South Africa's Protection of Personal Information Act (POPIA) sets out how organisations — including lenders and comparison platforms — must handle your personal data. Here's what it means in practice.
A lender or platform can only collect personal information for a specific, lawful purpose — in this case, processing your loan request. They must tell you that purpose up front. Random collection "for marketing" without consent is not allowed.
POPIA requires "minimality" — only the data needed for the purpose. For a loan application that's your ID, contact details, employment and bank statement. A lender asking for unrelated information (e.g. your political affiliation) is not compliant.
Sharing your data with third-party lenders requires your consent. On a comparison platform like LoanMatch, you give that consent when you submit the application — and the platform must list, in its privacy policy, who the partners are.
Lenders must protect data using "appropriate technical and organisational measures" — encryption in transit, secure storage, access controls. If a breach occurs and there is risk of harm, they must notify both you and the Information Regulator.
If a lender or platform sends your data outside South Africa, it can only do so if the destination has adequate protection or you have given explicit consent. This matters when offshore back-office processing is involved.
LoanMatch's own approach to data is set out in our Privacy Policy.