Legal

Privacy Policy

Last updated: .

This Privacy Policy explains how Alchemy Digital Cloud (Pty) Ltd ("we", "us", "our") collects, uses, stores, and protects personal information when you use the Loosh platform — including the loosh.app website, the Loosh mobile applications, and any related services (together, the "Service").

We are committed to handling your personal information in compliance with the Protection of Personal Information Act, 2013 ("POPIA"), the Promotion of Access to Information Act, 2000 ("PAIA"), and other applicable laws.

1. Who we are

Responsible party (POPIA terminology):

  • Alchemy Digital Cloud (Pty) Ltd
  • Registration number 2025/028829/07
  • D-U-N-S 567455153
  • Republic of South Africa
  • Contact: hello@loosh.app

2. What information we collect

To provide the Service we collect the following categories of personal information:

  • Identity information — full name, date of birth, identity number, proof of identity, proof of address, and selfie verification image. This is required by the Financial Intelligence Centre Act ("FICA") to verify the people who use the Service.
  • Contact information — your phone number and email address.
  • Financial information — your wallet balance, transaction history, top-up sources (last four digits of payment card; we do not store full card numbers), and bank account details you provide for withdrawals.
  • Device and usage information — device type, operating system, app version, IP address (used for fraud prevention), and basic interaction data.
  • Customer support information — any details you share when you contact us.

3. Why we collect it

We process personal information for the following purposes:

  • To verify your identity in compliance with FICA.
  • To enable you to send, receive, top up, and withdraw funds.
  • To prevent fraud, money laundering, and other illegal activity.
  • To comply with reporting obligations to the South African Reserve Bank, the Financial Intelligence Centre, and other regulators.
  • To respond to your support enquiries.
  • To improve the Service and develop new features.

4. How we use third-party processors

We share personal information with carefully selected service providers ("operators" under POPIA) who help us deliver the Service:

  • Supabase — for our database and authentication infrastructure.
  • Sumsub (or equivalent) — for KYC verification of identity documents and selfies.
  • Yoco — for processing card top-ups.
  • First National Bank — for executing withdrawals to your bank account.
  • Twilio — for SMS one-time passwords.
  • Resend (or equivalent) — for transactional email.
  • Apple Push Notification Service / Firebase Cloud Messaging — for mobile push notifications.
  • Sentry — for application error monitoring (with personal identifiers scrubbed from error reports).

Each operator is bound by contract to process your information only on our instructions and to keep it secure. We do not sell personal information to anyone.

5. Where we store information

Personal information is stored on infrastructure operated by Supabase in a data centre region as close to South Africa as Supabase offers (currently the European Union). We do not transfer your personal information outside these locations except as required to operate the Service or to comply with the law.

6. How long we keep it

FICA and related anti-money-laundering legislation require us to retain identity verification information and transaction records for a minimum of five years after your last interaction with the Service. We may retain certain records longer where another law requires us to. Information that is not subject to retention obligations is deleted when it is no longer needed.

7. Your rights under POPIA

You have the right to:

  • Be told what personal information we hold about you.
  • Request a copy of that information.
  • Ask us to correct information that is inaccurate.
  • Ask us to delete information that we are no longer required to keep.
  • Object to processing in certain circumstances.
  • Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, email hello@loosh.app. We aim to respond within 30 days.

8. How we protect your information

We use industry-standard measures to protect your personal information, including:

  • Encryption in transit (TLS) and at rest.
  • Strict access controls and least-privilege permissions.
  • Daily integrity checks against our financial records.
  • Regular security reviews and incident-response procedures.
  • Two-factor authentication on every administrative account.

If we ever become aware of a security compromise that affects your personal information, we will notify you and the Information Regulator without undue delay, as required by POPIA.

9. Children

The Service is not intended for children under 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected such information, we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of the page. If the change is material, we will notify you in the Service or by email before the change takes effect.

11. Contact

Questions, requests, or complaints can be sent to hello@loosh.app. You may also contact the Information Regulator of South Africa directly at inforegulator.org.za.