PRIVACY NOTICE

Effective Date: 2nd September 2024

1. Introduction

• The purpose of this privacy notice is to provide you with information on how we collect and process your personal data when you use the ChitChat App and the payment services provided through it.
• We take your privacy seriously and understand that you will only continue to use our services if you have confidence in our ability to protect your personal data.

2. Our role as data controller

• Union Fiftyfour Limited (“we”, “our”, “us”), operating under the name ”ChitChat”, is the controller responsible for your personal data. We are a company registered with Zambia’s Patents and Companies Registration Agency under company number 120170000396 and are regulated as a payments system business by the Bank of Zambia.
• Zambia has enacted various pieces of legislation that provide for a safe, secure, and effective environment for the conduct and use of electronic communications. Data privacy and protection issues in Zambia are mainly regulated by the Electronic Communications and Transactions Act No. 4 of 2021, the Data Protection Act No. 3 of 2021, the Cyber Security and Cyber Crimes Act No. 2 of 2021, and the Information and Communications Technologies Act No. 15 of 2009, as those laws are supplemented, amended and replaced from time to time (the “Privacy Laws”). The Privacy Laws are comprehensive and provide legal requirements for the communication of data messages, processing of personal information, recognition of authentication service providers, protection of critical databases, and domain name regulation. The Privacy Laws include provisions that prohibit the interception of communications, the disclosure of stored communications, the unauthorized decryption of communications or release of a decryption key, and the disclosure of records or other information by the key holder. Furthermore, the Privacy Laws provide for rules relating to cyber inspections, cybercrimes, and the security of electronic communications. To the extent applicable, we will also comply with the data protection regimes of any jurisdiction where we process data or act as a data controller including, respectfully, the General Data Protection Regulation ((EU) 2016/679) retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR); the Data Protection Act 2018 (DPA 2018); and the California Consumer Privacy Act (CCPA).
• We are responsible for the personal data which is collected from you and processed when you visit our website (www.onchitchat.com) or use the ChitChat App, during the registration and application processes, and through your continued use of our services.
• Some of the third-parties with whom we share personal data, such as financial institutions and payment acquirers, are independent data controllers. When your personal data is shared with such independent data controllers, it will be processed in accordance with their data policies.
• If you have any questions about our use of your personal data, please contact us  Customer Services, or by emailing us at help@onchitchat.com, by phone on +260978017054, or visiting us (Mondays to Fridays, from 8:30 to 17:30 hrs) at Villa 6, Zimbabwe House, Millenium Village, Birdcage Walk, Lusaka, 10101, Zambia.
• Alternatively, you can contact our Data Protection Officer at compliance@onchitchat.com.

3. Your personal data

• We collect and process the personal data that we collect from you in accordance with our obligations under the Privacy Laws.
• We collect information about you when
  • you register as a ChitChat user or apply for any services which we offer, such as the ChitChat wallet;
  • you use the ChitChat App to contact other ChatChat users;
  • you transfer funds to or from your ChitChat wallet; and
  • when you contact us for any reason.
• The information that we collect and hold about you might include:
  • your identity data (including your name, title, date of birth, tax residency and gender);
  • your biometric information if you elect to use face or touch recognition to log in;
  • your contact details, including your email address and mobile phone number;
  • your user name and password for accessing the ChitChat App and any of our additional services for which you register;
  • transaction details, including your payment card details and information about transactions you make using the ChitChat wallet;
  • your device data, including the type of mobile device you use, a unique device identifier (for example, your device’s IMEI number, the MAC address of the device’s wireless network interface, or the mobile phone number used by the device), mobile network information, your mobile operating system, the type of mobile browser you use and the time zone setting;
  • your preferences in receiving marketing from us and our third parties and your communication preferences;
  • your cookie and tracking preferences;
  • a record of any interactions you have with us, such as when you contact our customer service representatives; and
  • your location data.
• We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

4. How and why we use your data

We will only use your personal data when the law allows us to do so. Generally we may only process your personal data:

• for the performance of a contract which we enter into with you (for example, our contract for the use of the ChitChat App based on our Terms and Conditions;
• if you have given us your consent;
• if it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
• if we need to comply with a legal or regulatory obligation.

5. Contractual Performance

We have a lawful basis in processing your personal data to fulfil our contractual obligations to you in relation to your use of ChitChat’s services in accordance with our Terms and Conditions. For example, we will need to use your data:

• to process payments to and from the ChitChat wallet;
• to send you and the recipients confirmation of payments which you make;
• to assist you with any customer services requests; and
• to confirm your identity when you contact us.

Our specific lawful basis for processing your personal data is set out in the table in the Appendix to this policy.

6. With your consent

We will seek your consent if we want to use your data for reasons where we have no other lawful basis. For example, we may ask for your consent:

• to send you marketing communications; and
• to include you in any customer surveys or research that we carry out from time to time.

You can withdraw your consent to processing at any time through Customer Services.

7. Our Legitimate Interests

We are entitled to process your personal data on the basis of our other legitimate interests. This means that we may use your personal data for purposes that you might reasonably expect, provided that this does not affect your rights under the Privacy Laws. For example, we may use your personal data:

• for analytics purposes;
• to inform you about ChitChat’s services through social media channels; and
• to improve our services based on your use of your ChitChat account.

8. Our Legal or Regulatory Obligation

We have a lawful basis for processing your personal data if we are obliged to do so by law or regulation. For example, we may need to:

• confirm your identity when you register for any ChitChat services;
• carry out sanctions screening or checks with third prevention agencies in order to comply with our legal obligations, including in relation to politically exposed persons and sanctions;
• assist with the detection and prevention of fraud and other criminal offences, including by reporting suspicious transactions;
• keep records of your personal data to comply with our legal requirements; and
• comply with banking laws and regulations, particularly in relation to our authorisation as a payments system business from the Bank of Zambia

9. Automated Decisions

Decisions are sometimes made automatically, for example in circumstances where:

• we need to take action, like freezing a transaction or account because we suspect fraud or money-laundering against ChitChat or another ChitChat user; and
• we need to complete initial assessments for disputed transactions

You are entitled to request a review of any such decision through Customer Services.

10. Sharing your Personal Data

We may need to share your personal data with other companies. For example:

• Our Service Providers

  We use third party service providers in connection with providing our services to you, including:

  • payment processors;
  • cloud computing power, storage and software providers;
  • the providers of business intelligence tools;
  • analytics platform providers;
  • the providers of software tools used for customer communications
  • accounting services providers;
  • customer services agencies; and
  • firms, including Onfido, which we use to carry out ID checks when you register for ChitChat services.

  We enter into a data processing agreement with each such service provider to ensure that they are obliged to process your data only in accordance with our rights and obligations under this Privacy Notice.

• Fraud Prevention and Law Enforcement Authorities

  We may share information about you when requested to do so by:

  • authorities involved in crime prevention, including fraud, money laundering, terrorism and tax evasion;
  • the police;
  • financial services regulation agencies, including the Bank of Zambia.

• Other Union Fiftyfour Group Companies

  We may share your personal data with Union Fiftyfour Limited’s group companies where we have a lawful reason to do so.

11. Our Data Retention Policy

We shall not retain your personal data for any longer than is necessary for our lawful processing. Our general rules for data retention are as follows:

• we store your personal data for as long as your customer relationship with Union Fiftyfour and its group companies continues;
• when you terminate your customer relationship with us, we shall continue to store certain information in accordance with our legal obligations regarding accounting records and money laundering;
• we do not retain personal data that we process on the basis of your consent if you withdraw your consent, unless there is another legal basis for further processing; and
• in some situations, we may have a legitimate interest in keeping the personal data for a longer period, for example for back-up.
• In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

12. Your Rights

Under the Privacy Laws you have rights regarding our collection, processing and retention of your personal data. These rights include:

• The right to access the personal data which we hold about you. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• The right to request that we correct any errors in the personal data which we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• The right to have your personal data transferred in a machine-readable format to a new data controller. We will provide to you, or the third party you have specified, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• The right to withdraw consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
• The right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• The right to request restriction of processing of your personal data. This entitles you to ask us to suspend the processing of your personal data in the following scenarios:
  • if you want us to establish the data’s accuracy;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• The right to require us to delete the personal data which we hold about you. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see paragraph (f)) where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

You can exercise your rights through Customer Service.

13. International Transfers of Personal Data

• ChitChat offers its services internationally and we and/or the Service Providers listed in paragraph 10(a) may transfer your personal data for processing outside the country where you live. Certain of these countries may not provide the same level of data protection as your own country.
• Where we transfer personal data:
  • from the UK, we do so based the UK Addendum (approved by the Information Commissioner’s Office) to the EU Standard Contractual clauses, approved by the European Commission, in order to protect your data; and
  • from the EU, we do so based the EU Standard Contractual clauses, approved by the European Commission,

  in order to protect your data.

14. Cookies

• Cookies are small files assigned to your computer or device by a website or mobile application. Cookies do not contain your personal data but do include a unique ID linked to your device. We use cookies in order to collect your device information, recognise your device, provide relevant advertising, perform analytics and prevent potential fraud.
• You can manage cookies by accessing your browser settings, although this may vary across browsers and devices.

15. Data security

• All information you provide to us is stored on our secure servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be encrypted in transit.
• We will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
• We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

16. Disclosures of your personal data

• When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below for the purposes set out in the table below:
  • External Third Parties as set out in the [Glossary].
  • Specific third parties listed in the table below
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

17. General Principles

• In order to help us protect your personal data, it is important that you always keep your account information safe. Never share your user name, password, or other credentials with any person or third party. By providing your user name, password or other credentials to any person or third party (including an aggregation service) you authorize that person or third party to access your account.
• We may interact with registered users of various social media platforms, including Facebook and Twitter. Please note that any content you post to such social media platforms (e.g., pictures, information or opinions), as well as any personal data that you otherwise make available to users (e.g., your profile), is subject to the applicable social media platform’s terms of use and privacy notice. We advise you to review these documents carefully in order to understand your rights and obligations with regard to such content.
• We shall never initiate (unless otherwise stated for a specific product or service application) a request via email for any of your personal data (e.g., personal ID, password, user name or account number). If you receive an email asking for your sensitive information, you should be suspicious of such a request and promptly contact us to report the suspicious activity.

18. Changes to this Privacy Notice

Any changes we may make to our Privacy Notice in the future will be published on our website and, where appropriate, notified to you by SMS, by email and/or when you next access the ChitChat App. The new terms may be displayed on-screen in the ChitChat App and you may be required to read and accept them to continue your use of the ChitChat App or our services.