Vault22

Privacy Policy

1. About This Policy

This Privacy Policy ("Policy") sets forth the standards and principles governing the collection, use, disclosure, retention, transfer, and safeguarding of Personal Data by 22seven (Pty) Ltd, trading as Vault22, a private company incorporated in South Africa (Registration Number: 2023/181742/07), and Vault22 Financial Ltd, an entity incorporated in the Dubai International Financial Centre ("DIFC") and authorised and regulated by the Dubai Financial Services Authority ("DFSA") (Firm Reference Number: F006841) (together, "Vault22," "we," "us," or "our"), which are direct subsidiaries of Vault22 Solutions Holdings Ltd. (DIFC Registration Number: 8385).

This Policy has been adopted to ensure compliance with:

  • the Protection of Personal Information Act, 4 of 2013 (South Africa) ("POPIA");
  • the Financial Advisory and Intermediary Services Act, 37 of 2002 (South Africa) ("FAIS");
  • the DIFC Data Protection Law, DIFC Law No. 5 of 2020 ("DP Law");
  • applicable DFSA Rules, and any directives, circulars, or guidelines issued thereunder; and any other applicable domestic or international legal instruments regulating the collection, use, or transfer of Personal Data (collectively, "Applicable Law").

By accessing, browsing, or otherwise utilising our website at www.vault22.io ("Website"), our mobile application ("Mobile App"), or any other online or offline channel, portal, or platform operated by Vault22 (together, the "Service Channels"), you expressly acknowledge, understand, and consent to the terms of this Policy.

If you do not agree with the provisions of this Policy, you must immediately discontinue use of the Service Channels and refrain from furnishing any Personal Data to Vault22.

This Policy applies to all natural persons and juristic persons (where legally recognised) who interact with Vault22, whether as clients, counterparties, prospective clients, suppliers, service providers, contractors, or otherwise ("Data Subjects").

In the event of any merger, acquisition, restructuring, business combination, corporate reorganisation, assignment, sale, or transfer of control involving Vault22, all rights and obligations set out herein shall accrue to the successor entity, which shall be bound to comply with the terms of this Policy and Applicable Law.

2. Definitions

Unless expressly stated otherwise, terms used herein shall bear the following meanings:

"Applicable Law": All laws, regulations, rules, directives, codes, circulars, and requirements of competent governmental, supervisory, or regulatory authorities having jurisdiction over Vault22, including without limitation POPIA, FAIS, DP Law, and DFSA Rules.

"Consent": The voluntary, specific, and informed expression of will, by statement or by clear affirmative action, signifying agreement to the Processing of Personal Data.

"Controller / Responsible Party": Vault22, in its capacity as the entity determining the purposes and means of Processing Personal Data.

"Data Subject" / "You": A natural or juristic person to whom Personal Data relates.

"Information Officer / Data Protection Officer": The individual formally appointed by Vault22 under POPIA and DP Law to oversee compliance, maintain data inventories, respond to regulator inquiries, and act as point of contact for Data Subjects.

"Operator / Processor": A natural or juristic person or third-party service provider engaged by Vault22 to Process Personal Data on its behalf, subject to binding contractual obligations.

"Personal Data": Any information relating to an identified or identifiable natural person or juristic person (to the extent protected by Applicable Law), including without limitation names, contact details, identification numbers, financial details, transactional data, biometric identifiers, and Special Personal Data.

"Processing": Any operation performed upon Personal Data, whether or not by automated means, including but not limited to collection, recording, organisation, storage, adaptation, retrieval, consultation, use, dissemination, restriction, erasure, or destruction.

"Special Personal Data": Categories of data accorded enhanced protection under POPIA and DP Law, including information relating to race, ethnicity, political affiliation, religious or philosophical beliefs, trade union membership, health status, sex life, genetic or biometric data, and criminal behaviour.

"Service Channels": Collectively, the Website, Mobile App, robo-advisory functionality, client portals, and all associated communication and transaction platforms operated by Vault22.

"Third Party Service Provider": Any external vendor, subcontractor, or affiliate engaged by Vault22 to perform services that involve Processing Personal Data, whether regulated or unregulated.

"Vault22": Collectively refers to 22seven (Pty) Ltd (South Africa), Vault22 Financial Ltd (DIFC), and Vault22 Solutions Holdings Ltd., together with their directors, officers, employees, successors, and assigns.

3. Security Commitment

Vault22 undertakes to implement and maintain adequate, reasonable, and appropriate technical, organisational, and physical security measures to protect Personal Data against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use. Such measures include, but are not limited to:

  • strong encryption protocols, intrusion detection systems, firewalls, and antivirus solutions;
  • role-based access restrictions and multi-factor authentication;
  • physical access controls, CCTV monitoring, and secure data centre environments;
  • background verification of personnel with access to sensitive systems;
  • recurring penetration testing, vulnerability assessments, and compliance audits;
  • binding confidentiality undertakings and data processing agreements with Third Party Service Providers.

Vault22 expressly disclaims absolute security guarantees, recognising that no system is impervious to compromise. Nevertheless, Vault22 shall comply with all requirements of Applicable Law to minimise risk and ensure lawful Processing.

Vault22's Processing of Personal Data is undertaken strictly as a Controller/Responsible Party under Applicable Law and does not create, expressly or implicitly, any fiduciary obligations toward any Data Subject. Vault22 does not assume fiduciary responsibilities in relation to data accuracy, completeness, timeliness, or ongoing monitoring beyond obligations imposed by Applicable Law.

4. Information Collected

Vault22 may collect, record, store, and otherwise Process the following categories of Personal Data:

Identification & Account Data: Full names, contact details, addresses, national ID or passport numbers, biometric identifiers, login credentials, photographs.

Financial & Transactional Data: Bank account details, payment card information, balances, credit histories, debit orders, tax identifiers, trading positions, portfolio information.

Regulatory Verification Data: AML/KYC documents (utility bills, proof of residence, source of funds declarations).

Device & Technical Data: IP addresses, operating systems, browser types, device identifiers, GPS location data (subject to Consent), network metadata.

Demographic & Behavioural Data: Marital status, number of dependants, income, employment, browsing patterns, preferences.

Special Personal Data: Health, race, religious affiliation, biometric data, and criminal history (collected only with explicit Consent or lawful basis).

Publicly Available or Third-Party Data: Information obtained from regulators, credit bureaus, service providers, or public registers.

Vault22 relies on the accuracy and completeness of Personal Data provided by Data Subjects and third parties. Vault22 does not warrant the accuracy, currency, or authenticity of externally sourced Personal Data and shall not be liable for any inaccuracies resulting from third-party or user-provided information.

5. Purposes of Processing

Vault22 shall Process Personal Data strictly for lawful purposes, including but not limited to:

  • performing contractual obligations and delivering requested services;
  • onboarding, AML/KYC compliance, and regulatory reporting (under DFSA, FAIS, and anti-money laundering frameworks);
  • fraud prevention, monitoring, and risk management;
  • communicating with clients (including service updates, regulatory notices, and marketing communications subject to Consent);
  • conducting research, analytics, and product development;
  • enforcing Vault22's rights, defending against claims, and complying with judicial or regulatory processes.

Processing activities undertaken by Vault22 are based on one or more lawful grounds under POPIA and DP Law, including:

  • (i) Consent;
  • (ii) performance of a contract;
  • (iii) compliance with legal obligations;
  • (iv) legitimate interests pursued by Vault22 or a third party; and
  • (v) protection of vital interests.

Vault22 is not required to obtain Consent where another lawful basis applies.

5.1 Automated Processing

Vault22 may utilise automated processing, machine-learning models, risk-scoring algorithms, and profiling tools for purposes including identity verification, fraud detection, AML/KYC assessments, suitability assessments (where applicable), transaction monitoring, and service optimisation. Automated outcomes may affect service eligibility or risk classification. Data Subjects may request human intervention, contest automated decisions, or obtain clarification, subject to limitations under Applicable Law.

5.2 Third-Party AI Services

Vault22 utilises third-party artificial intelligence ("AI") services to support its in-app financial assistant, Tara AI, and to enhance product functionality, including the provision of financial insights and customer support.

Third-Party AI Provider:

  • Anthropic (Claude) — used to support Tara AI, Vault22's conversational financial assistant.

Where third-party AI services are used, Vault22 ensures that:

  • data is processed strictly for defined and limited purposes related to the functionality of the service;
  • appropriate contractual, technical and organisational safeguards are in place in accordance with applicable data protection laws, including DIFC Data Protection Law;
  • sensitive personal data is minimised and, where appropriate, subject to anonymisation or aggregation prior to processing; and
  • no client assets or custody-related data is transferred to or controlled by third-party AI providers.

Tara AI operates as an informational tool only and does not execute transactions, provide discretionary investment management, or act as a regulated decision-maker.

6. Disclosure and Sharing

Personal Data may be disclosed to:

  • Vault22 group affiliates under intra-group transfer agreements;
  • employees and contractors subject to confidentiality restrictions;
  • Third Party Service Providers engaged under data processing agreements;
  • third-party AI service providers (including Anthropic) for the purposes described in Section 5.2, subject to explicit Consent;
  • regulatory and governmental authorities (e.g., DFSA, Information Regulator, SARS, FIC, DIFC Commissioner of Data Protection) as required by law;
  • counterparties in corporate transactions (mergers, acquisitions, restructurings);
  • third parties where explicit Consent has been obtained;
  • other parties as required by Applicable Law.

7. Cross-Border Transfers

Personal Data may be transferred to, and stored in, jurisdictions outside South Africa and the DIFC. Such transfers shall only occur where:

  • the destination jurisdiction is recognised as providing an adequate level of protection under POPIA or DP Law;
  • standard contractual clauses, binding corporate rules, or equivalent safeguards are in place; or
  • a derogation applies under Applicable Law (including explicit Consent, contractual necessity, or regulator-approved mechanisms).

Cross-border transfers do not imply that the destination jurisdiction offers protections identical to South Africa or the DIFC. Vault22 disclaims any guarantee regarding foreign government surveillance laws, extraterritorial access regimes, or regulatory practices that may differ from Applicable Law.

8. Retention and Disposal

Vault22 retains Personal Data only for so long as necessary to fulfil the purposes set forth in this Policy or as required under Applicable Law (typically a minimum of 6 years). Upon expiry of retention periods, Personal Data shall be securely destroyed, deleted, or irreversibly anonymised. Where Vault22 reasonably believes that Personal Data may be relevant to actual or anticipated litigation, investigation, regulatory inquiry, or enforcement process, Vault22 may suspend ordinary retention periods and preserve such data until the matter is resolved.

9. Data Subject Rights

Subject to limitations under Applicable Law, Data Subjects enjoy the following rights:

  • Access: to obtain confirmation and a copy of Personal Data held.
  • Correction: to rectify inaccuracies.
  • Erasure: to request deletion, subject to statutory retention obligations.
  • Restriction: to limit Processing in certain circumstances.
  • Portability: to receive Personal Data in a structured, machine-readable format.
  • Objection: to object to Processing for legitimate interest or marketing.
  • Consent Withdrawal: to revoke previously granted Consent, without affecting prior lawful Processing.
  • Complaint: to lodge complaints with the Information Regulator (South Africa) or the DIFC Commissioner of Data Protection.

The exercise of Data Subject rights may be restricted where necessary to:

  • (i) comply with legal obligations;
  • (ii) protect the rights of other individuals;
  • (iii) preserve confidentiality obligations;
  • (iv) maintain regulatory audit trails; or
  • (v) safeguard investigative or fraud-prevention processes.

Vault22 may refuse manifestly unfounded, excessive, or repetitive requests.

10. Cookies and Tracking

Vault22 employs cookies, tags, pixels, and similar technologies for operational, analytical, and advertising purposes. These may be disabled in browser settings, although certain functionalities may be impaired. Certain tracking tools may collect behavioural or technical data that constitutes Personal Data under Applicable Law. Vault22 shall not be liable for limited loss of functionality where Data Subjects disable such tools, nor for failures by third-party technology providers whose cookies or SDKs operate subject to their own privacy policies.

11. Breach Notification

Vault22 shall notify the competent supervisory authorities and affected Data Subjects, without undue delay, in the event of a Personal Data breach that results in a high risk to rights and freedoms, in accordance with POPIA and DP Law. Vault22 shall notify Data Subjects only where required under Applicable Law. Vault22 disclaims responsibility for notifying Data Subjects where:

  • (i) the breach does not meet legal reporting thresholds;
  • (ii) the supervisory authority instructs otherwise; or
  • (iii) notification would prejudice security or investigations.

12. Third-Party Links

Service Channels may contain hyperlinks to third-party websites or applications. Vault22 disclaims responsibility for the privacy practices or content of such third parties. Vault22 shall not be liable for acts, omissions, breaches, or failures of Third Party Service Providers where such parties act independently, contrary to instructions, or outside the scope of binding processing agreements. Data Subjects must review third-party privacy practices independently.

13. Relationship with Terms of Service

This Policy is incorporated into, and shall be read together with, Vault22's Terms of Service. In case of conflict, this Policy prevails with respect to data protection matters.

14. Amendments

Vault22 reserves the right to amend this Policy at any time, subject to Applicable Law. Material amendments shall be communicated via Service Channels or electronic notice. Continued use of Service Channels constitutes acceptance of amended terms.

15. Contact Details

Vault22 Data Protection Officer

Email: support@vault22.io

South Africa: Innovation City Darter Studios, Darter Road, Longkloof, Gardens, Cape Town, 8001

DIFC: Innovation Hub, Office 705, DIFC, Dubai, UAE

16. Governing Law and Jurisdiction

For services rendered in or from South Africa, this Policy shall be governed by and construed in accordance with the laws of the Republic of South Africa, and disputes shall be subject to the exclusive jurisdiction of the South African courts.

For services regulated by the DFSA and rendered in or from the DIFC, this Policy shall be governed by and construed in accordance with the laws of the DIFC, with disputes subject to the exclusive jurisdiction of the DIFC Courts, including the Small Claims Tribunal for claims below AED 1,000,000.

Where both South African and DIFC/Data Protection laws apply simultaneously, Vault22 shall determine in good faith the governing legal framework based on the location of service delivery, regulatory licensing requirements, and the nature of Processing. This determination shall be final unless overridden by a competent authority.