Privacy Policy — Startup Bank
Thank you for trusting Startup Bank (“we”, “our”, “us”) with your information. We are committed to protecting the privacy and security of the people and businesses that use our services. This Privacy Policy explains what personal and business information we collect, why we collect it, how we use and share it, the safeguards we apply, your rights, and how you can contact us.
This policy is written with South African law in mind (including the Protection of Personal Information Act, “POPIA”), applicable financial-sector rules (including FICA and Financial Intelligence Centre Act obligations), and international standards where relevant. It covers our web properties, online and mobile applications, the Banking-as-a-Service (BaaS) platform, investor matchmaking services, invoice-financing marketplace, and any offline services we provide.
1. Scope & who we are
Startup Bank provides a community and platform where startups, investors and financial-service providers meet. Our offerings include:
- BaaS (cohort accounts, virtual cards, disbursement tooling for accelerators and hubs)
- AI-powered invoice financing and receivables marketplace
- FX/hedging tools for exporters and importers
- Investor matchmaking, cap-table tools and SPV syndication services
- Educational programming (AI CFO clinics, chapter meetups), events and content
This Privacy Policy applies to any personal or business information we collect when you:
- Register for an account, apply to a programme, or use our platform;
- Submit information as a founder, investor, accelerator partner, supplier or beneficiary;
- Attend an event, demo or clinic; or
- Interact with our marketing, surveys or support channels.
Where we act as a data processor for a partner (for example, when we host cohort funds on behalf of an accelerator), the contractual terms with that partner will supplement this policy. Where we are a controller, this policy sets out our responsibilities.
2. Information we collect
We collect information that is necessary to provide our services, comply with law, and improve our platform. Information falls into several categories:
2.1 Identity & contact information
- Full name, preferred name, date of birth (where required), job title, company name, registration number, company address, personal and business email addresses, phone numbers, postal address.
2.2 Identity verification / KYC / compliance information
To comply with FICA and anti-money-laundering rules we collect:
- South African ID numbers or passport numbers, national identity documents, proof of address (utility bill, bank statement), company ownership documents, directors’ information, tax numbers.
- Where required, biometric data or photos for ID verification (face match), and copies of identity documents.
2.3 Financial & transactional data
- Bank account numbers, account names, transaction histories, bank statements, payment receipts, invoices, credit facilities, lending terms, FX trades, virtual card transactions and ledger information required for cohort disbursements, invoice-finance underwriting and reconciliation.
2.4 Business & operational information
- Business plans, pitch decks, revenue figures, monthly burn, contracts, customer lists, invoices and financial forecasts (e.g. 13-week cash forecast) used for underwriting and investor matchmaking.
2.5 Usage, device & technical data
- IP address, device identifiers, browser type, operating system, pages visited, session times, cookies, analytics data and performance logs for security, optimisation and fraud detection.
2.6 Communications & support data
- Emails, chat transcripts, support tickets, feedback, meeting notes, event registrations and recordings (where attendees give consent).
2.7 Sensitive personal information
We avoid collecting sensitive personal information unless necessary. Where we do (for regulatory checks or compliance), it may include:
- Criminal records, sanction/PEP status, credit history, or other data required by law or to assess risk.
We will only process sensitive information with an explicit legal basis, stronger safeguards and, where required, explicit consent.
3. Where we collect data from
We collect data:
- Directly from you (signup forms, account registration, uploads).
- From your organisation, employer, accelerator or hub (when they create cohort accounts).
- From third-party providers: identity-verification vendors, credit-reference agencies, payment processors, accounting systems (Xero / QuickBooks / Sage) where you authorise a connection, and data providers for PEP/sanctions screening.
- From public sources (company registries) and partner referrals.
- From your device and our servers (logs, cookies, analytics).
4. Why we collect and lawful bases
We collect and process data for the following purposes:
Service delivery & contract performance
- To open accounts, execute payments, manage cohort disbursements, issue virtual cards, run exchange and hedging operations, perform reconciliations, and deliver the services you request. (Legal basis: performance of a contract.)
Regulatory compliance
- To comply with FICA, the Financial Intelligence Centre Act and other legal or regulatory obligations, including KYC checks, STR reporting, record retention and cooperation with regulators. (Legal basis: legal obligation.)
Underwriting & risk management
- To evaluate invoice finance advances, credit and liquidity facilities, and to make responsible credit and risk decisions. We use a combination of automated underwriting and human review. (Legal basis: legitimate interests and contractual necessity.)
Investor matchmaking & capital formation
- To match founders with investors, provide cap-table tools and enable SPV formation. We share limited data with prospective investors under confidentiality and consent mechanisms. (Legal basis: consent & legitimate interests.)
Security, fraud prevention & dispute resolution
- To detect, investigate and prevent fraud, money laundering and security incidents. (Legal basis: legitimate interests & legal obligation.)
Product improvement & research
- To analyse product usage, troubleshoot issues, enhance features and measure impact, including aggregated and anonymised analytics. (Legal basis: legitimate interests.)
Marketing & community engagement
- With your consent, to send newsletters, event invitations and relevant offers. You can opt out at any time. (Legal basis: consent.)
5. How we use automated decisions & AI
We use AI and automated models for:
- Invoice underwriting, cash-flow scoring and credit risk assessments;
- Personalised product suggestions and FX/hedging recommendations.
We aim for explainability. If an automated decision materially affects you (e.g., credit declined or underwriting terms applied), you can request a human review and an explanation of the main factors that contributed to the decision. We maintain logs for model inputs and outputs for auditability. If you believe an automated decision is unfair, contact our Information Officer (details below).
6. Sharing & disclosure
We do not sell your personal data. We share data only where necessary:
Service providers & processors
- Payment processors, banks, PSPs, KYC/identity-verification vendors, cloud hosts, analytics providers, CRM/email platforms, accounting connectors and audit providers. We contractually require processors to maintain confidentiality and appropriate safeguards.
Investors & partners (by consent)
- With your explicit consent, we share selected business and financial information with vetted investors, potential pilot partners or grantors during matchmaking. You control what is shared and can revoke consent.
Regulators & law enforcement
- Where legally required, we disclose information to the Financial Intelligence Centre, South African Revenue Service, law enforcement or other authorities.
Corporate transactions
- If we reorganise, merge or are acquired, customer information may be transferred to successor entities under similar protections.
7. International transfers
We may transfer data to service providers or investors outside South Africa. Where data leaves South Africa, we implement safeguards required by POPIA and applicable law — for example contractual protections, encryption, and where possible hosting in jurisdictions with adequate protections. If you have concerns about transfers, contact our Information Officer.
8. Retention policy
We retain personal and business data only as long as necessary for the purpose collected, and in accordance with legal obligations:
- KYC, transaction and audit records: minimum 5 years (or longer where law requires).
- Account and contractual records: for the duration of the contract plus statutory retention periods.
- Marketing data: until you withdraw consent or unsubscribe.
- Anonymised/aggregated data: retained as needed for analytics.
When data is no longer required we securely delete or anonymise it.
9. Security measures
We deploy organisational, technical and physical controls to protect data:
- Encryption in transit (TLS) and at rest (AES-256 where supported).
- Role-based access control, multi-factor authentication for admin access and least privilege principles.
- Secure development lifecycle, penetration testing, and regular security audits.
- Incident response plan and logged audit trails.
- SOC2 readiness and ISO 27001 alignment roadmap.
While we strive to protect your data, no system is 100% secure. If a personal-data breach occurs we will assess and notify affected data subjects and regulators where required by law.
10. Your rights under POPIA and how to exercise them
POPIA gives data subjects various rights. Where applicable you may:
- Right to be informed: Ask for information about the processing of your personal data (this policy is an example).
- Right to access: Request a copy of personal data we hold about you.
- Right to correction: Ask us to correct inaccurate or incomplete data.
- Right to object / withdraw consent: Withdraw consent to direct marketing or other consent-based processing.
- Right to deletion / restriction: Request deletion or restriction of processing where legal grounds permit.
- Right to complain: Lodge a complaint with the Information Regulator of South Africa (contact details on the Regulator’s website).
How to make a request: Contact our Information Officer (details below). We will respond in accordance with POPIA and applicable timelines. We may request proof of identity and may charge a reasonable fee for vexatious or manifestly unfounded requests if permitted by law.
11. Children & minors
We do not knowingly collect personal information from children under 18 without verified parental or guardian consent. If you believe we have collected a child’s data without consent, contact us immediately and we will take steps to delete it.
12. Cookies & tracking technologies
We use cookies and similar technologies on our website and apps for:
- Essential functionality (session management).
- Analytics (to improve performance).
- Advertising and marketing (where you have consented).
You can manage cookie preferences through our cookie banner or your browser settings. Blocking certain cookies may affect functionality.
13. Marketing communications
Where we ask for permission, we will send relevant communications about events, products and services. You may opt out at any time via unsubscribe links in emails or by contacting our Information Officer. We will not share your contact details for third-party marketing without your consent.
14. Third-party links
Our site or apps may link to third-party sites or services. This policy does not apply to those services. Please review the privacy notices of any third parties you visit.
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in law, our services or technology. Material changes will be communicated by prominent notice, email to registered users and an updated effective date on this page.
16. Contact, Information Officer & complaints
If you have questions, requests, or wish to withdraw consent, contact:
Information Officer / Data Protection Officer (DPO)
Email: hello@startupbank.co.za
If you remain dissatisfied after contacting us, you have the right to lodge a complaint with the Information Regulator of South Africa: https://inforegulator.org.za/
17. Practical examples & specifics (how we apply this policy in practice)
KYC & FICA
For account opening and money-laundering prevention we collect identity documents and proof-of-address. We retain these records for at least five years and share them where legally required with the Financial Intelligence Centre.
Invoice financing & underwriting
When you connect your accounting system we ingest invoices and bank feeds (with your permission). We use this data for automated underwriting and risk scoring; decisions can be reviewed on request. We do not sell invoice-level data; if matched to investors in our receivables marketplace that sharing is explicit and consented.
Investor matchmaking & SPVs
If you opt into investor matchmaking we share selected company and financial data with vetted investors under confidentiality. SPV and cap-table services require additional identity and banking information for legal and payment flows; those flows are processed through regulated payment partners.
Cohort BaaS
Accelerators using our BaaS provide beneficiary lists and disbursement instructions. We act as processor for the accelerator for those disbursement flows and maintain audit trails for compliance.
18. Data minimisation & transparency
We limit data collection to what is necessary for the stated purpose and aim for transparency: where we ask for information we will explain why and for how long it will be kept. We encourage you to share only what is necessary and to keep your profile and documents up to date.
19. International users
If you are located outside South Africa, note that your data may be processed in South Africa or other jurisdictions. We will respect applicable data-protection laws and take appropriate safeguards for international transfers.
Thank you for reading. We are committed to protecting your privacy while helping startups access capital and services responsibly. If you would like a machine-readable copy, an accessibility-friendly version or have specific compliance questions, contact hello@startupbank.co.za.