Mcash eKYC Field Data Collection Application

Privacy Policy

Application: eKYC Platform Last updated: May 19, 2026

This Privacy Policy describes how we collect, use, store, and disclose personal data gathered through the Mcash eKYC Field Data Collection Application (the "Application"). This Application is designed for authorised field agents and officers who collect Know Your Customer (KYC) data on behalf of the Organisation.

By installing and using the Application, you (as a field agent or data subject) acknowledge and accept the practices described in this Privacy Policy. If you are a data subject whose information is being collected, you have specific rights described in this document.

Table of Contents

1. Interpretation and Definitions

1.1 Interpretation

Capitalised terms have specific meanings as defined below. These definitions apply regardless of whether they appear in singular or plural form.

1.2 Definitions

2. Who This Policy Applies To

This Privacy Policy applies to:

Field Agents are responsible for informing Data Subjects of this Privacy Policy and obtaining appropriate consent before collecting any personal data.

3. Data We Collect

The Application collects the following categories of data during KYC field operations:

3.1 Personal Identification Data

3.2 Photographic and Biometric Data

Note: Photographs of faces may constitute biometric data under applicable law. Such data is treated with the highest level of care and subject to additional safeguards.

3.3 Location Data

Location data is used to verify that KYC collection occurs at approved or declared locations, to prevent fraudulent remote submissions, and to maintain an accurate audit trail. You may disable location services at the device level; however, this may prevent the Application from functioning correctly.

3.4 Device and Session Metadata

The Application automatically collects the following metadata from the Field Agent's device:

3.5 Field Agent Usage Data

3.6 Textual and Form Data

We process personal data on one or more of the following legal bases:

5. How We Use Collected Data

Personal data collected through the Application is used for the following purposes:

5.1 KYC Verification and Compliance

5.2 Fraud Prevention and Security

5.3 Audit and Record-Keeping

5.4 Service Improvement and Quality Assurance

6. Sharing and Disclosure of Personal Data

We do not sell personal data. We may share data in the following circumstances:

6.1 Regulatory and Government Authorities

We may disclose personal data to regulators, law enforcement agencies, financial intelligence units, or courts where required to do so by law, court order, or regulatory directive.

6.2 Authorised Service Providers

We may engage third-party processors (e.g. cloud storage providers, document verification services) who process data solely on our behalf and under strict data processing agreements. These providers are prohibited from using the data for their own purposes.

6.3 Within the Organisation

Collected data is accessible to authorised internal personnel, including compliance officers, risk analysts, supervisors, and IT administrators, on a need-to-know basis.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. Affected Data Subjects will be notified as required by applicable law.

6.5 With Data Subject Consent

We may share personal data with third parties for purposes beyond those stated above where the Data Subject has given explicit, informed consent.

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Policy and to comply with applicable legal and regulatory requirements. This includes, among others, KYC records (including photographs and document images), location and session metadata (for audit and fraud prevention purposes), device metadata and usage logs, and Field Agent activity logs.

Specific retention periods for each category of personal data are set out in Schedule A (Data Retention Schedule) to this Policy and are determined in accordance with applicable laws, including the National Payment Systems Act, 2020, the Data Protection and Privacy Act, 2019, KYC and AML requirements, and our internal data retention policies.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially reasonable means to protect your data, we cannot guarantee absolute security. Any suspected data breach will be reported to the relevant supervisory authority and affected individuals as required by applicable law.

9. Cross-Border Data Transfers

Personal data collected through the Application may be transferred to and processed in countries other than the country of collection. Such transfers will only take place where:

10. Rights of Data Subjects

Where permitted by applicable law, Data Subjects have the following rights regarding their personal data:

To exercise any of these rights, please contact us using the details in Section 14. We will respond to all requests within thirty (30) days. Certain rights may be limited where we have overriding legal obligations to retain or process the data.

11. Field Agent Responsibilities

Field Agents using the Application are required to:

Failure to comply with these obligations may result in disciplinary action and/or legal consequences.

12. Children's Data

The Application is not intended to be used to collect the personal data of individuals under the age of 18 without the consent of a parent or legal guardian. Where the KYC process requires the collection of data involving a minor, Field Agents must obtain written consent from the minor's parent or guardian and record this within the Application before proceeding.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The updated Policy will be published within the Application and on our website. Where changes are material, we will notify Field Agents through in-app notification and notify affected Data Subjects as required by law. The date at the top of this document reflects when the Policy was last revised.

Continued use of the Application after an updated Policy is published constitutes acceptance of the revised terms.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer:

Data subjects who believe their rights have not been adequately addressed may lodge a complaint with our data protection officer using the details provided above.

Schedule A — Data Categories and Retention Summary

Data Category Purpose Retention Period
Personal ID Data KYC verification, compliance 10 years
Photographs & Documents Identity verification, audit 10 years
Location Data Fraud prevention, audit trail 10 years
Device Metadata Security, session integrity 10 years
Agent Usage Logs Audit, quality assurance 10 years
Textual Form Data KYC assessment, compliance 10 years

This document is intended for internal and regulatory purposes. Unauthorised reproduction or distribution is prohibited.