Privacy Policy

Privacy Policy

Digi Ex Pro (Pty) Ltd — Crypto Asset Service Provider

Digi Ex Pro (Pty) Ltd — Privacy Notice (South Africa)

Last revision: 28 May 2026

1. Scope

This Privacy Notice explains how Digi Ex Pro (Pty) Ltd processes personal information when you visit our website, create an account, use our services (including any crypto-asset exchange, transfer, custody or related services we offer), contact us, or otherwise interact with us online. It explains your rights under the Protection of Personal Information Act 4 of 2013 (POPIA) and, where you are located in the European Union or the European Economic Area (EEA), the additional rights you have under the EU General Data Protection Regulation (GDPR). Because the Company predominantly serves clients outside South Africa, this Notice is written to operate under South African law while giving effect to equivalent protections for clients and data subjects abroad.

2. Responsible Party and contact details

For the purposes of POPIA, the Responsible Party (equivalent to the “data controller” under the GDPR) is:

Digi Ex Pro (Pty) Ltd, registration number 2023/150340/07, registered office at 1 Hood Avenue, Rosebank, Johannesburg, Gauteng, 2196, South Africa.

  • Information Officer / Data Protection contact: privacy@zione.com
  • General contact: support@zione.com

The Company’s Information Officer is registered with the Information Regulator (South Africa) in accordance with POPIA.

3. Categories of personal information we process

Depending on how you use our website and services, we may process:

  • Identification and contact data: name, e-mail address, telephone number, residential or business address, date of birth, nationality and identity- or passport-document data.
  • Account and service data: username, account identifiers, settings, support tickets and communication history.
  • Transaction and financial data: transaction identifiers, crypto-asset wallet addresses, deposit and withdrawal details, payment references, bank-account details and related records.
  • KYC/AML data: identity-verification results, source-of-funds and source-of-wealth information, and politically-exposed-person and sanctions-screening results, as required by the Financial Intelligence Centre Act 38 of 2001 (“FIC Act”).
  • Technical and usage data: IP address, device identifiers, browser type, operating system, referrer URL, timestamps and similar log data.
  • Cookies / analytics data: identifiers and events collected via cookies or similar technologies (only where you have consented to non-essential cookies — see Section 9).

4. Purposes and lawful bases of processing

We process personal information for the following purposes, relying on the justifications for lawful processing in section 11 of POPIA (and, for EU/EEA data subjects, the corresponding lawful bases in Article 6 of the GDPR):

4.1 Website operation and security. To operate the website, ensure information security, prevent fraud and abuse, and maintain logs — based on our legitimate interests (POPIA s11(1)(f); GDPR Art 6(1)(f)).

4.2 Account creation and service delivery. To create and manage your account, provide our services, process your requests and instructions, provide support and communicate service updates — necessary for the conclusion or performance of a contract with you (POPIA s11(1)(b); GDPR Art 6(1)(b)).

4.3 Legal and regulatory compliance (including AML/CFT). To comply with our legal obligations — including the FIC Act, the Financial Advisory and Intermediary Services Act 37 of 2002 (“FAIS Act”), tax and accounting law, and sanctions obligations — to respond to lawful requests by competent authorities, and to keep records required by law (POPIA s11(1)(c); GDPR Art 6(1)(c)).

4.4 Communication and handling enquiries. To respond to messages, process complaints and maintain correspondence — based on contract or our legitimate interests, depending on the context.

4.5 Analytics and improving our website (consent only). To understand website performance and usage in order to improve it — based on your consent (POPIA s11(1)(a); GDPR Art 6(1)(a)). You may withdraw consent at any time (Section 9).

4.6 Direct marketing. To send newsletters or marketing communications — based on your consent, in accordance with section 69 of POPIA (and, for electronic marketing, the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) and the Consumer Protection Act 68 of 2008 (“CPA”)).

5. Special personal information and children

We do not seek to collect special personal information (as defined in POPIA) unless it is necessary and permitted by law. We do not knowingly process the personal information of children (persons under 18); our services are available only to persons aged 18 or older.

6. Whether providing personal information is mandatory

Some personal information is required to provide the services and to meet our legal obligations (for example, account, transaction and KYC/AML data). If you do not provide it, we may be unable to open an account, complete a transaction, or continue a business relationship. Where processing is based on consent, providing the information is voluntary and you may withdraw consent at any time without affecting processing carried out before the withdrawal.

7. Recipients of personal information (operators and third parties)

We may share personal information with:

  • Operators (processors) that support us — including hosting, IT and security providers, customer-support tools, analytics providers (where consent applies), e-mail/SMS delivery, electronic identity-verification and sanctions/PEP screening providers (for example Ondato UAB), and blockchain-analytics providers (for example Elliptic).
  • Professional advisers (lawyers, auditors) where necessary.
  • Competent authorities and law enforcement — including the Financial Intelligence Centre, the Financial Sector Conduct Authority and the South African Revenue Service — where we are legally required to disclose information or to protect our rights.

We require operators to process personal information only on our written instructions and to apply appropriate, reasonable security safeguards, in accordance with sections 20–21 of POPIA.

8. Cross-border transfers of personal information

Because we serve clients outside South Africa and use international service providers, personal information may be transferred to, or processed in, countries outside South Africa (and outside the EEA), including the European Union and the United States. Where we transfer personal information across borders, we do so in accordance with section 72 of POPIA — that is, only where the recipient is subject to a law, binding corporate rules or a binding agreement providing an adequate level of protection, where you have consented, or where the transfer is necessary for the performance or conclusion of a contract in your interest. For transfers of EU/EEA personal data, we additionally rely on an adequacy decision or the European Commission’s Standard Contractual Clauses (SCCs), together with appropriate supplementary safeguards. You may request further information about the safeguards applied to a specific transfer using the contact details in Section 2.

9. Cookies and similar technologies

9.1 Strictly necessary cookies. These are required for the website to function (for example, security and session management) and do not require consent.

9.2 Analytics cookies (consent only). We use analytics tools (for example Google Analytics 4) to understand how users interact with our website, and these are enabled only if you consent through our cookie banner / consent-management platform. If you do not consent, analytics cookies are not set.

9.3 Managing consent. Our cookie banner allows you to accept, reject or customise non-essential cookies, and you can change your preferences at any time via the cookie-settings link on our website. Withdrawing consent does not affect processing carried out before the withdrawal. You may also manage cookies through your browser settings; blocking strictly necessary cookies may affect website functionality. The use of cookies and similar technologies is consistent with POPIA and ECTA.

10. Server logs and IP addresses

When you visit our website, we (or our hosting provider) process server logs such as IP address, timestamps, device and browser information, and the pages requested. We use this to operate the website, maintain security, prevent abuse and troubleshoot incidents, based on our legitimate interests.

11. Retention of personal information

We keep personal information only for as long as necessary for the purposes described above and as required by law, including:

  • Website / server logs: up to 90 days, unless required longer for a security investigation.
  • Account data: for the duration of the account and afterwards as required for legal compliance and dispute handling.
  • Support communications: up to 5 years, depending on the nature of the enquiry and applicable prescription periods.
  • KYC/AML and transaction records: for at least 5 years after the end of the business relationship or the conclusion of a transaction, as required by sections 22–24 of the FIC Act, and longer where required for proceedings or audits.

Retention is applied in accordance with section 14 of POPIA.

12. Security safeguards and breach notification

In accordance with sections 19–22 of POPIA, we maintain appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information and to prevent loss, damage, unauthorised access or processing. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with section 22 of POPIA.

13. Your rights

Under POPIA (and, for EU/EEA data subjects, the GDPR) you have the right to:

  • request access to the personal information we hold about you, and details of third parties who have had access to it (POPIA s23; s11(3) of PAIA where applicable);
  • request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained (POPIA s24);
  • object, on reasonable grounds, to the processing of your personal information (POPIA s11(3));
  • withdraw consent where processing is based on consent;
  • request erasure or destruction of personal information that we are no longer authorised to retain; and
  • (for EU/EEA data subjects) the additional GDPR rights of restriction of processing and data portability.

You can exercise your rights using the contact details in Section 2. We may need to verify your identity before responding.

14. Direct marketing

We will send you electronic direct marketing only where you have consented or as otherwise permitted by section 69 of POPIA, ECTA and the CPA. You may opt out of direct marketing at any time, free of charge, using the unsubscribe mechanism in the communication or by contacting us.

15. Right to lodge a complaint (Information Regulator)

If you believe that we have processed your personal information in breach of POPIA, you have the right to lodge a complaint with the Information Regulator (South Africa):

  • Information Regulator (South Africa), JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 (P.O. Box 31533, Braamfontein, 2017).
  • Complaints e-mail: POPIAComplaints@inforegulator.org.za (complaints are submitted in writing, using POPIA Form 5).
  • General enquiries: enquiries@inforegulator.org.za

If you are an EU/EEA data subject, you may also lodge a complaint with the supervisory authority in your country of residence.

16. Automated decision-making and profiling

In accordance with section 71 of POPIA, we do not make decisions based solely on the automated processing of your personal information that result in legal consequences for you or that substantially affect you, unless this is necessary for entering into or performing a contract, is authorised by law, or is based on your consent. Where we use automated checks (for example, fraud, sanctions or compliance screening), we apply appropriate safeguards and allow you to request human review where required by law.

17. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. The latest version will be published on our website with the revision date shown above.