Skip to main content

Privacy Policy

    Nombu Asset Management (Pty) Ltd, together with its group companies, affiliates, and subsidiaries (collectively, “Nombu,” “we,” “us,” or “our”) is committed to protecting the privacy and personal information of all individuals who interact with our businesses, services, and platforms. This Privacy Policy explains how we collect, process, store, share, and protect personal information in compliance with the Protection of Personal Information Act (POPIA), the General Data Protection Regulation (GDPR) where applicable, and ISO 27001 information security standards.

    By engaging with any Nombu service or other operations — you consent to the practices described in this Privacy Policy. If you do not agree, you should refrain from using our services.

     

    1. Scope of This Policy

    This Policy applies to all personal information collected, processed, or stored across all Nombu businesses, including:

    • Digital platforms, mobile applications, and websites.
    • Physical offices, client onboarding, and site interactions.
    • Employee, contractor, vendor, and partner records.
    • Investment, property, and token-related services.


    2. Information We Collect

    We collect personal information necessary to provide services, comply with legal obligations, and protect the integrity of our operations. This may include:

    • Identity Information: Full name, date of birth, identification documents, nationality, and biometric verification.
    • Contact Information: Address, email, and phone numbers.
    • Financial Information: Bank details, wallet addresses, proof of funds, transaction history, and trade-related records.
    • Corporate Information (for entities): Incorporation documents, shareholding structures, beneficial ownership details, and legal representatives.
    • Employment/Contractor Information: CVs, tax numbers, employment agreements, and professional credentials.
    • Technical Information: IP addresses, device identifiers, usage activity on digital platforms.
    • Publicly Available Information: From third-party verification providers, regulators, government registries, or social media sources.


    3. Purpose of Processing

    We process personal information only for legitimate and specific purposes, including:

    • Client and user onboarding, including Know Your Customer (KYC) checks.
    • Monitoring and reporting transactions under Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) laws.
    • Providing and operating Nombu services, platforms, and products.
    • Complying with regulatory, legal, and audit obligations.
    • Managing employment, contractor, and vendor relationships.
    • Ensuring information security, fraud prevention, and operational integrity.
    • Responding to inquiries, complaints, and dispute resolution.
    • Improving service functionality, user experience, and platform features.
    • Marketing communications and promotions, where explicit consent is provided.


    4. Lawful Basis for Processing

    Personal information is processed on the following lawful bases:

    • Legal Obligation: Compliance with POPIA, FIC Act, FSCA, tax, and other applicable laws.
    • Contractual Necessity: To provide services under agreements with clients, employees, or vendors.
    • Legitimate Interests: To safeguard Nombu systems, manage risks, improve services, and protect operational integrity.
    • Consent: For activities requiring explicit permission, including marketing or optional data collection.


    5. Cross-Border Data Transfers

    Personal information may be stored in South Africa and secure international jurisdictions for redundancy and security purposes. Cross-border transfers will only occur to countries with adequate data protection laws or under binding contracts that provide equivalent safeguards in compliance with POPIA and GDPR.


    6. Data Retention

    Personal information will be retained only as long as necessary to fulfil processing purposes or as legally required:

    • KYC/AML client records: 5 years post relationship.
    • Suspicious transaction reports, PEP files: 7 years.
    • Employment and contractor records: as per statutory requirements.
    • Records necessary for dispute resolution, legal claims, or regulatory audits: until resolved.

     

    7. Data Subject Rights

     

    Individuals have the following rights under POPIA, GDPR, and other applicable laws:

    • Access: Request a copy of personal data held.
    • Correction: Update or correct inaccurate information.
    • Deletion: Request deletion, subject to legal and regulatory obligations.
    • Objection: Object to certain processing activities, such as direct marketing.
    • Data Portability: Receive a copy of personal data in a portable format where technically feasible.

    Requests can be submitted to the Nombu Information Officer.


    8. Security Safeguards

    We implement technical and organisational measures aligned with ISO 27001 standards:

    • Encryption of data in transit and at rest.
    • Multi-factor authentication and role-based access controls.
    • Regular penetration testing and security audits.
    • Data minimisation and secure deletion protocols.
    • Real-time monitoring for unauthorised access.

    Despite these measures, no system is completely immune to cyber threats. Users acknowledge residual risks.


    9. Sharing of Personal Information

    Personal information may be shared with:

    • Regulatory authorities (FSCA, FIC, tax, and law enforcement).
    • Third-party service providers supporting operations (e.g., cloud hosting, payment processing, IT services).
    • Legal representatives, auditors, or dispute resolution bodies.
    • Business partners, vendors, or contractors where necessary to deliver services.

    We do not sell personal information to third parties under any circumstances.


    10. Children’s Privacy

    Nombu services are generally not intended for persons under 18. Where minors’ data is collected without consent, it will be deleted immediately.


    11. Changes to This Privacy Policy


    Nombu may update this Policy at any time. Material changes will be communicated via email, website notices, or service notifications. Continued use of Nombu services constitutes acceptance of the revised Policy.

     

    12. Contact Information

    Information Officer

    Nombu Asset Management (Pty) Ltd

    Email: compliance@nombu.co.za



Privacy Policy

    Nombu Asset Management (Pty) Ltd, together with its group companies, affiliates, and subsidiaries (collectively, “Nombu,” “we,” “us,” or “our”) is committed to protecting the privacy and personal information of all individuals who interact with our businesses, services, and platforms. This Privacy Policy explains how we collect, process, store, share, and protect personal information in compliance with the Protection of Personal Information Act (POPIA), the General Data Protection Regulation (GDPR) where applicable, and ISO 27001 information security standards.

    By engaging with any Nombu service or other operations — you consent to the practices described in this Privacy Policy. If you do not agree, you should refrain from using our services.

     

    1. Scope of This Policy

    This Policy applies to all personal information collected, processed, or stored across all Nombu businesses, including:

    • Digital platforms, mobile applications, and websites.
    • Physical offices, client onboarding, and site interactions.
    • Employee, contractor, vendor, and partner records.
    • Investment, property, and token-related services.


    2. Information We Collect

    We collect personal information necessary to provide services, comply with legal obligations, and protect the integrity of our operations. This may include:

    • Identity Information: Full name, date of birth, identification documents, nationality, and biometric verification.
    • Contact Information: Address, email, and phone numbers.
    • Financial Information: Bank details, wallet addresses, proof of funds, transaction history, and trade-related records.
    • Corporate Information (for entities): Incorporation documents, shareholding structures, beneficial ownership details, and legal representatives.
    • Employment/Contractor Information: CVs, tax numbers, employment agreements, and professional credentials.
    • Technical Information: IP addresses, device identifiers, usage activity on digital platforms.
    • Publicly Available Information: From third-party verification providers, regulators, government registries, or social media sources.


    3. Purpose of Processing

    We process personal information only for legitimate and specific purposes, including:

    • Client and user onboarding, including Know Your Customer (KYC) checks.
    • Monitoring and reporting transactions under Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) laws.
    • Providing and operating Nombu services, platforms, and products.
    • Complying with regulatory, legal, and audit obligations.
    • Managing employment, contractor, and vendor relationships.
    • Ensuring information security, fraud prevention, and operational integrity.
    • Responding to inquiries, complaints, and dispute resolution.
    • Improving service functionality, user experience, and platform features.
    • Marketing communications and promotions, where explicit consent is provided.


    4. Lawful Basis for Processing

    Personal information is processed on the following lawful bases:

    • Legal Obligation: Compliance with POPIA, FIC Act, FSCA, tax, and other applicable laws.
    • Contractual Necessity: To provide services under agreements with clients, employees, or vendors.
    • Legitimate Interests: To safeguard Nombu systems, manage risks, improve services, and protect operational integrity.
    • Consent: For activities requiring explicit permission, including marketing or optional data collection.


    5. Cross-Border Data Transfers

    Personal information may be stored in South Africa and secure international jurisdictions for redundancy and security purposes. Cross-border transfers will only occur to countries with adequate data protection laws or under binding contracts that provide equivalent safeguards in compliance with POPIA and GDPR.


    6. Data Retention

    Personal information will be retained only as long as necessary to fulfil processing purposes or as legally required:

    • KYC/AML client records: 5 years post relationship.
    • Suspicious transaction reports, PEP files: 7 years.
    • Employment and contractor records: as per statutory requirements.
    • Records necessary for dispute resolution, legal claims, or regulatory audits: until resolved.

     

    7. Data Subject Rights

     

    Individuals have the following rights under POPIA, GDPR, and other applicable laws:

    • Access: Request a copy of personal data held.
    • Correction: Update or correct inaccurate information.
    • Deletion: Request deletion, subject to legal and regulatory obligations.
    • Objection: Object to certain processing activities, such as direct marketing.
    • Data Portability: Receive a copy of personal data in a portable format where technically feasible.

    Requests can be submitted to the Nombu Information Officer.


    8. Security Safeguards

    We implement technical and organisational measures aligned with ISO 27001 standards:

    • Encryption of data in transit and at rest.
    • Multi-factor authentication and role-based access controls.
    • Regular penetration testing and security audits.
    • Data minimisation and secure deletion protocols.
    • Real-time monitoring for unauthorised access.

    Despite these measures, no system is completely immune to cyber threats. Users acknowledge residual risks.


    9. Sharing of Personal Information

    Personal information may be shared with:

    • Regulatory authorities (FSCA, FIC, tax, and law enforcement).
    • Third-party service providers supporting operations (e.g., cloud hosting, payment processing, IT services).
    • Legal representatives, auditors, or dispute resolution bodies.
    • Business partners, vendors, or contractors where necessary to deliver services.

    We do not sell personal information to third parties under any circumstances.


    10. Children’s Privacy

    Nombu services are generally not intended for persons under 18. Where minors’ data is collected without consent, it will be deleted immediately.


    11. Changes to This Privacy Policy


    Nombu may update this Policy at any time. Material changes will be communicated via email, website notices, or service notifications. Continued use of Nombu services constitutes acceptance of the revised Policy.

     

    12. Contact Information

    Information Officer

    Nombu Asset Management (Pty) Ltd

    Email: compliance@nombu.co.za