Privacy Policy
Last updated: 28 April 2026
POPIA Compliance
EvenSteven is committed to protecting your personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa. This policy explains how we collect, use, store, and protect your data.
1. Responsible Party
The responsible party for the processing of your personal information is:
EvenSteven (Pty) Ltd
Republic of South Africa
Email: privacy@evensteven.co.za
You may contact our Information Officer at the email above for any POPIA-related queries or requests.
2. Information We Collect
We collect the following personal information when you use EvenSteven:
- Full name, email address, phone number, and username (provided during registration).
- Profile avatar selection.
- Transaction history (amounts, dates, recipients) generated through your use of the App.
- Device information (device model, operating system) for security and support purposes.
- Push notification tokens for delivering notifications.
- Group expense data (amounts, descriptions, member shares) when you use EvenUp.
- Notes attached to money requests (user-provided text, max 200 characters).
We do NOT collect or store:
- Bank card numbers, CVVs, or PINs.
- Bank account passwords or login credentials.
- Biometric data (processed locally on your device only).
- Location data — we do not track your geographic location.
3. Device Permissions
The App may request the following device permissions:
- Camera — used for profile avatar capture and receipt scanning (EvenUp expense splitting). Photos are transmitted to our servers for processing and are not used for any other purpose.
- Contacts — used during the "Find Friends" onboarding step. Phone numbers from your contact list are normalised and matched against our user directory to identify existing EvenSteven users. We do not store your full contact list on our servers. Contact matching is used solely to help you find friends on the platform.
You can revoke these permissions at any time through your device's settings. Revoking permissions may limit certain features but will not affect core payment functionality.
4. Receipt Images
When you scan a receipt to split an expense in EvenUp, the receipt image is transmitted to EvenSteven's servers and processed by EvenSteven and/or its sub-processors for the sole purpose of extracting line items, totals, and merchant information.
- Receipt images are retained only for as long as necessary to complete the expense-splitting workflow and are then deleted.
- We do not use receipt images for marketing, training AI models, or any purpose unrelated to expense extraction.
- You may review and delete expenses (including associated receipt data) from within the App.
5. No Storage of Banking or Card Details
EvenSteven does not store, process, or have access to your full banking or card details. All payment information is handled exclusively by Paystack, our PCI-DSS compliant payment processor.
What Paystack stores (not us):
- Tokenised card references for recurring payments.
- Bank account details for settlement.
What EvenSteven stores:
- A masked card reference (e.g., "•••• 4242") for display purposes only.
- Paystack authorisation codes (tokens) — these cannot be used to retrieve your card details.
Your sensitive financial information never touches our servers.
6. Purpose of Processing (POPIA Section 13)
We process your personal information for the following lawful purposes:
- To create and manage your EvenSteven account.
- To facilitate peer-to-peer payment transactions and money requests.
- To enable group expense tracking and bill-splitting (EvenUp).
- To process receipt images for expense extraction.
- To verify your identity and prevent fraud.
- To communicate with you about your account, transactions, and service updates.
- To send transactional and service-related push notifications.
- To comply with legal and regulatory obligations.
- To improve our services and user experience.
We will not use your information for any purpose other than those stated above without your explicit consent.
7. Lawful Basis for Processing
Under POPIA, we process your information based on:
- Consent — you provide consent when you register and agree to these terms.
- Contract — processing is necessary to provide you with the EvenSteven service.
- Legal obligation — we may be required to process data for regulatory compliance.
- Legitimate interest — for fraud prevention and service improvement.
8. Third-Party Data Processors
EvenSteven uses the following third-party data processors. Each processor is contractually bound to handle your data only for the stated purpose and in compliance with applicable data protection law:
- Paystack (Paystack Payments Limited) — payment processing and card tokenisation. Your card and bank details are handled exclusively by Paystack's PCI-DSS compliant infrastructure. Privacy policy: paystack.com/privacy/policy
- Anthropic, PBC — AI-powered receipt scanning. When you scan a receipt in EvenUp, the receipt image is sent to Anthropic's Claude Vision API solely to extract line items, totals, and merchant information. Anthropic processes only the image content required for extraction and does not use it to train models. Privacy policy: anthropic.com/privacy
- Google Firebase (Google LLC) — push notification delivery via Firebase Cloud Messaging (FCM). Your device push token is shared with Firebase solely to deliver transactional and service notifications to your device. Firebase does not receive the content of your transactions. Privacy policy: firebase.google.com/support/privacy
- Google Analytics 4 (Google LLC) — anonymous website usage analytics on evensteven.co.za. We use Google Analytics to understand aggregate traffic patterns, page views, and referral sources so we can improve the website. Google Analytics sets cookies and processes pseudonymous identifiers (such as a randomly generated client ID) and approximate location derived from your IP address. We have IP anonymisation enabled by default in GA4 and do not link analytics data to your EvenSteven account. Privacy policy: policies.google.com/privacy
9. Third-Party Sharing
Beyond the data processors listed above, we share your personal information only with:
- Law enforcement — when legally required or to prevent fraud.
We do NOT sell, rent, or trade your personal information to any third party for marketing purposes.
10. Data Retention
We retain your personal information only as long as necessary:
- Account data — for the duration of your account plus 5 years (as required by South African financial regulations).
- Transaction records — 5 years from the date of the transaction.
- Communication records — 2 years.
- Receipt images — deleted after expense extraction is complete.
You may request deletion of your account and data at any time (see your rights below).
11. Your Rights Under POPIA
As a data subject, you have the right to:
- Access — request a copy of your personal information we hold.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal information (subject to legal retention requirements).
- Objection — object to the processing of your information.
- Restriction — request that we limit how we use your data.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — withdraw your consent at any time.
To exercise any of these rights — including requesting full account deletion — email privacy@evensteven.co.za. We will respond within 30 days.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal information:
- All data transmitted between the App and our servers is encrypted using TLS 1.2+.
- Passwords are hashed using industry-standard algorithms (never stored in plain text).
- JWT tokens have short expiry times (15 minutes) with secure refresh mechanisms.
- Two-factor authentication is available for additional account security.
- Biometric authentication is processed locally on your device.
13. Push Notifications
EvenSteven uses push notifications to deliver timely information about your account:
- Transactional notifications — payment confirmations, money requests, dispute updates, friend requests, and settlement alerts.
- Service announcements — new features, maintenance windows, and important platform updates sent by our team.
Push notification tokens (device identifiers) are stored solely for notification delivery and are not shared with third parties. You can disable non-essential notifications through your device's operating system settings.
14. Cookies & Tracking
The EvenSteven mobile app does not use cookies. We do not use third-party analytics or advertising trackers.
15. Children's Privacy
EvenSteven is not intended for persons under 18 years of age. We do not knowingly collect personal information from children. If you believe a minor has provided us with personal information, please contact us immediately.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the App or email. Continued use of EvenSteven after changes constitutes acceptance.
17. Complaints
If you are not satisfied with how we handle your personal information, you may lodge a complaint with:
- EvenSteven: privacy@evensteven.co.za
- The Information Regulator (South Africa):
  Website: www.justice.gov.za/inforeg
  Email: enquiries@inforegulator.org.za
18. Contact Us
For any privacy or POPIA-related queries:
Email: privacy@evensteven.co.za
General support: support@evensteven.co.za