Privacy Policy
Effective Date: November 28, 2025
Company: Online Fingerprint Authentication (Pty) Ltd (“Onfinga”)
Jurisdiction: Republic of South Africa | Global (GDPR, CCPA compliant)
1. Who We Are
Online Fingerprint Authentication (Pty) Ltd (“Onfinga”, “we”, “our”, “us”) provides a transaction verification service that enables online retailers to record consumer authorization, reduce fraud, and respond to chargeback disputes. We do not process payments or store card data.
This Privacy Policy explains how we handle data in connection with our services, in line with applicable privacy laws including the Protection of Personal Information Act (POPIA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
2. What Data We Collect
A. Retailer (Merchant) Data
We collect limited information when a merchant signs up for and uses Onfinga:
- Business name and contact person
- Business email address
- API credentials (e.g. merchantId, merchantSecret)
- Account activity and logs
- Billing and invoice information
- Optional support messages or technical requests
B. Consumer Metadata (End-User)
We do not collect personal information from end users (buyers). We process only non-identifiable metadata, supplied by the merchant, such as:
- verifyId or checkoutId
- Transaction amount and currency
- Timestamp of user interaction
- Randomized session identifier
- Browser or device metadata (non-identifying)
- Outcome of biometric/passkey verification (success/fail)
We do not collect or store:
- Names, emails, or phone numbers
- ID numbers or addresses
- Card or payment data
- Biometric templates
- Any personally identifiable information
3. Delivery Data (via Delivery Shield)
Merchants using the optional Delivery Shield feature may submit delivery records including:
- Courier tracking numbers
- Proof-of-delivery events
- Delivery timestamps
- Signature or POD metadata
- Delivery address (for match verification only)
This information is:
- Supplied by the merchant
- Used only to assist in fraud and dispute investigations
- Not accessed or shared without merchant request or legal obligation
4. How We Use Data
We use collected data to:
- Operate the Onfinga platform
- Authenticate transaction verifications
- Provide logs and reporting to retailers
- Assist with dispute evidence packs
- Comply with legal and financial retention requirements
We do not use data for:
- Advertising or profiling
- Reselling or sharing with data brokers
- Unrelated analytics or AI training
5. Legal Basis for Processing (GDPR & POPIA)
Data Type | Purpose | Legal Basis
- Retailer contact and account data — To deliver and support the service — Contractual necessity (GDPR Art. 6(1)(b)) / Responsible Party (POPIA)
- Metadata and device logs — To verify transactions and prevent fraud — Legitimate interest (GDPR Art. 6(1)(f)) / Operator (POPIA)
- Delivery Shield submissions — Support for chargeback defense — Merchant-controlled (you remain the Responsible Party)
6. Data Storage & Retention
Data Type | Retention Period
- Verification logs — 12 months
- Transaction metadata — 18–24 months
- Retailer account data — Account lifetime + 24 months
- Billing & invoices — 5 years (tax/legal compliance)
- Delivery Shield metadata — 18 months or as requested by merchant
All data is stored on encrypted infrastructure hosted by Google Cloud Platform and protected via role-based access control, audit logs, and encrypted at rest & in transit.
7. Your Rights
A. Under POPIA (South Africa):
- Right to access personal information
- Right to request correction or deletion
- Right to object to processing
- Right to withdraw consent (where applicable)
B. Under GDPR (European Union):
- Right to access and portability
- Right to rectify inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to object or restrict processing
- Right to lodge a complaint with a Data Protection Authority
C. Under CCPA (California):
- Right to know what data is collected
- Right to access and delete data
- Right to opt-out of data “sales” (we don’t sell data)
- Right to non-discrimination for exercising these rights
To exercise your rights, contact: 📧 support@onfinga.net
8. Data Security
We apply modern security measures to all data processed, including:
- TLS encryption for all transmissions
- API key and secret rotation
- Role-based access control
- IP-based logging and anomaly detection
- Serverless compute isolation (Cloud Run)
- No persistent biometric or card data stored
9. Subprocessors and International Transfers
We use the following subprocessors:
- Google Cloud Platform (GCP) – infrastructure & hosting
- Cloudflare – DNS and edge network
All data transfers comply with:
- Standard Contractual Clauses (GDPR)
- POPIA Section 72 (cross-border transfers)
We do not transfer personal data to any jurisdiction without equivalent protection.
10. Children's Data
Onfinga is not intended for use by children under 18. We do not knowingly collect data from minors or permit use of our service by individuals under legal age without merchant oversight.
11. Changes to This Policy
We may update this Privacy Policy periodically. Merchants will be notified of material changes via email or dashboard notice. Continued use of Onfinga after notice constitutes acceptance of changes.
12. Contact Us
For privacy questions or concerns:
Data Privacy Contact
📧 support@onfinga.net
Online Fingerprint Authentication (Pty) Ltd
Western Cape, South Africa