This Privacy Policy ("Policy") sets forth the standards and principles governing the collection, use, disclosure, retention, transfer, and safeguarding of Personal Data by 22seven (Pty) Ltd, trading as Vault22, a private company incorporated in South Africa (Registration Number: 2023/181742/07), and Vault22 Financial Ltd, an entity incorporated in the Dubai International Financial Centre ("DIFC") and authorised and regulated by the Dubai Financial Services Authority ("DFSA") (Firm Reference Number: F006841) (together, "Vault22," "we," "us," or "our"), which are direct subsidiaries of Vault22 Solutions Holdings Ltd. (DIFC Registration Number: 8385).
This Policy has been adopted to ensure compliance with:
By accessing, browsing, or otherwise utilising our website at www.vault22.io ("Website"), our mobile application ("Mobile App"), or any other online or offline channel, portal, or platform operated by Vault22 (together, the "Service Channels"), you expressly acknowledge, understand, and consent to the terms of this Policy.
If you do not agree with the provisions of this Policy, you must immediately discontinue use of the Service Channels and refrain from furnishing any Personal Data to Vault22.
This Policy applies to all natural persons and juristic persons (where legally recognised) who interact with Vault22, whether as clients, counterparties, prospective clients, suppliers, service providers, contractors, or otherwise ("Data Subjects").
In the event of any merger, acquisition, restructuring, business combination, corporate reorganisation, assignment, sale, or transfer of control involving Vault22, all rights and obligations set out herein shall accrue to the successor entity, which shall be bound to comply with the terms of this Policy and Applicable Law.
Unless expressly stated otherwise, terms used herein shall bear the following meanings:
"Applicable Law": All laws, regulations, rules, directives, codes, circulars, and requirements of competent governmental, supervisory, or regulatory authorities having jurisdiction over Vault22, including without limitation POPIA, FAIS, DP Law, and DFSA Rules.
"Consent": The voluntary, specific, and informed expression of will, by statement or by clear affirmative action, signifying agreement to the Processing of Personal Data.
"Controller / Responsible Party": Vault22, in its capacity as the entity determining the purposes and means of Processing Personal Data.
"Data Subject" / "You": A natural or juristic person to whom Personal Data relates.
"Information Officer / Data Protection Officer": The individual formally appointed by Vault22 under POPIA and DP Law to oversee compliance, maintain data inventories, respond to regulator inquiries, and act as point of contact for Data Subjects.
"Operator / Processor": A natural or juristic person or third-party service provider engaged by Vault22 to Process Personal Data on its behalf, subject to binding contractual obligations.
"Personal Data": Any information relating to an identified or identifiable natural person or juristic person (to the extent protected by Applicable Law), including without limitation names, contact details, identification numbers, financial details, transactional data, biometric identifiers, and Special Personal Data.
"Processing": Any operation performed upon Personal Data, whether or not by automated means, including but not limited to collection, recording, organisation, storage, adaptation, retrieval, consultation, use, dissemination, restriction, erasure, or destruction.
"Special Personal Data": Categories of data accorded enhanced protection under POPIA and DP Law, including information relating to race, ethnicity, political affiliation, religious or philosophical beliefs, trade union membership, health status, sex life, genetic or biometric data, and criminal behaviour.
"Service Channels": Collectively, the Website, Mobile App, robo-advisory functionality, client portals, and all associated communication and transaction platforms operated by Vault22.
"Third Party Service Provider": Any external vendor, subcontractor, or affiliate engaged by Vault22 to perform services that involve Processing Personal Data, whether regulated or unregulated.
"Vault22": Collectively refers to 22seven (Pty) Ltd (South Africa), Vault22 Financial Ltd (DIFC), and Vault22 Solutions Holdings Ltd., together with their directors, officers, employees, successors, and assigns.
Vault22 undertakes to implement and maintain adequate, reasonable, and appropriate technical, organisational, and physical security measures to protect Personal Data against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use. Such measures include, but are not limited to:
Vault22 expressly disclaims absolute security guarantees, recognising that no system is impervious to compromise. Nevertheless, Vault22 shall comply with all requirements of Applicable Law to minimise risk and ensure lawful Processing.
Vault22's Processing of Personal Data is undertaken strictly as a Controller/Responsible Party under Applicable Law and does not create, expressly or implicitly, any fiduciary obligations toward any Data Subject. Vault22 does not assume fiduciary responsibilities in relation to data accuracy, completeness, timeliness, or ongoing monitoring beyond obligations imposed by Applicable Law.
Vault22 may collect, record, store, and otherwise Process the following categories of Personal Data:
Identification & Account Data: Full names, contact details, addresses, national ID or passport numbers, biometric identifiers, login credentials, photographs.
Financial & Transactional Data: Bank account details, payment card information, balances, credit histories, debit orders, tax identifiers, trading positions, portfolio information.
Regulatory Verification Data: AML/KYC documents (utility bills, proof of residence, source of funds declarations).
Device & Technical Data: IP addresses, operating systems, browser types, device identifiers, GPS location data (subject to Consent), network metadata.
Demographic & Behavioural Data: Marital status, number of dependants, income, employment, browsing patterns, preferences.
Special Personal Data: Health, race, religious affiliation, biometric data, and criminal history (collected only with explicit Consent or lawful basis).
Publicly Available or Third-Party Data: Information obtained from regulators, credit bureaus, service providers, or public registers.
Vault22 relies on the accuracy and completeness of Personal Data provided by Data Subjects and third parties. Vault22 does not warrant the accuracy, currency, or authenticity of externally sourced Personal Data and shall not be liable for any inaccuracies resulting from third-party or user-provided information.
Vault22 shall Process Personal Data strictly for lawful purposes, including but not limited to:
Processing activities undertaken by Vault22 are based on one or more lawful grounds under POPIA and DP Law, including:
Vault22 is not required to obtain Consent where another lawful basis applies.
Vault22 may utilise automated processing, machine-learning models, risk-scoring algorithms, and profiling tools for purposes including identity verification, fraud detection, AML/KYC assessments, suitability assessments (where applicable), transaction monitoring, and service optimisation. Automated outcomes may affect service eligibility or risk classification. Data Subjects may request human intervention, contest automated decisions, or obtain clarification, subject to limitations under Applicable Law.
Vault22 utilises third-party artificial intelligence ("AI") services to support its in-app financial assistant, Tara AI, and to enhance product functionality, including the provision of financial insights and customer support.
Third-Party AI Provider:
Where third-party AI services are used, Vault22 ensures that:
Tara AI operates as an informational tool only and does not execute transactions, provide discretionary investment management, or act as a regulated decision-maker.
Personal Data may be disclosed to:
Personal Data may be transferred to, and stored in, jurisdictions outside South Africa and the DIFC. Such transfers shall only occur where:
Cross-border transfers do not imply that the destination jurisdiction offers protections identical to South Africa or the DIFC. Vault22 disclaims any guarantee regarding foreign government surveillance laws, extraterritorial access regimes, or regulatory practices that may differ from Applicable Law.
Vault22 retains Personal Data only for so long as necessary to fulfil the purposes set forth in this Policy or as required under Applicable Law (typically a minimum of 6 years). Upon expiry of retention periods, Personal Data shall be securely destroyed, deleted, or irreversibly anonymised. Where Vault22 reasonably believes that Personal Data may be relevant to actual or anticipated litigation, investigation, regulatory inquiry, or enforcement process, Vault22 may suspend ordinary retention periods and preserve such data until the matter is resolved.
Subject to limitations under Applicable Law, Data Subjects enjoy the following rights:
The exercise of Data Subject rights may be restricted where necessary to:
Vault22 may refuse manifestly unfounded, excessive, or repetitive requests.
Vault22 employs cookies, tags, pixels, and similar technologies for operational, analytical, and advertising purposes. These may be disabled in browser settings, although certain functionalities may be impaired. Certain tracking tools may collect behavioural or technical data that constitutes Personal Data under Applicable Law. Vault22 shall not be liable for limited loss of functionality where Data Subjects disable such tools, nor for failures by third-party technology providers whose cookies or SDKs operate subject to their own privacy policies.
Vault22 shall notify the competent supervisory authorities and affected Data Subjects, without undue delay, in the event of a Personal Data breach that results in a high risk to rights and freedoms, in accordance with POPIA and DP Law. Vault22 shall notify Data Subjects only where required under Applicable Law. Vault22 disclaims responsibility for notifying Data Subjects where:
Service Channels may contain hyperlinks to third-party websites or applications. Vault22 disclaims responsibility for the privacy practices or content of such third parties. Vault22 shall not be liable for acts, omissions, breaches, or failures of Third Party Service Providers where such parties act independently, contrary to instructions, or outside the scope of binding processing agreements. Data Subjects must review third-party privacy practices independently.
This Policy is incorporated into, and shall be read together with, Vault22's Terms of Service. In case of conflict, this Policy prevails with respect to data protection matters.
Vault22 reserves the right to amend this Policy at any time, subject to Applicable Law. Material amendments shall be communicated via Service Channels or electronic notice. Continued use of Service Channels constitutes acceptance of amended terms.
Vault22 Data Protection Officer
Email: support@vault22.io
South Africa: Innovation City Darter Studios, Darter Road, Longkloof, Gardens, Cape Town, 8001
DIFC: Innovation Hub, Office 705, DIFC, Dubai, UAE
For services rendered in or from South Africa, this Policy shall be governed by and construed in accordance with the laws of the Republic of South Africa, and disputes shall be subject to the exclusive jurisdiction of the South African courts.
For services regulated by the DFSA and rendered in or from the DIFC, this Policy shall be governed by and construed in accordance with the laws of the DIFC, with disputes subject to the exclusive jurisdiction of the DIFC Courts, including the Small Claims Tribunal for claims below AED 1,000,000.
Where both South African and DIFC/Data Protection laws apply simultaneously, Vault22 shall determine in good faith the governing legal framework based on the location of service delivery, regulatory licensing requirements, and the nature of Processing. This determination shall be final unless overridden by a competent authority.