DuelaPay is launching soon — South Africa's smarter lay-by platform.

ShoppersMerchantsHow It WorksFAQBlog
Sign Up Free Merchant Demo

Privacy Policy

Privacy Policy

Effective date: 4 June 2026
Responsible party: Duela Pay (Pty) Ltd
Registration number: [Registration number]
Information Officer: [Name], privacy@duelapay.com

This Privacy Policy explains how Duela Pay (Pty) Ltd (“DuelaPay”, “we”, “us”, “our”) collects, uses, stores, and protects your personal information. It applies to all users of the DuelaPay website, mobile application, and related services. We are committed to processing your personal information lawfully, transparently, and in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Personal Information We Collect

We collect only the information necessary to provide our lay-by payment services. This includes:

1.1 Information you provide directly

  • Full name, South African ID number, and date of birth
  • Contact details: email address, phone number, and physical address
  • Proof of identity and proof of address (for KYC verification)
  • Banking details (for wallet funding and payouts)
  • Selfie and biometric data (for liveness verification — processed only to confirm your identity and not retained beyond the verification event)
  • Merchant business details: company name, registration number, VAT number, bank account information, and store locations

1.2 Information collected automatically

  • Device information: type, operating system, browser, and unique device identifiers
  • Usage data: pages visited, features used, timestamps, and in-app actions
  • Transaction data: lay-by plan details, instalment history, wallet movements, and payment rail used
  • Location data: general location derived from IP address (not precise GPS)
  • Cookie and tracking data — see our Cookie Policy for details

2. Why We Process Your Personal Information

We process your personal information for the following purposes and on the following lawful grounds under POPIA:

Purpose Lawful ground
Creating and managing your DuelaPay account Contract performance
KYC identity verification (FICA compliance) Legal obligation
Processing lay-by instalments and wallet transactions Contract performance
Calculating your Duela Score and tier level Legitimate interest
Fraud prevention and platform security Legitimate interest / Legal obligation
Communicating about your account, plans, and payments Contract performance
Sending marketing communications (with your consent) Consent
Improving our products and services Legitimate interest
Analytics and website performance measurement Consent (via cookie preferences)
Complying with regulatory and legal obligations Legal obligation

3. Who We Share Your Information With

We do not sell your personal information. We share it only where necessary:

  • Sponsor bank and payment processors: to process wallet top-ups, instalments, and merchant payouts
  • KYC/AML verification providers: to confirm your identity as required by FICA
  • Insurance underwriter: to administer the Duela Protect coverage included in every lay-by plan
  • Merchants: limited information (first name, last initial, collection reference) to facilitate product handover
  • Credit bureaux: for Excel-tier shoppers who have given explicit consent to credential export
  • Analytics providers: anonymised usage data where you have consented to analytics cookies
  • Law enforcement and regulators: where required by law or court order

All third parties who process your data on our behalf are bound by data processing agreements and may not use your information for their own purposes.

4. How Long We Retain Your Information

  • Account data: for the duration of your account, plus 5 years after closure (FICA requirement)
  • Transaction records: 5 years from the transaction date
  • KYC documents: 5 years from the date of verification
  • Marketing preferences: until you withdraw consent or close your account
  • Cookie data: as set out in our Cookie Policy — typically 12 months

5. Your Rights Under POPIA

You have the following rights regarding your personal information:

  • Right to be notified — we must tell you when we collect your information and why
  • Right of access — you can request a copy of the personal information we hold about you
  • Right to correction — you can ask us to correct inaccurate or outdated information
  • Right to deletion — you can ask us to delete your information, subject to legal retention requirements
  • Right to object — you can object to our processing of your information for direct marketing at any time
  • Right to data portability — you can request your data in a structured, machine-readable format
  • Right to complain — you can lodge a complaint with the Information Regulator (see Section 9)

To exercise any of these rights, email us at privacy@duelapay.com. We will respond within 30 days.

6. Security

We protect your personal information using industry-standard technical and organisational measures, including:

  • TLS encryption in transit and AES-256 encryption at rest
  • Multi-factor authentication on all staff accounts
  • Role-based access control — staff access only what they need
  • Regular security audits and penetration testing
  • Incident response procedures aligned with POPIA notification requirements

In the event of a data breach that may affect your rights, we will notify the Information Regulator and affected individuals within 72 hours of becoming aware of the incident, as required by POPIA.

7. Cookies

We use cookies and similar tracking technologies. You can manage your preferences at any time using the Cookie Preferences link in our footer. See our Cookie Policy for full details.

8. International Transfers

Our services are hosted and operated primarily within South Africa. Where personal information is transferred to service providers in other countries (for example, analytics providers), we ensure that appropriate safeguards are in place, including data processing agreements that provide equivalent protection to POPIA.

9. How to Complain

If you believe we have handled your personal information unlawfully, you have the right to lodge a complaint with South Africa’s Information Regulator:

  • Website: www.justice.gov.za/inforeg
  • Email: inforeg@justice.gov.za
  • Address: 33 Hoofd Street, Forum III, 3rd Floor, Braampark, Johannesburg, 2001

We encourage you to contact us first at privacy@duelapay.com — most concerns can be resolved directly and quickly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and display a notice in the app. The effective date at the top of this page will always reflect the most recent version. Continued use of DuelaPay after changes are posted constitutes acceptance of the updated policy.

Duela Pay (Pty) Ltd is registered and operates in South Africa. This Privacy Policy is governed by the laws of South Africa.