§ P · Legal

POPIA Privacy Policy

This policy sets out how Claar collects, uses, stores, and protects personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (POPIA).

Last updated · 19 April 2026

1. Introduction

Claar ("we", "us", "our") provides a compliance platform that enables accountable institutions to meet their obligations under the Financial Intelligence Centre Act, 38 of 2001 (FICA). In doing so we act as an operator for our customers, and as a responsible party in respect of our own business contacts. This policy explains our practices in both capacities.

2. Information we process

Depending on the service, we may process the following categories of personal information:

  • Identity information — full names, identity or passport number, date of birth, nationality, photograph.
  • Contact information — email address, phone number, physical and postal address.
  • Verification data — liveness capture, document scans, proof of address, screening results (PEP, sanctions, adverse media, credit).
  • Transactional information — deal references, parties to a transaction, source of funds.
  • Usage information — login events, IP address, browser type, audit logs.

3. Purpose of processing

Personal information is processed only for lawful purposes directly related to the service, including:

  • performing identity verification and screening required by FICA;
  • maintaining records, risk ratings, and audit trails for accountable institutions;
  • generating regulatory reports such as Cash Threshold Reports and Suspicious Transaction Reports;
  • providing, securing, and improving the Claar platform;
  • complying with legal, regulatory, and court-ordered obligations.

4. Legal basis

We rely on the following grounds for processing in terms of section 11 of POPIA: consent (captured from data subjects before verification), performance of a contract, compliance with a legal obligation, and the legitimate interests of our customers and ourselves — provided those interests are not overridden by the rights of the data subject.

5. Sharing and cross-border transfers

We share personal information with sub-processors strictly to deliver the service — for example identity verification providers (document authentication, liveness, sanctions and credit bureaus) and infrastructure providers. All sub-processors are bound by written agreements that impose confidentiality and security obligations consistent with POPIA. Where information is transferred outside South Africa, we ensure an adequate level of protection as contemplated by section 72 of POPIA.

A current list of named sub-processors, together with the categories of personal information each receives and the jurisdiction in which they process it, is available on our sub-processors page.

6. Retention

Personal information processed for FICA purposes is retained for at least five years from the date the business relationship ends or the single transaction is concluded, as required by section 23 of FICA. Other categories are retained only for as long as necessary for the purpose collected or as required by law.

7. Security

We apply appropriate technical and organisational measures to safeguard personal information, including encryption in transit and at rest, least-privilege access controls, full audit logging, and ongoing security reviews. We notify affected parties and the Information Regulator promptly in the event of a security compromise involving personal information.

8. Your rights

Data subjects have the right under POPIA to:

  • request confirmation of, and access to, personal information we hold;
  • request correction or deletion of personal information that is inaccurate, irrelevant, excessive, or out of date;
  • object to processing and to the use of personal information for direct marketing;
  • submit a complaint to the Information Regulator.

Requests may be submitted to the Information Officer using the contact details in section 10. We respond within the period required by POPIA.

9. Cookies and analytics

The Claar platform uses strictly necessary cookies to maintain sessions and limited first-party analytics to monitor reliability. No third-party advertising trackers are used.

10. Information Officer and contact

Our Information Officer can be contacted at privacy@claar.co.za. For general enquiries contact info@claar.co.za. The Information Regulator (South Africa) can be contacted at inforegulator.org.za.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Material changes will be communicated via the platform.