Privacy Policy
Last Updated: 20 February 2026
Introduction
LedgerFlow ("we," "our," or "us") provides enterprise ledger management and financial transaction processing services to payment service providers, financial institutions, and merchants ("Customers"). This Privacy Policy explains how we collect, use, store, and protect personal information when:
- Our Customers access and use the LedgerFlow Platform
- Personal data of our Customers' end users ("End Users") is processed through our Platform as part of the Services
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, processing, and use of personal information as described herein.
This Privacy Policy should be read in conjunction with our Terms and Conditions of Use, which are incorporated by reference.
1. Information We Collect
1.1 Customer Information
We collect and process the following information about our Customers:
- Business and personal contact information (names, email addresses, phone numbers, job titles)
- Account credentials, authentication tokens, API keys, and access logs
- Billing, invoicing, and payment information
- Technical information related to Platform usage, including system logs, IP addresses, session data, and access timestamps
- Communications and correspondence with LedgerFlow
1.2 End User Data
Through our Customers' use of the Platform, we may process personal information relating to End Users on behalf of our Customers, including:
- Financial transaction records and account identifiers
- Payment information and transaction amounts
- KYC (Know-Your-Customer) identity documentation and verification records
- Account balance and statement data
- Any other financial data submitted by Customers through the Platform
We process End User data solely as a data processor acting on the documented instructions of our Customers, who are the data controllers for that data. See Section 9 for further details.
1.3 Automatically Collected Technical Data
When you access the Platform, we may automatically collect:
- Browser type and version, operating system, and device information
- IP address and geolocation data (country/region level)
- Pages and features accessed, timestamps, and session duration
- Error logs and performance metrics
1.4 Cookies and Similar Technologies
The Platform uses session cookies and similar tracking technologies to:
- Maintain authenticated sessions (session tokens)
- Remember user preferences (e.g., timezone settings)
- Detect and prevent fraudulent or unauthorised access
- Analyse Platform performance and usage patterns
By using the Platform, you consent to our use of cookies as described above. Session cookies are deleted when you close your browser. You may configure your browser to reject cookies, but doing so may impair Platform functionality.
2. Legal Basis for Processing (GDPR)
We process personal information under the following legal bases:
- Contract performance: Processing necessary to provide the Services under our Customer agreements
- Legal obligations: Processing required to comply with applicable laws (e.g., financial record-keeping, AML/KYC requirements)
- Legitimate interests: Processing for fraud prevention, security monitoring, Platform improvement, and service administration
- Consent: Where we rely on consent (e.g., marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing
3. Data Protection Principles
We adhere to the principles of both the GDPR (General Data Protection Regulation) and POPIA (Protection of Personal Information Act, South Africa) and commit to:
- Processing personal information lawfully, fairly, and transparently
- Collecting information only for specified, explicit, and legitimate purposes
- Ensuring information is adequate, relevant, and limited to what is necessary (data minimisation)
- Keeping information accurate and, where necessary, up to date
- Storing information only for as long as is necessary for the purposes for which it was collected
- Maintaining appropriate technical and organisational security measures
- Not transferring personal information to countries without adequate protections unless appropriate safeguards are in place
4. How We Use Personal Information
We use the information we collect to:
- Provision, operate, maintain, and improve the Platform and Services
- Authenticate users and manage account access
- Process and record financial transactions on behalf of Customers
- Generate audit trails, compliance reports, and statements
- Detect, investigate, and prevent fraud, security incidents, and abuse
- Provide customer support and respond to enquiries
- Send operational communications (service updates, security alerts, account notifications)
- Comply with legal and regulatory obligations
- Enforce our Terms and Conditions
We will not use your personal information for purposes incompatible with those described in this Privacy Policy without your prior consent or a lawful basis for doing so.
5. Data Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, or destruction, including:
- Encryption of data in transit (TLS) and at rest
- Role-based access controls (RBAC) with granular permission management
- Multi-factor authentication options for account access
- Comprehensive audit logging of all data access and modifications
- Regular security assessments and vulnerability testing
- Incident response procedures with defined escalation paths
- Employee training on data protection and information security
Notwithstanding these measures, no system is completely secure. We cannot guarantee absolute security of data transmitted to or stored within the Platform, and transmission is at your own risk. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.
6. Data Sharing and Disclosure
We do not sell personal information. We may share personal information in the following circumstances:
- Service Providers and Subprocessors: We engage trusted third-party providers to assist in operating the Platform (e.g., cloud infrastructure, email delivery). These providers are contractually bound to process data only on our instructions and maintain appropriate security standards. See Section 10 for subprocessor details.
- Legal Requirements: We may disclose personal information where required by law, court order, regulatory authority, or government request.
- Protection of Rights: We may disclose information where necessary to detect, prevent, or address fraud, security incidents, or violations of our Terms.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to equivalent privacy protections.
We will not otherwise disclose your personal information to third parties without your prior consent.
7. International Data Transfers
LedgerFlow is based in South Africa. If we transfer personal information to other countries (including countries outside the European Economic Area or South Africa), we ensure that:
- Adequate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions)
- Transfer mechanisms comply with applicable GDPR and POPIA requirements
- Data recipients maintain appropriate technical and organisational security measures
By using the Platform, you consent to the transfer of your personal information internationally where necessary to provide the Services.
8. Data Retention
We retain personal information for as long as is necessary to fulfil the purposes for which it was collected, including to:
- Provide ongoing Services to Customers
- Comply with applicable legal, regulatory, financial record-keeping, and tax obligations
- Resolve disputes and enforce agreements
- Maintain audit trails as required by applicable financial regulations
When personal information is no longer required for these purposes, it will be securely deleted or anonymised. Financial transaction records may be retained for extended periods as required by applicable law (typically a minimum of 5 to 7 years depending on jurisdiction).
9. Our Role as a Data Processor
For personal information relating to End Users that is processed through the Platform on behalf of Customers:
- LedgerFlow acts as a data processor and Customers act as data controllers
- We process such data only on documented instructions from the relevant Customer
- Customers are solely responsible for ensuring they have an appropriate legal basis for collecting End User data and for complying with applicable data protection obligations in relation to that data
- End Users wishing to exercise their rights (see Section 11) in relation to data held by a Customer should contact that Customer directly; we will assist Customers in meeting their obligations as required
- LedgerFlow accepts no independent liability to End Users for the processing of their data in accordance with Customer instructions
10. Subprocessors
We may engage the following categories of subprocessors to assist in delivering the Services:
- Cloud infrastructure and hosting providers
- Email delivery providers
- Observability and monitoring services (e.g., logging, tracing, metrics)
- Authentication and identity providers
We maintain a current list of subprocessors and notify Customers of any material changes. All subprocessors are bound by data processing agreements requiring them to maintain appropriate security and data protection standards.
11. Your Rights
Under GDPR and POPIA, individuals have the following rights in relation to their personal information:
| Right | Description |
|---|---|
| Access | Request a copy of personal information we hold about you |
| Correction | Request correction of inaccurate or incomplete information |
| Erasure | Request deletion of personal information in certain circumstances |
| Restriction | Request restriction of processing in certain circumstances |
| Portability | Receive your personal information in a structured, machine-readable format |
| Object | Object to processing based on legitimate interests or for direct marketing |
| Withdraw Consent | Where processing is based on consent, withdraw that consent at any time |
To exercise any of these rights, please contact us at the details in Section 13. We will respond within 30 days (or as otherwise required by applicable law). We may require verification of your identity before processing your request.
Note for End Users: If your data is held by a LedgerFlow Customer, please direct requests to that Customer in the first instance. We will assist the Customer in responding as required.
12. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, the Services, or applicable law. Where changes are material, we will notify Customers by email or through the Platform prior to the changes taking effect. Continued use of the Platform following the effective date of a revised Privacy Policy constitutes your acceptance of the revised Policy.
We maintain a version history of this Privacy Policy, and the date of the most recent update is shown at the top of this document.
13. Contact Information
For all privacy-related enquiries, requests to exercise data subject rights, or to report a potential data breach:
- Privacy Enquiries: [email protected]
- Data Protection Officer: [email protected]
- General Enquiries: [email protected]
- Address: LedgerFlow, Cape Town, Western Cape, Republic of South Africa
- Website: www.ledgerflow.ai
We aim to respond to all privacy-related enquiries within 30 days of receipt.
14. Information Regulator - South Africa (POPIA)
For matters relating to the Protection of Personal Information Act (POPIA), you may contact the Information Regulator of South Africa:
- Website: www.justice.gov.za/inforeg
- Email: [email protected]
- Complaints: [email protected]
15. Supervisory Authority - European Union (GDPR)
If you are located in the European Economic Area and believe we have processed your personal information in violation of GDPR, you have the right to lodge a complaint with your local data protection supervisory authority.