Privacy Policy
This Privacy Policy explains how BitWealth Asset Managers (Pty) Ltd ("BitWealth", "we", "us") collects, uses, shares and protects your personal information when you visit our website, register for and use the BitWealth Service. It is issued in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and forms part of our Terms of Service.
1. Responsible Party and Information Officer
The responsible party for purposes of POPIA is:
BitWealth Asset Managers (Pty) Ltd
Registration No. 2026/090346/07
Information Officer: Davin Gaier
Email: davin.gaier@bitwealth.co.za
Support: support@bitwealth.co.za
2. Personal Information We Collect
We collect the following categories of personal information:
| Category | Examples |
|---|---|
| Identity data | Full name, date of birth, ID number or passport number, photograph of ID document, residential address. |
| Contact data | Email address, mobile number. |
| Account data | Login credentials (passwords are stored only in hashed form), session metadata, IP address, browser/device fingerprint, customer portal preferences. |
| Financial data | VALR account ID, VALR API Key (read/trade scope only), historical trades and balances obtained from VALR, bank account details where you supply them for support purposes. |
| Trading data | Strategy selections, order intents and fills, statements, fee accruals, performance reporting. |
| Communications | Support tickets, replies, attachments, contact-form submissions, email correspondence. |
| Usage data | Pages viewed, features used, error logs, security and audit logs. |
Where we ask you to provide personal information voluntarily and you decline, we may be unable to provide the Service to you.
3. How We Collect Personal Information
We collect personal information directly from you (registration, KYC, support tickets, contact forms), automatically through your interaction with the Service (logs, cookies, security telemetry), and from third parties (VALR, identity verification providers, sanctions and PEP screening providers, public sources, regulators).
4. Lawful Basis and Purpose of Processing
We process your personal information on the following POPIA grounds:
- Performance of a contract — to provide the Service, execute trades on your behalf via VALR, generate statements, charge fees and respond to support requests.
- Legal obligation — to perform KYC and AML checks, retain records, and respond to lawful requests from regulators or law enforcement.
- Legitimate interest — to secure our systems, prevent fraud, improve the Service, and conduct internal analytics in aggregated form.
- Consent — for optional marketing communications and any non-essential cookies.
5. Sharing With Third Parties (Operators)
We share personal information only with operators who are contractually bound to process it on our instructions and to apply appropriate security safeguards. The current operators are:
| Operator | Function | Data shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication and edge-function hosting | All account, trading and communication data | United States / European Union |
| VALR (Pty) Ltd | Cryptocurrency exchange execution | VALR account ID, API Key, order instructions | South Africa |
| Browserless.io | Server-side PDF rendering of statements | Statement HTML (which may contain identity, trade and balance data) for the duration of the render | United States |
| Netlify Inc. | Web hosting and CDN for the public website and customer portal | HTTP request metadata, IP, user-agent | Global edge network |
| Google LLC (reCAPTCHA) | Bot protection on public forms | IP address, user-agent, interaction signals | United States |
We may also share personal information with our professional advisors (auditors, attorneys), with regulators when lawfully required, and with successors-in-interest in the event of a merger, acquisition or sale of assets (subject to equivalent privacy commitments).
We do not sell your personal information to third parties.
6. Cross-Border Transfers
Some of our operators are located outside South Africa. When personal information is transferred across borders we ensure that the recipient is bound by adequate data-protection safeguards (such as the operator's binding corporate rules, recognised certifications, or equivalent contractual measures), as required by section 72 of POPIA.
7. Security Safeguards
We apply appropriate, reasonable technical and organisational measures to protect personal information, including:
- Encrypted transport (HTTPS/TLS 1.2+) for all browser and API traffic;
- Encryption at rest for the production database;
- Hashed and salted password storage (passwords are never stored in plain text);
- Row-level security and per-organisation access policies inside the database;
- Strict separation of customer data via per-customer VALR subaccounts;
- Service-role API keys held only in server-side secrets, never exposed to the browser;
- Automated alerting for suspicious activity, failed logins and anomalous trades;
- Regular reviews of operator access and credential rotation.
Despite these measures, no online service can be guaranteed to be 100% secure. You are responsible for keeping your password and VALR credentials confidential.
8. Retention
We retain personal information for as long as necessary to provide the Service and to comply with our legal, accounting and reporting obligations. In particular:
- KYC records and AML documentation are retained for at least 5 (five) years after the end of the customer relationship, as required by the Financial Intelligence Centre Act 38 of 2001;
- Trading, statement and accounting records are retained for at least 5 (five) years from the relevant tax year;
- Support correspondence is retained for at least 24 (twenty-four) months after closure of the ticket;
- Security and audit logs are retained for at least 12 (twelve) months.
When personal information is no longer required and we are not legally obliged to retain it, we will securely delete or anonymise it.
9. Your Rights as a Data Subject
You have the following rights under POPIA:
- To be notified that your personal information is being collected;
- To access the personal information we hold about you;
- To request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or unlawfully obtained personal information;
- To object, on reasonable grounds, to the processing of your personal information;
- To object to direct marketing and to withdraw your consent at any time;
- To lodge a complaint with the Information Regulator (see clause 12).
To exercise any of these rights, email our Information Officer at davin.gaier@bitwealth.co.za. We may need to verify your identity before actioning a request and we will respond within the time periods required by POPIA.
10. Cookies and Tracking
We use a small number of cookies and similar technologies that are strictly necessary for authentication, session management and security (including reCAPTCHA bot protection). We do not currently use third-party advertising or behavioural tracking cookies. If we introduce optional analytics cookies in future, we will ask for your consent first.
11. Children
The Service is not intended for and may not be used by persons under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact our Information Officer so we can delete it.
12. Complaints to the Information Regulator
If you are not satisfied with the way we handle your personal information, you may lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg 2191
Tel: 010 023 5200 · Toll-free: 0800 017 160
General enquiries: enquiries@inforegulator.org.za
POPIA complaints: POPIAComplaints@inforegulator.org.za
Website: https://inforegulator.org.za
13. Changes to this Policy
We may update this Privacy Policy from time to time. The latest version will always be published at bitwealth.co.za/legal/privacy-policy.html. Material changes will be notified to you by email or via the customer portal at least 14 (fourteen) days before they take effect.
14. Contact
For any privacy-related question, request or complaint, contact:
BitWealth Asset Managers (Pty) Ltd
Information Officer: Davin Gaier
Email: davin.gaier@bitwealth.co.za