Legal & Compliance

Privacy Policy

Committed to safeguarding personal information in compliance with South Africa's Protection of Personal Information Act (POPIA).

Last Updated: May 29, 2026

1. Introduction

Welcome to Kredix ("we", "us", or "our"). We provide an intelligent, cloud-based debt resolution software platform built specifically for South African debt counselling companies, credit repair consultants, and debt practitioners.

This Privacy Policy outlines how we collect, use, store, share, and protect personal information processed in the course of providing our software-as-a-service (SaaS) application and website. We respect your privacy and are committed to complying with the **Protection of Personal Information Act, No. 4 of 2013 ("POPIA")**, the General Data Protection Regulation ("GDPR") where applicable, and any other relevant data protection legislation.

2. Definitions

  • "Client" refers to any individual (data subject) who is onboarding or receiving debt resolution services from a Practitioner through the Kredix platform.
  • "Practitioner" (or "Customer") refers to a debt counsellor, consultant, agency, or team member registered to use our platform to manage their clients' cases.
  • "Personal Information" means information relating to an identifiable, living, natural person, or where applicable, an identifiable, existing juristic person, as defined under Section 1 of POPIA.
  • "POPIA" refers to the Protection of Personal Information Act, No. 4 of 2013 of South Africa.
  • "NuPay" refers to Altron NuPay (Pty) Ltd, the integrated payment service provider used for DebiCheck mandate registration and tracking.

3. Key Roles (Responsible Party vs. Operator)

Understanding the distinction in POPIA roles is critical to how personal information is processed on our platform:

We Act as an Operator (For Client Data)

When a Practitioner uploads, inputs, or syncs their Client's Personal Information (such as financial metrics, bank accounts, or identity documents) into Kredix, the Practitioner/Company remains the Responsible Party. Kredix acts as an Operator in terms of Section 1 of POPIA, processing this data strictly on behalf of and in accordance with the instructions of the Practitioner.

We Act as a Responsible Party (For Practitioner Data)

For the Personal Information of Practitioners registered on our system (e.g., account credentials, email addresses, usage logs, billing information), Kredix acts as the Responsible Party. We determine the purpose and means of processing this account metadata.

4. Personal Information We Process

The types of personal information processed on our platform include:

A. Account Metadata (Practitioners & Consultants)

  • Full name, email address, physical/postal address, and telephone number.
  • Company registration number and registered VAT number.
  • System access credentials (username, password hash).
  • Role details (Admin, Manager, or Consultant).
  • System activity logs (IP addresses, action history, audit trails).

B. Client Data (On Behalf of Responsible Parties)

  • Identifying Information: Full names, South African identity number, date of birth, gender, and contact details (email, WhatsApp, phone numbers).
  • Financial & Employment Details: Income, expenses, debt accounts, credit bureau report details, employer name, employment status, and physical work address.
  • Banking Information: Bank name, account number, branch code, and account type (required to submit DebiCheck mandates).
  • DebiCheck Mandate Details: Instalment amounts, payment dates, tracking indicator values, contract reference numbers, mandate statuses (Accepted, Rejected, Pending), and settlement data from NuPay.
  • Case Records: Supporting documentation, debt review assesssment outcomes, mediation records, court applications, and correspondence history.

5. Purpose of Processing

We process Personal Information only for legitimate purposes aligned with our core operations:

DebiCheck Integration

Submitting mandate requests, updating contract parameters, and checking authentication statuses directly through the NuPay DebiCheck API.

Case Tracking & Management

Maintaining timelines, tracking sub-case statuses, and automating workflows for credit repair, debt mediation, and judgment removals.

Commission Reporting

Generating reports for Practitioners and individual Consultants based on successful DebiCheck mandates and settlement history.

Compliance & Audit Logging

Keeping secure, tamper-evident audit logs of platform actions to comply with regulatory audits, ensure security, and trace data access.

6. Third-Party Disclosures

We do not sell, rent, or trade personal information. However, to deliver our services, we share relevant information with verified third-party operators:

  • NuPay (Altron): Banking details and mandate configurations are transmitted directly to NuPay to process DebiCheck mandate authentication and track settlement logs.
  • Cloud Service Providers: The platform is hosted on secure Firebase and Google Cloud Platform infrastructure, ensuring database storage and automated function execution are handled within high-security environments.
  • Regulatory & Legal Authorities: If required to do so by law, court order, or by the National Credit Regulator (NCR) or South African Information Regulator.

7. Information Security

Kredix implements enterprise-grade technical and organizational measures to ensure the confidentiality, integrity, and availability of personal information:

Role-Based Access Control (RBAC)

Data access is strictly scoped by user roles. Consultants can only access client records and commission logs linked to their own accounts, while Managers and Admins have tiered team-wide access.

Data Encryption

All communication between users and our platform is encrypted in transit using Transport Layer Security (TLS 1.3), and all databases are encrypted at rest.

Audit Logging

Every sensitive action (onboarding clients, viewing bank details, modifying mandates) is logged in an immutable audit trail, recording the user identity, target entity, and timestamp.

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Account Metadata: Retained for the duration of the Practitioner’s active subscription and up to 12 months post-cancellation, unless statutory requirements dictate a longer period.
  • Client Information (Operator Data): Retained in accordance with the Responsible Party’s instructions. Upon contract termination or request, we will delete or return all client data, subject to any legally mandated record-keeping periods (such as requirements under the National Credit Act or FICA).

9. Data Subject Rights

Under POPIA, Data Subjects (including Practitioners and their Clients) have key rights regarding their personal information:

Access

Request confirmation of whether we hold personal information and obtain a record of that information.

Correction

Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out-of-date, or incomplete.

Objection

Object, on reasonable grounds, to the processing of personal information or object to direct marketing.

Complaint

Lodge a complaint with the South African Information Regulator regarding our processing of their personal information.

10. Contact Details

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact our Information Officer:

Information Officer
Kredix Compliance Department
Email: info@kredix.co.za
Website: www.kredix.co.za