • Operators (POPIA s.21): cloud hosting, KYC verification provider, email provider — bound by written agreements.
  • Authorities: the Financial Intelligence Centre, SARS, SARB, SAPS, courts and regulators where lawfully required.
  • Counterparties: your display name, KYC tier and payment-method label are visible to your trading counterparty for the duration of a trade.

6. Cross-border transfers (POPIA s.72)

Some Operators are located outside South Africa. We only transfer personal information to jurisdictions with comparable data-protection laws, or under binding contractual safeguards, or with your consent.

7. Retention

We retain account and transaction records for at least five (5) years after the end of the business relationship, as required by FICA s.42. KYC records may be retained for longer where required by law or for the establishment, exercise or defence of legal claims.

8. Security

We apply appropriate technical and organisational measures (POPIA s.19): TLS in transit, encryption at rest, role-based access, 2FA, withdrawal PINs, audit logging. Notwithstanding, no system is completely secure; you must protect your credentials.

9. Your rights (POPIA Chapter 3)

  • Access — request a copy of the personal information we hold (s.23).
  • Correction or deletion of inaccurate, irrelevant, excessive, out-of-date or unlawfully obtained data (s.24).
  • Object to processing based on legitimate interest or for direct marketing (s.11(3)).
  • Withdraw consent (where processing is based on consent).
  • Lodge a complaint with the Information Regulator: inforegulator.org.za · complaints.IR@justice.gov.za.

10. Direct marketing

We will only send electronic marketing in line with POPIA s.69 and ECTA s.45 — to existing customers about similar services or with your opt-in consent. Every message has an unsubscribe link.

11. Automated decision-making

Trade-risk scoring may be automated. You may request human review of any decision that has a legal or similarly significant effect on you (POPIA s.71).

12. Children

The Platform is not intended for persons under 18. We do not knowingly process personal information of children.

13. Changes

We will notify you of material changes by email and on this page at least 14 days before they take effect.

14. Contact

Information Officer · ESPEES Exchange (Pty) Ltd · privacy@espees.exchange.