Privacy Policy
Atlantic Accelerator (Pty) Ltd · Last updated: 6 June 2026
1. Who we are
Atlantic Accelerator (Pty) Ltd ("we", "us", "Atlantic Accelerator") is a South African company registered in Cape Town. We operate the following products:
- AffyScore (affy.co.za) — behavioural credit scoring from consumer bank statements
- Taxonomic (taxonomic.co.za) — tax working papers from source documents, including business data
- MortgageFlow (mortgageflow.co.za) — mortgage origination pipeline
This policy covers all personal information processed across these products and our associated websites.
Information Officer
Brink Olivier
Email: [email protected]
Phone: +27 72 842 1159
2. What information we collect
AffyScore — consumer bank statement data
When a consumer's bank statement is submitted for scoring — whether uploaded by a lending provider or by the consumer directly via a self-upload link — we process:
- Account holder name, account number, and bank identity
- Transaction history (typically three months): dates, amounts, descriptions, balances
- Derived data: income categories, expense categories, behavioural patterns, affordability calculations
We do not collect or store bank login credentials.
Taxonomic — business and tax document data
When source documents are submitted for processing, we may process:
- Business name, registration number, and tax reference numbers
- Financial records: invoices, receipts, bank statements, trial balances
- Names and contact details of individuals associated with the business
Website visitors
When you visit our websites, we collect:
- Analytics data via Google Analytics 4 (see our Cookie Policy)
- Contact form submissions: name, email address, company, and message content
3. How we use your information
We process personal information for the following purposes:
| Purpose | Legal basis (POPIA) |
|---|---|
| Generate a credit score and affordability assessment from a bank statement | Legitimate interest of the lending provider; consent where the consumer self-uploads |
| Produce tax working papers from source documents | Contract with the submitting party |
| Respond to enquiries submitted via our websites | Legitimate interest |
| Website analytics to improve our services | Consent (cookie consent) |
| Comply with legal and regulatory obligations | Legal obligation |
4. Our role under POPIA
Our role depends on how information reaches us:
- When a lending provider submits data to us — we act as an operator (processor) under POPIA. The lending provider is the responsible party and is accountable for obtaining lawful grounds to share the data with us.
- When a consumer self-uploads via a tokenised link — we act as a responsible party (controller) for the collection of that data. We present a consent notice at the point of upload, identifying the lending provider who will receive the score.
- For website visitors and contact form submissions — we act as a responsible party.
5. Credit scoring and automated processing
AffyScore uses automated processing to generate a behavioural credit score (300–850), an affordability assessment, and a recommendation (Clear, Caution, or Review). This output includes plain-English reason codes explaining the factors behind the score.
AffyScore is a supplementary pre-screening tool. It does not make credit decisions, lending recommendations, or affordability determinations under the National Credit Act. The subscribing lending provider is solely responsible for any credit decision and must ensure a qualified person reviews all outputs before taking action, in accordance with POPIA Section 71.
You have the right to:
- Request that a person (not an automated system) reconsider any decision made using our output
- Receive information about the logic involved in the automated processing
- Make representations about the output
6. Who we share information with
We share personal information only as follows:
- The lending provider who requested the score — they receive the decision pack (score, affordability, reason codes, recommendation)
- Cloud infrastructure providers who host our systems, under appropriate data processing agreements
- Law enforcement or regulators when required by law
We do not sell personal information. We do not share consumer data across lending providers. Each extraction is isolated to the requesting provider.
7. Data retention
| Data type | Retention period |
|---|---|
| Raw bank statements | Deleted within 72 hours of score generation |
| Score output and reason codes | 12 months from generation, then deleted |
| Processing audit logs (timestamp, provider ID, consent record) | 5 years (regulatory compliance) |
| Contact form submissions | 24 months |
| Website analytics | 14 months (Google Analytics default) |
We do not maintain an ongoing database of consumer credit records. Each extraction is a point-in-time assessment.
8. Cross-border transfers
Our primary processing infrastructure is hosted in South Africa. Where we use cloud services with infrastructure outside South Africa, we ensure adequate safeguards are in place as required by POPIA Section 72, including contractual commitments from the service provider.
9. Security
We take reasonable technical and organisational measures to protect personal information against loss, unauthorised access, and unlawful processing (POPIA Section 19). These include encryption in transit and at rest, access controls, and regular security reviews.
No system is completely secure. In the event of a data breach that poses a risk to data subjects, we will notify the Information Regulator and affected individuals as required by POPIA Section 22.
10. Your rights
Under POPIA, you have the right to:
- Access — request confirmation of what personal information we hold about you and receive a copy
- Correction — request correction of inaccurate or incomplete information
- Deletion — request deletion of your personal information where we no longer have a lawful basis to retain it
- Object — object to processing on grounds of legitimate interest
- Automated decisions — not be subject to a decision based solely on automated processing that produces legal effects (see Section 5 above)
To exercise any of these rights, contact our Information Officer at [email protected]. We will respond within 30 days.
11. Complaints
If you believe we have not handled your personal information properly, you may lodge a complaint with:
The Information Regulator (South Africa)
Email: [email protected]
Website: inforegulator.org.za
12. Changes to this policy
We may update this policy from time to time. Material changes will be posted on this page with an updated date. We encourage you to review this policy periodically.